Solved

Internal Subdomain Externally Routable (Is this a problem?)

Posted on 2012-08-28
Medium Priority
825 Views
Last Modified: 2012-09-02
Greetings, I have a question....

I am planning to restructure my internal domain to be a subdomain of my external root domain (int.jcghome.com which would be internal to jcghome.com).  Research, and Microsoft, recommend this over separate domains, though that's also an option I am considering.

This is for a simple home network, with a dynamic IP address.  I use TZO as my dynamic DNS provider, and by default they enable wildcard domain lookups (*.jcghome.com).  Therefore, my internal subdomain, int.jcghome.com, would be routable to the internet (int.jcghome.com = www.jcghome.com).  Based on the recommendations from Microsoft and elsewhere, having an internal domain match anything routable externally is recommended against.. otherwise there's no need for the subdomain.

So, is having an internal subdomain which is externally routable of concern?  For this scenario, would the experts recommend I use a different TLD internally instead of a subdomain?
Question by:Atreyu79
13 Comments
 

Author Comment

by:Atreyu79
ID: 38341606
Perhaps I should also mention that the internal domain is an AD domain, where I intend to house all my users and resources.  If it is a subdomain of the external domain, should I create domain controllers for both "jcghome.com" and one for a child domain of "int.jcghome.com"?  Or is simply having one AD server hosting "int.jcghome.com" as root OK?
0
 
LVL 12

Expert Comment

by:aindelicato
ID: 38341770
Your domain won't be accessible from the internet.

If you open port 80 on your firewall and point it to web server (www.jcghome.com) that will be the only thing that is accessible from the internet.

I strongly suggest putting the web server in a DMZ, most routers/firewalls nowadays allow for this very easily.
0
 

Author Comment

by:Atreyu79
ID: 38342046
Thanks aindelicato, for your reply!  This is the second time I asked the question to a panel of experts, with a similar & obvious response... so I'm thinking it was a dumb question.  I suppose if it simply resolves to my external IP address, there's nothing "public" about it if kept safe behind the firewall (using TMG 2010).  

Maybe I have a misunderstanding of the configuration.  What prompted my question was this from http://technet.microsoft.com/en-us/library/cc755946(v=ws.10)  :

Note: You can also use the same name for the internal domain and the external domain. However, this method is not recommended. It creates name resolution problems because it introduces DNS names that are not unique. This method requires additional configuration to enable optimized performance.

My internal domain, int.jcghome.com, would technically not be unique since my provider allows wildcard domain lookups... and even though I'm sure name resolution would never be an issue, I'm hoping to not change any of this for a long time and want to implement what's "right" and as cleanly as possible.

For my servers in the DMZ, would they also belong to int.jcghome.com in AD, or would they belong to jcghome.com in AD?

Also, if I am way off and spouting nonsense, don't be afraid to say so.  Until recently I never really put much thought into my domain setup.
0
 
LVL 41

Accepted Solution

by:footech
footech earned 1000 total points
ID: 38342145
If you were to do this, simply having one DC hosting "int.jcghome.com" would be fine.

If I were you though I would create a different domain for your internal that is not related to your public domain name.  Whether this means using a different TLD like .local or some other domain name that doesn't exist is up to you.

Though I don't think it would present a security issue to you, the problem with having a domain name the same as one that exists to the public is the possibility of contacting the wrong server and getting erroneous information.  This can make diagnosing a problem harder if you think you're contacting one server but you're really talking to another.
0
 
LVL 12

Assisted Solution

by:aindelicato
aindelicato earned 1000 total points
ID: 38342182
The reason using a .com for an internal TLD is not recommended is because, as stated in the article, internal hostnames are not resolvable.

Don't think of www as a subdomain, it's just a hostname.

I would not use the wildcard for your DNS, I would create a specific A record for www.jcghome.com that points to your router's IP address.  You can have the router port forward 80/443 (whatever port you want) to TMG and have TMG pass the traffic to IIS.

You can keep the IIS server within your domain if you pass the traffic through TMG.
0
 

Author Comment

by:Atreyu79
ID: 38342250
That's how I've been running things for the last 12 years... but not because of any conscious design.  Rather, it was me sitting in a dorm room figuring out this new "Active Directory" thing from Microsoft, and I ended up with an internal domain that I've never changed since.  During that same time, I have changed my external domain many times.  I do like having them detached from each other for that reason...

But this time around, I'd like to "design" it correctly, and I guess I have a mental block when thinking of separate domains as the correct design when that's what I accidentally did as a kid.

I considered "making up" my own TLD for my internal domain, but internet people vehemently oppose that because of possibility of ICANN reserving it down the road.  And then there's me, who has used "jcg.com" internally for 12 years (which is obviously registered to somebody else)... without any issues at all.

I'm starting to agree that for my situation, the better solution might be what you suggested, footech.  Separate external vs. internal domains... if for no other reason than it decouples them.  I could also eliminate whatever minor risk of duplicating names by registering my internal one as well if I really wanted.

Stuff to think about, thanks for your replies!
0
 

Assisted Solution

by:Atreyu79
Atreyu79 earned 0 total points
ID: 38342291
I'll have to check with TZO to see if I can turn off DNS wildcards, and specify which "host names" to use... www, mail, ftp etc.  If I can turn off the wild card, and specify which values to use instead, I would feel cleaner with the subdomain approach.

I don't mean to drag this out, but is it conflicting for the article to say "using a .com for an internal TLD is not recommended", but then suggest subdomaining (even if it's a .com root) is preferred?
0
 
LVL 41

Expert Comment

by:footech
ID: 38342346
I wouldn't say that using .com for an internal TLD is not recommended (neither does the Technet page).  Just that when you do, you should make sure that domain name is unique.  When using something like .local as the internal TLD, there is no risk of that (unless you create it yourself), because .local is not resolvable on the internet.
0
 
LVL 41

Expert Comment

by:footech
ID: 38342393
If you decide to go the subdomain route, even though you may have the "jcghome.com" domain registered, you don't have to set up a DC for it.  Your internal, AD domain could be "int.jcghome.com".  You don't have to have any machines, whether in the DMZ or wherever that are part of an actual AD domain called "jcghome.com".  Even though you may have a webserver that is reachable via "www.jcghome.com", that machine could be part of the "int.jcghome.com" domain (or any other), and have a host name of "spanky" (and so the FQDN would be "spanky.int.jcghome.com") or whatever else you want to call it.

It is not ideal to have the wildcard be able to resolve, but it's pretty much the same scenario as what you've used for years, "jcg.com", which you don't own and haven't had a problem with.  Just because the FQDN isn't unique across all domains (internal and external) doesn't guarantee that you will have a problem.  Just that it can make troubleshooting a problem more difficult.
0
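An added check, not code from anyone in this thread, for footech's point that the internal domain name should be unique and for the poster's plan to turn off the TZO wildcard: it resolves a random label beneath a candidate AD domain name and reports whether a wildcard answers for it. The `tzo_style_wildcard` resolver and the 203.0.113.10 address are constructed stand-ins for a dynamic-DNS zone with `*.jcghome.com` enabled; `system_resolve` uses the OS resolver for a real run.

```python
import secrets
import socket
from typing import Callable, Dict, List

# A resolver maps an FQDN to its public IPv4 answers ([] when the name does not resolve).
Resolver = Callable[[str], List[str]]

def system_resolve(name: str) -> List[str]:
    """OS stub resolver. Run it from outside the LAN, or point the OS at a public
    resolver, so the answer reflects the internet's view rather than internal DNS."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def tzo_style_wildcard(name: str) -> List[str]:
    """Constructed stand-in for a dynamic-DNS zone with '*.jcghome.com' enabled:
    anything under the zone answers with a made-up router address."""
    name = name.lower().rstrip(".")
    if name == "jcghome.com" or name.endswith(".jcghome.com"):
        return ["203.0.113.10"]  # RFC 5737 documentation address, not a real host
    return []

def is_subdomain_of(child: str, parent: str) -> bool:
    """True when child is parent or lies beneath it (case and trailing dot ignored)."""
    c, p = child.lower().rstrip("."), parent.lower().rstrip(".")
    return c == p or c.endswith("." + p)

def check_internal_name(internal: str, resolve: Resolver = system_resolve) -> Dict[str, object]:
    """Does a candidate AD domain name collide with the public namespace?
    A random label is queried beneath it: if that resolves, a wildcard record is
    answering for every host name the internal domain will ever contain."""
    internal = internal.lower().rstrip(".")
    apex_ips = resolve(internal)
    probe_ips = resolve(f"probe-{secrets.token_hex(6)}.{internal}")
    if probe_ips:
        verdict = "wildcard: every internal host name also resolves from the internet"
    elif apex_ips:
        verdict = "apex only: the domain exists publicly, but host names under it do not"
    else:
        verdict = "not publicly resolvable"
    return {"candidate": internal, "apex_resolves": bool(apex_ips),
            "wildcard_resolves": bool(probe_ips), "wildcard_ips": probe_ips,
            "verdict": verdict}

if __name__ == "__main__":
    for name in ("int.jcghome.com", "spanky.local"):
        print(check_internal_name(name, tzo_style_wildcard)["verdict"])
```

With the wildcard disabled and only explicit www/mail/ftp A records left, the same probe against int.jcghome.com returns "not publicly resolvable", which is the outcome the thread settles on.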
 

Author Comment

by:Atreyu79
ID: 38342562
This hits it pretty much right on the head, thanks.  I looked at my TZO control panel online, and I can indeed disable wildcards, and add my own A records.  So everything you guys offered up has been a big help.  I learn much better being able to discuss my ordeal with people vs. scanning search results and forums where everybody thinks their opinion is irrefutable.

My only remaining curiosity is for friends who VPN into my network, or authenticate to it for any other reason.  If my internal domain is entirely different, say "spanky.net" and my external domain is "jcghome.com", I'm wondering if they will be confused when I tell them to enter spanky.net\username for authentication to vpn.jcghome.com.  I suppose those same types of things would exist even with the subdomain approach.  For example, they'd have to use int.jcghome.com\username for authentication to vpn.jcghome.com.

I suppose if I made my internal domain name match the external, except for the TLD, I could use the netbios name for authentication, and it would appear to match "what they are logging into".  For example, they could log in with jcghome\username to vpn.jcghome.com, or ftp.jcghome.com... and it would make more "sense" to them.  In your experiences, does this type of thing matter at all?  Or do you just require your users to "know what to use"?
0
 
LVL 41

Expert Comment

by:footech
ID: 38343182
Users definitely get confused, no way around that.  They can always use the NetBIOS name for the domain e.g. int\username.  With the VPN connection it's usually not a big deal, since the IP or FQDN they're connecting to is saved with the connection, so you typically only have to enter it once.  However, the username (with the domain prepended) has to be entered repeatedly for logons to various resources like OWA, VPN, etc.  Even if you save the credentials, usually there's a password policy so that they have to change it every so often.  If I ever have to log on to a user's machine and then log out, they typically don't know how to log themselves in.  They're so used to only having to type in their password that they don't even see that the username (which is automatically filled in with the last user logged on, unless you set a group policy) is not theirs, and if they do, sometimes they can't figure out how to enter another username.  :o
0
 

Author Comment

by:Atreyu79
ID: 38343256
Heh... Users...

Thanks for your time and insight.  I have what I need to get this going, and a better conceptual understanding as well.

John
0
 

Author Closing Comment

by:Atreyu79
ID: 38358442
Either solution is equal... they represent different ways of accomplishing the same basic thing.  However, EE only allows me to select one.
0
