Internal Subdomain Externally Routable (Is this a problem?)

Greetings, I have a question....

I am planning to restructure my internal domain to be a subdomain of my external root domain (int.jcghome.com which would be internal to jcghome.com).  Research, and Microsoft, recommend this over separate domains, though that's also an option I am considering.

This is for a simple home network, with a dynamic IP address.  I use TZO as my dynamic DNS provider, and by default they enable wildcard domain lookups (*.jcghome.com).  Therefore, my internal subdomain, int.jcghome.com, would be routable to the internet (int.jcghome.com = www.jcghome.com).  Based on the recommendations from Microsoft and elsewhere, having an internal domain match anything routable externally is recommended against... otherwise there's no need for the subdomain.

So, is having an internal subdomain which is externally routable of concern?  For this scenario, would the experts recommend I use a different TLD internally instead of a subdomain?
Asked by Atreyu79.

footech commented:
If you were to do this, simply having one DC hosting "int.jcghome.com" would be fine.

If I were you though I would create a different domain for your internal that is not related to your public domain name.  Whether this means using a different TLD like .local or some other domain name that doesn't exist is up to you.

Though I don't think it would present a security issue to you, the problem with having a domain name the same as one that exists to the public is the possibility of contacting the wrong server and getting erroneous information.  This can make diagnosing a problem harder if you think you're contacting one server but you're really talking to another.

Atreyu79 (author) commented:
Perhaps I should also mention that the internal domain is an AD domain, where I intend to house all my users and resources.  If it is a subdomain of the external domain, should I create domain controllers for both "jcghome.com" and one for a child domain of "int.jcghome.com"?  Or is simply having one AD server hosting "int.jcghome.com" as root OK?

aindelicato commented:
Your domain won't be accessible from the internet.

If you open port 80 on your firewall and point it to web server (www.jcghome.com) that will be the only thing that is accessible from the internet.

I strongly suggest putting the web server in a DMZ, most routers/firewalls nowadays allow for this very easily.

Atreyu79 (author) commented:
Thanks aindelicato, for your reply!  This is the second time I asked the question to a panel of experts, with a similar & obvious response... so I'm thinking it was a dumb question.  I suppose if it simply resolves to my external IP address, there's nothing "public" about it if kept safe behind the firewall (using TMG 2010).  

Maybe I have a misunderstanding of the configuration.  What prompted my question was this from http://technet.microsoft.com/en-us/library/cc755946(v=ws.10):

Note
You can also use the same name for the internal domain and the external domain. However, this method is not recommended. It creates name resolution problems because it introduces DNS names that are not unique. This method requires additional configuration to enable optimized performance.

My internal domain, int.jcghome.com, would technically not be unique since my provider allows wildcard domain lookups... and even though I'm sure name resolution would never be an issue, I'm hoping to not change any of this for a long time and want to implement what's "right" and as cleanly as possible.

For my servers in the DMZ, would they also belong to int.jcghome.com in AD, or would they belong to jcghome.com in AD?

Also, if I am way off and spouting nonsense, don't be afraid to say so.  Until recently I never really put much thought into my domain setup.

aindelicato commented:
The reason using a .com for an internal TLD is not recommended is because, as stated in the article, internal hostnames are not resolvable.

Don't think of www as a subdomain, it's just a hostname.

I would not use the wildcard for your DNS, I would create a specific A record for www.jcghome.com that points to your router's IP address.  You can have the router port forward 80/443 (whatever port you want) to TMG and have TMG pass the traffic to IIS.

You can keep the IIS server within your domain if you pass the traffic through TMG.

Atreyu79 (author) commented:
That's how I've been running things for the last 12 years... but not because of any conscious design.  Rather, it was me sitting in a dorm room figuring out this new "Active Directory" thing from Microsoft, and I ended up with an internal domain that I've never changed since.  During that same time, I have changed my external domain many times.  I do like having them detached from each other for that reason...

But this time around, I'd like to "design" it correctly, and I guess I have a mental block when thinking of separate domains as the correct design when that's what I accidentally did as a kid.

I considered "making up" my own TLD for my internal domain, but internet people vehemently oppose that because of the possibility of ICANN reserving it down the road.  And then there's me, who has used "jcg.com" internally for 12 years (which is obviously registered to somebody else)... without any issues at all.

I'm starting to agree that for my situation, the better solution might be what you suggested, footech.  Separate external vs. internal domains... if for no other reason than it decouples them.  I could also eliminate whatever minor risk of duplicating names by registering my internal one as well if I really wanted.

Stuff to think about, thanks for your replies!

Atreyu79 (author) commented:
I'll have to check with TZO to see if I can turn off DNS wildcards, and specify which "host names" to use... www, mail, ftp etc.  If I can turn off the wild card, and specify which values to use instead, I would feel cleaner with the subdomain approach.

I don't mean to drag this out, but is it conflicting for the article to say "using a .com for an internal TLD is not recommended.", but then suggesting subdomaining (even if it's a .com root) is preferred?

footech commented:
I wouldn't say that using .com for an internal TLD is not recommended (neither does the Technet page).  Just that when you do, you should make sure that domain name is unique.  When using something like .local as the internal TLD, there is no risk of that (unless you create it yourself), because .local is not resolvable on the internet.

footech commented:
If you decide to go the subdomain route, even though you may have the "jcghome.com" domain registered, you don't have to set up a DC for it.  Your internal, AD domain could be "int.jcghome.com".  You don't have to have any machines, whether in the DMZ or wherever that are part of an actual AD domain called "jcghome.com".  Even though you may have a webserver that is reachable via "www.jcghome.com", that machine could be part of the "int.jcghome.com" domain (or any other), and have a host name of "spanky" (and so the FQDN would be "spanky.int.jcghome.com") or whatever else you want to call it.

It is not ideal to have the wildcard be able to resolve, but it's pretty much the same scenario as what you've used for years, "jcg.com", which you don't own and haven't had a problem with.  Just because the FQDN isn't unique across all domains (internal and external) doesn't guarantee that you will have a problem.  Just that it can make troubleshooting a problem more difficult.
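The wildcard concern footech raises above can be checked rather than guessed. The following is an added example, not code from this thread or from TZO: it probes random labels under a public zone to detect a wildcard answer, then lists which internal FQDNs (the `int.jcghome.com` hosts) would get a public answer. The resolver is injected, so the constructed `fake_wildcard_resolver` stands in for the provider and `system_resolver` can be passed for a real lookup; the address 203.0.113.10 is a documentation-range placeholder.

```python
"""Check whether a public zone has a wildcard record that makes internal
names (e.g. under int.jcghome.com) answerable from the internet.
The resolver is injected so the check runs offline against constructed
answers; pass system_resolver to query real DNS."""
import secrets
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # name -> IPv4 string, or None if no answer

def random_label() -> str:
    """A throwaway label nobody would publish, constructed fresh per probe."""
    return "wc-" + secrets.token_hex(6)

def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the OS resolver; None on NXDOMAIN or other failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def detect_wildcard(zone: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Return the wildcard target if random labels under `zone` all resolve
    to one address (the *.zone behaviour), otherwise None."""
    answers = {resolve(f"{random_label()}.{zone}") for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None

def internal_names_exposed(internal_zone: str, hosts: List[str],
                           resolve: Resolver) -> Dict[str, str]:
    """Map each host.internal_zone that gets a public answer to that answer."""
    exposed = {}
    for host in hosts:
        fqdn = f"{host}.{internal_zone}"
        ip = resolve(fqdn)
        if ip is not None:
            exposed[fqdn] = ip
    return exposed

def fake_wildcard_resolver(zone: str, ip: str) -> Resolver:
    """Constructed stand-in for a dynamic-DNS provider with *.zone enabled."""
    return lambda name: ip if name == zone or name.endswith("." + zone) else None

def fake_explicit_resolver(records: Dict[str, str]) -> Resolver:
    """Constructed stand-in for a zone holding only explicit A records."""
    return lambda name: records.get(name)
```

Running the same two checks before and after turning off the provider's wildcard (and adding explicit A records for www, mail, and so on) shows whether the internal names still leak.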

Atreyu79 (author) commented:
This hits it pretty much right on the head, thanks.  I looked at my TZO control panel online, and I can indeed disable wildcards, and add my own A records.  So everything you guys offered up has been a big help.  I learn much better being able to discuss my ordeal with people vs. scanning search results and forums where everybody thinks their opinion is irrefutable.

My only remaining curiosity is for friends who VPN into my network, or authenticate to it for any other reason.  If my internal domain is entirely different, say "spanky.net" and my external domain is "jcghome.com", I'm wondering if they will be confused when I tell them to enter spanky.net\username for authentication to vpn.jcghome.com.  I suppose those same types of things would exist even with the subdomain approach.  For example, they'd have to use int.jcghome.com\username for authentication to vpn.jcghome.com.

I suppose if I made my internal domain name match the external, except for the TLD, I could use the NetBIOS name for authentication, and it would appear to match "what they are logging into".  For example, they could log in with jcghome\username to vpn.jcghome.com, or ftp.jcghome.com... and it would make more "sense" to them.  In your experiences, does this type of thing matter at all?  Or do you just require your users to "know what to use"?

footech commented:
Users definitely get confused, no way around that.  They can always use the NetBIOS name for the domain, e.g. int\username.  With the VPN connection it's usually not a big deal, since the IP or FQDN they're connecting to is saved with the connection, so you typically only have to enter it once.  However, the username (with the domain prepended) has to be entered repeatedly for logons to various resources like OWA, VPN, etc.  Even if you save the credentials, usually there's a password policy so that they have to change it every so often.  If I ever have to log on to a user's machine and then log out, they typically don't know how to log themselves in.  They're so used to only having to type in their password that they don't even see that the username (which is automatically filled in with the last user logged on, unless you set a group policy) is not theirs, and if they do, sometimes they can't figure out how to enter another username.  :o

Atreyu79 (author) commented:
Heh... Users...

Thanks for your time and insight.  I have what I need to get this going, and a better conceptual understanding as well.

John

Atreyu79 (author) commented:
Either solution is equal... they represent different ways of accomplishing the same basic thing.  However, EE only allows me to select one.