Solved

External vs Internal Domain Name

Posted on 2015-01-22
Last Modified: 2015-01-25
Hello,

We are considering changing our public domain name, and investigating the possibility of having the same or different names for the public/external domain and internal Active Directory domain. The authoritative DNS servers for the public domain and Web Servers will be hosted on our site (managed internally).

What are the advantages/disadvantages of each way? Are there any security issues when having the same name for external and internal domain? It seems that the management is much easier in that case. I guess in order for internal users to also be able to access the servers of the public domain, a DNS zone for the public domain must also be configured on the internal DNS servers.

Please let me know your opinion.

Thanks,
Question by: Harrris
6 Comments
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 336 total points
ID: 40566762
There are many reasons not to have the same internal and external domain name.  This separation is good from a security standpoint but also makes accessing external resources on the external domain from the internal one much easier.

The .local domains exist for many of the same reasons that the private IP subnets do.  By having a non-public domain name, you limit the mixing of the inside and outside.
0
 
LVL 26

Accepted Solution

by: DrDave242
DrDave242 earned 336 total points
ID: 40566764
I strongly recommend against using the same name for your internal and external domains. This typically causes more problems than it solves, and administration may end up being more complex rather than simpler. For example, one common issue that arises in that scenario is an externally hosted website that can't be reached by users in the office. (Searching EE will show you numerous examples of this.) Say your site is written to respond to the FQDN mydomain.com (without www or any other prefix, as is pretty common nowadays). External users can get to the site with no problem, as long as the public DNS records are configured correctly, but for internal users, mydomain.com will resolve to the IP address of one of your domain controllers. This is by design, and the only way around it is to recode the site so that it responds to www.mydomain.com, then add a www host record to your internal DNS. If the site is hosted on a shared-hosting server or cluster with multiple IP addresses that don't always remain the same, this can get nasty.

I also don't recommend using the same actual domain internally and externally (using one or more of your domain controllers as the authoritative DNS server for your external domain and making it externally accessible, in other words). You generally want to keep your internal domain as separate from the internet as you can, for security reasons.

What I recommend instead is making your internal domain a child of your external domain. If your external domain is named mydomain.com, give your internal domain a name like corp.mydomain.com. You don't have to actually make it a child domain from an external perspective; just name it that way. The two domains will still have two separate namespaces, and you'll be free to unite them in some fashion later if you choose.
0
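The same-name workaround DrDave242 describes (internal apex resolves to a domain controller, so a separate www host record has to be kept in the internal zone) can be carried out and verified on a Windows DNS server with the DnsServer PowerShell module. The following is an added example, not code from the answer above; it assumes an AD-integrated zone named mydomain.com and uses 203.0.113.10 (a documentation-range address, constructed here) as the public web server.

```powershell
# Added example (not from the thread): the same-name workaround on a Windows DNS
# server that is authoritative for the internal AD zone. Assumed names/addresses:
# zone "mydomain.com", public web server 203.0.113.10 (constructed for this example).
$Zone      = "mydomain.com"
$PublicWeb = "203.0.113.10"

# 1. Show what the bare domain name resolves to internally. In an AD zone the
#    apex ("@") A records are registered by the domain controllers themselves,
#    which is why mydomain.com reaches a DC and not the website.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name "@" |
    Select-Object HostName, @{ n = "IPv4"; e = { $_.RecordData.IPv4Address } }

# 2. Add (or refresh) the www host record so internal clients reach the public
#    web server. This record has to be maintained by hand every time the public
#    address changes, which is the operational cost the answer warns about.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name "www" -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($existing) {
    # Set-DnsServerResourceRecord needs the old and the modified object side by side.
    $new = $existing.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($PublicWeb)
    Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $existing -NewInputObject $new
} else {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name "www" -IPv4Address $PublicWeb
}

# 3. Verify against this server: www now returns the public address, while the
#    apex still answers with domain controller addresses.
Resolve-DnsName -Name "www.$Zone" -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress
Resolve-DnsName -Name $Zone       -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress
```

Run it in an elevated session on the DNS server. If the public site is on a shared host whose address changes, step 2 is the part that silently goes stale, which is the failure mode the answer is pointing at; the corp.mydomain.com layout avoids the record entirely.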
 
LVL 40

Assisted Solution

by:footech
footech earned 332 total points
ID: 40566775
I suggest this as good reading.
http://blogs.msmvps.com/acefekay/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name/

Personally, I wouldn't recommend managing your own public DNS servers unless you really know what you're doing.
I wouldn't provide internet access to any DNS that is AD-integrated.  So whether you choose the same name internally and externally or not, I would set up separate DNS servers that would be accessed by the internet vs. what you use internally.  In general, I think the current recommendation as best practice is to make your internal domain a subdomain of what you use externally.  So if you have an external/public domain of example.com, your internal could be corp.example.com.
0
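A read-only check for footech's point that AD-integrated DNS should not be reachable from the internet: it lists the AD-stored zones the server would expose, flags zones that allow transfers to any host, flags enabled recursion, and prints the addresses the service listens on so they can be compared with the server's interfaces. This is an added example, not code from the answer; it assumes the DnsServer PowerShell module (Windows Server 2012 or later) and that it is run on the DNS server itself.

```powershell
# Added example (not from the thread): audit an AD-integrated DNS server for
# settings that would be dangerous if the server were reachable from the internet.
# Assumes the DnsServer module; run on the DNS server in an elevated session.
$findings = @()

# Zones stored in Active Directory hold the internal namespace. Any of them on
# a server that faces the internet is exposed, so list them first.
$adZones = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }
foreach ($z in $adZones) {
    $findings += "AD-integrated zone hosted here: $($z.ZoneName)"
    # A zone that transfers to any server hands out the whole internal namespace.
    if ($z.SecureSecondaries -eq "TransferAnyServer") {
        $findings += "Zone $($z.ZoneName) allows zone transfers to any server"
    }
}

# Recursion belongs on the internal resolver only; an internet-reachable
# recursive server can be abused by third parties and gives outsiders a
# foothold for cache poisoning.
$recursion = Get-DnsServerRecursion
if ($recursion.Enable) {
    $findings += "Recursion is enabled; confirm this server is not reachable from the internet"
}

# Report the listening addresses. Each one should be on an internal subnet; a
# public or DMZ address here means AD zones are being served outward.
$settings = Get-DnsServerSetting -All
$findings += "Listening on: $($settings.ListeningIPAddress -join ', ')"

$findings
```

The output is intentionally a plain list so it can be dropped into a change ticket. Combining it with a firewall rule review (port 53 TCP/UDP from the internet should terminate on the separate public DNS servers footech recommends, never on a DC) gives the full picture.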
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 332 total points
ID: 40566787
Just adding to DrDave242's comments.  I've set up domains both ways, and I actually don't find it to be that much of a problem to have the same internal and external domain name. However, if you're concerned about security issues and particularly if you're going to be hosting your external DNS zone on-site, I would agree with the comments about having 2 separate domain names. You will obviously need to have a firewall between your internal and external DNS zones anyway, for security purposes, so it makes a bit more sense to have 2 different domain names.  The ".local" terminology doesn't fly any more for the most part, so I agree with the recommendation to use a "mydomain.com" and "corp.mydomain.com" type of naming convention.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 332 total points
ID: 40566790
I also second the Public DNS comment by footech. It also makes it very challenging when you manage your own Public DNS doing DR related work.

Will.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 332 total points
ID: 40566823
You will get a few opinions, each with their pros and cons. Here is what I do; you can decide for yourself which one you prefer.

I use something.domain.com. Sometimes it's corp.domain.com, sometimes it's i.domain.com (for internal). For multisite forests it's location.corp.domain.com. This allows you to have a public DNS (not your own) for your website and all external subdomains. No duplicating ftp.domain.com or using an internal DNS server publicly. Because it's not a "fake" domain like .local or .lan, you can actually route it if you need to. You can also get 3rd party certs for domain controllers and other internal sites because they have real top level domains (dc.i.domain.com).

I chose this path about 4 years ago and have never regretted it.
0