Solved

External vs Internal Domain Name

Posted on 2015-01-22
Last Modified: 2015-01-25
Hello,

We are considering changing our public domain name, and investigating the possibility of having the same or different names for the public/external domain and internal Active Directory domain. The authoritative DNS servers for the public domain and Web Servers will be hosted on our site (managed internally).

What are the advantages/disadvantages of each way? Are there any security issues when having the same name for the external and internal domain? It seems that the management is much easier in that case. I guess in order for internal users to also be able to access the servers of the public domain, a DNS zone for the public domain must also be configured on the internal DNS servers.

Please let me know your opinion.

Thanks,
0
Question by:Harrris
6 Comments
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 84 total points
ID: 40566762
There are many reasons not to have the same internal and external domain name.  This separation is good from a security standpoint but also makes accessing external resources on the external domain from the internal one much easier.

The .local domains exist for many of the same reasons that the private IP subnets do.  By having a non-public domain name, you limit the mixing of the inside and outside.
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 84 total points
ID: 40566764
I strongly recommend against using the same name for your internal and external domains. This typically causes more problems than it solves, and administration may end up being more complex rather than simpler. For example, one common issue that arises in that scenario is an externally hosted website that can't be reached by users in the office. (Searching EE will show you numerous examples of this.) Say your site is written to respond to the FQDN mydomain.com (without www or any other prefix, as is pretty common nowadays). External users can get to the site with no problem, as long as the public DNS records are configured correctly, but for internal users, mydomain.com will resolve to the IP address of one of your domain controllers. This is by design, and the only way around it is to recode the site so that it responds to www.mydomain.com, then add a www host record to your internal DNS. If the site is hosted on a shared-hosting server or cluster with multiple IP addresses that don't always remain the same, this can get nasty.

I also don't recommend using the same actual domain internally and externally (using one or more of your domain controllers as the authoritative DNS server for your external domain and making it externally accessible, in other words). You generally want to keep your internal domain as separate from the internet as you can, for security reasons.

What I recommend instead is making your internal domain a child of your external domain. If your external domain is named mydomain.com, give your internal domain a name like corp.mydomain.com. You don't have to actually make it a child domain from an external perspective; just name it that way. The two domains will still have two separate namespaces, and you'll be free to unite them in some fashion later if you choose.
0
 
LVL 39

Assisted Solution

by:footech
footech earned 83 total points
ID: 40566775
I suggest this as good reading.
http://blogs.msmvps.com/acefekay/2009/09/07/what-s-in-an-active-directory-dns-name-choosing-a-domain-name/

Personally, I wouldn't recommend managing your own public DNS servers unless you really know what you're doing.
I wouldn't provide internet access to any DNS that is AD-integrated.  So whether you choose the same name internally and externally or not, I would set up separate DNS servers that would be accessed by the internet vs. what you use internally.  In general, I think the current recommendation as best practice is to make your internal domain a subdomain of what you use externally.  So if you have an external/public domain of example.com, your internal could be corp.example.com.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 83 total points
ID: 40566787
Just adding to DrDave242's comments.  I've set up domains both ways, and I actually don't find it to be that much of a problem to have the same internal and external domain name. However, if you're concerned about security issues and particularly if you're going to be hosting your external DNS zone on-site, I would agree with the comments about having 2 separate domain names. You will obviously need to have a firewall between your internal and external DNS zones anyway, for security purposes, so it makes a bit more sense to have 2 different domain names.  The ".local" terminology doesn't fly any more for the most part, so I agree with the recommendation to use a "mydomain.com" and "corp.mydomain.com" type of naming convention.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 83 total points
ID: 40566790
I also second the Public DNS comment by footech. It also makes it very challenging when you manage your own Public DNS doing DR related work.

Will.
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 83 total points
ID: 40566823
You will get a few opinions, each with their pros and cons. Here is what I do; you can decide for yourself which one you prefer.

I use something.domain.com. Sometimes it's corp.domain.com, sometimes it's i.domain.com (for internal). For multisite forests it's location.corp.domain.com. This allows you to have a public DNS (not your own) for your website and all external subdomains. No duplicating ftp.domain.com or using an internal DNS server publicly. Because it's not a "fake" domain like .local or .lan, you can actually route it if you need to. You can also get 3rd party certs for domain controllers and other internal sites because they have real top level domains (dc.i.domain.com).

I chose this path about 4 years ago and have never regretted it.
0
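
The same-name problems DrDave242 and Aaron Tomosky describe above (the zone apex resolving to domain controllers for internal users, and public records that have to be duplicated internally), as an added example that is not part of the original thread. It compares two record sets for one zone; all names, addresses and function names are constructed for illustration.

```python
# Added example: audit a zone that is hosted both publicly and inside AD.
ZONE = "mydomain.com"

# Constructed sample data: name -> set of A-record addresses.
PUBLIC = {
    "mydomain.com": {"203.0.113.10"},
    "www.mydomain.com": {"203.0.113.10"},
    "ftp.mydomain.com": {"203.0.113.20"},
}
INTERNAL = {
    "mydomain.com": {"10.0.0.5", "10.0.0.6"},  # DCs register themselves at the apex
    "www.mydomain.com": {"203.0.113.10"},
    "dc1.mydomain.com": {"10.0.0.5"},
}
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}


def audit_same_name_zone(public, internal, zone, dc_ips):
    """Return sorted (name, issue) findings for public names as seen from inside."""
    findings = []
    for name, pub_ips in public.items():
        int_ips = internal.get(name)
        if int_ips is None:
            # The internal server is authoritative for the zone, so it answers
            # "no such name" instead of forwarding to the public servers.
            findings.append((name, "missing-internally"))
        elif name == zone and int_ips & dc_ips:
            # Internal clients land on a domain controller, not the website.
            findings.append((name, "apex-resolves-to-dc"))
        elif int_ips != pub_ips:
            findings.append((name, "answers-differ"))
    return sorted(findings)


def internal_zone_conflicts(public, internal_zone):
    """For a child name such as corp.mydomain.com: public names that fall inside it."""
    suffix = "." + internal_zone
    return sorted(n for n in public if n == internal_zone or n.endswith(suffix))


if __name__ == "__main__":
    for name, issue in audit_same_name_zone(PUBLIC, INTERNAL, ZONE, DOMAIN_CONTROLLERS):
        print(f"{issue:22} {name}")
    # With the internal domain named corp.mydomain.com nothing needs duplicating.
    print("overlap with corp zone:", internal_zone_conflicts(PUBLIC, "corp.mydomain.com"))
```
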
