DNS Domain names - inside/outside

Morning - just watched your latest DNS video - worked great BTW, thanks! About time we can add names in Unifi! Anyway - this may be a stupid question - but I've rarely been afraid of showing my ignorance. When setting up domains, is it necessary to keep your outside domains and inside domains completely separate? If I own the domain abcbusiness.com (used for my Google Workspace, and website etc…) - I'd be tempted to use that inside my LAN as well for static devices and desktops, e.g. pc1.abcbusiness.com (inside) - even though I have it registered on GoDaddy and if I go to www.abcbusiness.com (outside) - I get the company web site. I ask this stupid question, as in the video you mention to only use domains you own and avoid using things like .local etc… (which I have tried to do for inside). Along the same lines, would it end up being problematic to use the same domain at multiple facilities for abcbusiness.com - as long as they are separated by VPNs and in completely different subnets? Could end up possibly having something like pc1.abcbusiness.com in two different subnets connected via VPN - or would the practice be to use subdomains loc1.abcbusiness.com, loc2.abcbusiness.com? Which would end up with pc1.loc1.abcbusiness.com & pc1.loc2.abcbusiness.com? Sorry for the refresher course in DNS and domain best practices, but I've always wondered and typically used something generic like .local inside and .com outside.

1 Like

This is actually a really great question. Most companies that have the infrastructure to do so will run split DNS – whereby they have internal DNS servers and then DNS servers that the outside world talks to. This does create another level of management because you have to make sure that if you have an external DNS entry you have the same entry internally. I always recommend split DNS instead of doing hairpin NAT. When you use hairpin you use unnecessary resources on your firewall – and really the traffic shouldn’t hit it anyway. It used to be that internally we would use .dom, .lan, or .local, but if you’re a Microsoft shop the best practice is to use a real top-level domain that you own. Synology has made it pretty easy because you don’t have to pay licensing – but even the Windows Server licensing minimum isn’t bad – and if it’s just a DC/GC you can run it on a decent mini PC, just make sure you’re backing it up.

Think my head just imploded a tiny bit. Are there any pitfalls to using abcbusiness.com everywhere? Especially if you're running a pretty small setup - DHCP/DNS all handled by the UDM Pro Max at each location - no MS Win AD DC - no Synology - local accounts manually administered and configured physically.

The only thing you need to make sure of is that all FQDNs the outside world can get to also have records for them internally.
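A small consistency check for the split-DNS rule given in the two replies above: every name the outside world can reach needs an internal record too, and the internal answer should be a LAN address so the traffic never hairpins through the firewall. This is an added example, not code from the thread or from Unifi; the abcbusiness.com records and the 192.168.10.0/24 and 192.168.20.0/24 LAN ranges are constructed sample data.

```python
import ipaddress

# Constructed sample data: what public resolvers hand out for abcbusiness.com ...
EXTERNAL_RECORDS = """
www.abcbusiness.com.     A  203.0.113.10
mail.abcbusiness.com.    A  203.0.113.25
portal.abcbusiness.com.  A  203.0.113.30   ; public address of the firewall
"""

# ... and what the internal resolver (e.g. the UDM at one site) answers with.
# 'mail' is missing entirely; 'portal' copies the public IP instead of the LAN one.
INTERNAL_RECORDS = """
www.abcbusiness.com.     A  192.168.10.20
portal.abcbusiness.com.  A  203.0.113.30
pc1.abcbusiness.com.     A  192.168.10.51
"""

# Constructed LAN prefixes for two sites joined by VPN.
LAN_NETWORKS = [ipaddress.ip_network("192.168.10.0/24"),
                ipaddress.ip_network("192.168.20.0/24")]


def parse_records(zone_text):
    """Parse 'name TYPE value' lines into {(name, type): value}.

    Names are lower-cased with the trailing dot removed; ';' starts a comment."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        records[(name.lower().rstrip("."), rtype.upper())] = value
    return records


def audit_split_dns(external, internal, lan_networks):
    """Return (missing, hairpin): external names with no internal record, and
    names whose internal A record points outside the LAN (would hairpin)."""
    missing, hairpin = [], []
    for (name, rtype), _ in external.items():
        value = internal.get((name, rtype))
        if value is None:
            missing.append(name)
        elif rtype == "A":
            ip = ipaddress.ip_address(value)
            if not any(ip in net for net in lan_networks):
                hairpin.append(name)
    return sorted(missing), sorted(hairpin)


def run_audit():
    return audit_split_dns(parse_records(EXTERNAL_RECORDS),
                           parse_records(INTERNAL_RECORDS), LAN_NETWORKS)
```

In a real deployment the two record sets would come from querying a public resolver and the internal resolver for the same list of names.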

Thanks so much for the information and explanation!

1 Like