<div><div dir="auto">Indeed AD was still relatively green in 2003, times change and so has best practices.</div><div dir="auto"><br></div><div dir="auto"><a href="https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx">https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx</a><br></div><div dir="auto"><br></div><div dir="auto">"</div><h2 style="color:rgb(42,42,42);clear:both;font-family:'Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;font-weight:normal;line-height:1.25;font-size:26px;margin:0px;border-bottom-width:0px">Dummy DNS name vs official DNS name</h2><p style="color:rgb(42,42,42);font-family:'Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif">In the past, lots of people chose to use a dummy, unofficial TLD (top-level-domain) for their internal network, like domain.<strong>lan</strong>, domain<strong>.local</strong> of domain<strong>.internal</strong> (and also domain.internalhost)</p><p style="color:rgb(42,42,42);font-family:'Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif">But this can get you in serious trouble. Because these names are not supported by internet standards, the most important RFC on this is: <a href="http://tools.ietf.org/html/rfc2606" target="_blank" style="color:rgb(0,116,158);text-decoration:none;outline:none">RFC 2606 <img src="https://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-components-sitefiles/10_5F00_external.png" border="0" title="This link is external to TechNet Wiki. It will open in a new window." alt="Jump" style="overflow: hidden; max-width: 100%; height: auto !important;"></a>(<a href="http://tools.ietf.org/html/rfc2606" target="_blank" style="color:rgb(0,116,158);text-decoration:none;outline:none">http://tools.ietf.org/html/rfc2606 <img src="https://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-components-sitefiles/10_5F00_external.png" border="0" title="This link is external to TechNet Wiki. It will open in a new window." alt="Jump" style="overflow: hidden; max-width: 100%; height: auto !important;"> </a>) This RFC standard is very explicit on choosing domain names for private testing and documentation"</p><p style="color:rgb(42,42,42);font-family:'Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif">Microsoft sum it up very succinctly today for anyone contemplating a fresh AD domain...</p><p style="color:rgb(42,42,42);font-family:'Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif">"Microsoft strongly suggests to work with subdomains, within a publicly registered TLD domain. Check: Creating Internal and External Domains op <a href="https://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx" target="_blank" style="color:rgb(0,116,158);text-decoration:none;outline:none">https://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx <img src="https://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-components-sitefiles/10_5F00_external.png" border="0" title="This link is external to TechNet Wiki. It will open in a new window." alt="Jump" style="overflow: hidden; max-width: 100%; height: auto !important;"></a>"</p><br><div class="gmail_quote"><div>On Fri, 8 Sep 2017 at 00:23, James Stevens <<a href="mailto:James.Stevens@jrcs.co.uk">James.Stevens@jrcs.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">>> It would be interesting to hear from a ROOT server operator (or two), or<br>
>> somebody who has looked at the OARC DITL data, to know what proportion<br>
>> of ROOT query traffic might be the result of TLD squatting.<br>
><br>
> ICANN commissioned a report (and followup studies) on that very topic in 2013:<br>
><br>
> <a href="https://www.icann.org/en/system/files/files/name-collision-02aug13-en.pdf" rel="noreferrer" target="_blank">https://www.icann.org/en/system/files/files/name-collision-02aug13-en.pdf</a><br>
<br>
Thanks - very useful.<br>
<br>
A quick skim suggests this was aimed very much at looking for a specific<br>
range of collisions, although that did include some Vendor defaults - as<br>
opposed to looking at the issue in a more general sense - which I<br>
understand is very difficult for all sorts of reasons.<br>
<br>
Not least because, now the internet has such a large mobile contingent,<br>
the simple typo of "." instead of SPACE is starting to be quite a big issue.<br>
<br>
<br>
<br>
<br>
"Using “Private” Top-Level Domains<br>
<br>
In Windows 200x, you can create your own top-level domains for your<br>
internal networks. It’s a very good idea, when applicable, to create<br>
top-level internal domains that do not exist outside your internal<br>
network. Using a top-level domain such as .home or .work<br>
makes it difficult for users outside your network to resolve IP<br>
addresses for computers inside your private network, since these<br>
top-level domains do not exist in the public DNS system."<br>
<br>
<br>
Well, there you have it - And that's in a training manual for MSCE -<br>
admittedly for Server 2003! At least they put "private" in inverted commas.<br>
<br>
<br>
<a href="https://books.google.co.uk/books?id=Z-zLkifsnXoC&pg=PA5&lpg=PA5&dq=%22Using+a+top-level+domain+such+as+.home+or+.work%22&source=bl&ots=JhWEfrghXs&sig=oiryNe7zKgZ7A6AId5rXrr3YaFw&hl=en&sa=X&ved=0ahUKEwiTvtzpnJPWAhXmIsAKHbTxBtMQ6AEIKDAA#v=onepage&q=%22Using%20a%20top-level%20domain%20such%20as%20.home%20or%20.work%22&f=false" rel="noreferrer" target="_blank">https://books.google.co.uk/books?id=Z-zLkifsnXoC&pg=PA5&lpg=PA5&dq=%22Using+a+top-level+domain+such+as+.home+or+.work%22&source=bl&ots=JhWEfrghXs&sig=oiryNe7zKgZ7A6AId5rXrr3YaFw&hl=en&sa=X&ved=0ahUKEwiTvtzpnJPWAhXmIsAKHbTxBtMQ6AEIKDAA#v=onepage&q=%22Using%20a%20top-level%20domain%20such%20as%20.home%20or%20.work%22&f=false</a><br>
<br>
<br>
... and, from the report itself ...<br>
<br>
"Widely adopted industry practices for the development of enterprise<br>
network naming schemes have long promoted the use of labels that are not<br>
delegated in the public DNS as top-level domain names."<br>
<br>
<br>
Given that statement, its hard not to say there is an issue.<br>
<br>
I would suggest, that wide spread rfc1918 use shows that *if* there had<br>
been an "official" way to have undelegated domains it would have been used.<br>
<br>
<br>
I suppose another solution would be to use a domain name that would be<br>
invalid in the public space, but OK for private use - like a "zz__"<br>
prefix? Would that be a viable alternative?<br>
<br>
I can't help feeling that NOTHING is truly "safe" to use, until there is<br>
something that is "officially" endorsed as safe to use.<br>
<br>
<br>
<br>
James<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operationsdns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-operations</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a></blockquote></div></div>