new domain-DNS

Tags:
DHCP
DNS
Microsoft Windows
Networking services
Hey there, I'm looking for some direction on DNS and domain naming. I am setting up a fresh W2k3 domain: 2 DCs, 1 Exchange, and 1 web server. All XP clients, and W2k3 servers. Our ISP takes care of DNS right now on our NT domain. We have a web server in place that is behind a firewall with NAT. The ISP points 'mycompany.com' to our web server's public IP address, then I NAT it to our web server. My question is, when I create a name for my new domain, what is the best practice for DNS? Should I use domain.mycompany.com, or should I go completely separate and use something like domain.local? One reason I ask is that if we have a change in our web name, such as mycompany.com changing to newcompany.com, how will this affect my internal domain structure if I use domain.mycompany.com? Thanks, and if you know of a site or article that explains this in good detail, I would appreciate that as well.
ASKED: May 25, 2005  3:09 PM
UPDATED: May 26, 2005  8:04 AM

Answer Wiki


Hi

My recommendation is to use a completely independent domain for your internal network. Something like mycompany.local, or, if you use mycompany.com and you also own mycompany.net, use that, but it will block that domain for later usage.

If you use a sub-domain (internal.mycompany.com) you will have to ask your ISP to delegate this zone to you, and STRICTLY avoid having it accessible from the Internet. If for any reason anyone could ever resolve your internal.mycompany.com, he will be able to get the best image of your LAN any hacker could imagine.

Best practice:
– use mycompany (as a top-level domain) -> www.mycompany for your intranet
– use mycompany.local -> www.mycompany.local for your intranet

Have a good evening

Discuss This Question: 3  Replies

  • HumbleNetAdmin
    Let's see if I understand you correctly. Your ISP hosts the external DNS for your Internet domain. Your ISP assigns you an IP address, let's say 66.43.32.x. Your domain mycompany.com resolves to this IP. You have a routing device that answers for the IP 66.43.32.x. Your firewall receives the request for HTTP on IP 66.43.32.x, and 66.43.32.x is NAT'd to an internal IP of, let's say, 191.168.1.x for your web server.

    Now on your internal network I assume that you are going to set up a Win2k DNS server that will resolve names on your internal network. You can set up your internal network with the same domain name as your Internet domain, except that it should have "ad" before mycompany.com, so the name would be "ad.mycompany.com". This is not a must, but good practice.

    The network I manage is affiliated.org. My ISP hosts my DNS, and affiliated.org resolves to 66.43.36.10. My router answers for 66.43.36.10 and passes HTTP requests on to the firewall, which NATs 66.43.36.10 to an internal private IP for the web server. My internal DNS has a zone for ad.affiliated.org, which resolves IPs for all hardware on the network. So the fully qualified domain name for webserver1 would be webserver1.ad.affiliated.org. However, under my private DNS, www.affiliated.org would not resolve, whereas www.ad.affiliated.org would. So I have another private DNS zone, affiliated.org, so that internally I can go to www.affiliated.org, ftp.affiliated.org and so on.

    Keep in mind that my internal DNS and external DNS are separate: on my network www.affiliated.org has nothing to do with www.affiliated.org from the Internet, and vice versa. I could change the name of my external DNS domain affiliated.org to affiliatedco.org and it would still route traffic from the Internet to the web server, and internally www.affiliated.org would still go to the web server. On my network, when you request HTTP for www.affiliated.org, my DNS server answers authoritatively for the request, routing it to the correct server.

    When you attempt to go to something like www.msn.com, my DNS can't answer for that, so it sends the traffic to the default gateway (firewall) and out to the Internet, where a DNS server can answer authoritatively for the request. Now, if I did not have DNS for www.affiliated.org on my network, then requests originating from my network to www.affiliated.org would not be able to reach www.affiliated.org because of the NAT translation going on in the firewall: it will not allow traffic to go out the firewall and then loop around back through the firewall to the web server. I am not the best at explaining things, so I hope I did not cause you more confusion than help.
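The two points above, the answer wiki's warning that an internal zone such as internal.mycompany.com must never be resolvable from the Internet, and HumbleNetAdmin's separate internal copy of the public zone so that www.mycompany.com resolves to the private address without looping through the NAT firewall, as an added example that is not part of the original thread. It assumes a Windows DNS server with the DnsServer PowerShell module (Windows Server 2012 or later; the W2k3 servers in the question would use dnscmd.exe for the same steps), and the zone names and addresses (mycompany.com, internal.mycompany.com, 192.168.1.10, the public resolver 8.8.8.8) are placeholders:

```powershell
# Added example, not code from the original thread. Assumes the DnsServer
# module (Windows Server 2012+). Placeholders: mycompany.com, internal.mycompany.com,
# 192.168.1.10 (private address of the NATed web server), 8.8.8.8 (public resolver).

$PublicZone   = 'mycompany.com'            # the name the ISP publishes on the Internet
$InternalZone = 'internal.mycompany.com'   # AD domain DNS name, must stay internal
$WebInternal  = '192.168.1.10'             # what www must resolve to from the inside

# 1. Internal copy of the public zone ("split-brain" DNS). Inside the network this
#    server is authoritative for mycompany.com, so www resolves to the private
#    address and clients never try to hairpin through the NAT firewall.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name 'www' -IPv4Address $WebInternal

# The internal zone inherits nothing from the ISP's copy: every public name that
# inside clients must reach (ftp, mail, ...) needs its own record here.
Add-DnsServerResourceRecordCName -ZoneName $PublicZone -Name 'ftp' -HostNameAlias "www.$PublicZone"

# 2. Leak check: a public resolver must have no answer for a host in the AD zone.
#    'dc1' is an assumed host name; any name in the zone works for the check.
function Test-InternalZoneLeak {
    param([string]$Zone, [string]$PublicResolver = '8.8.8.8')
    try {
        $r = Resolve-DnsName -Name "dc1.$Zone" -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop
        Write-Warning "LEAK: $($r.Name) resolves from $PublicResolver to $($r.IPAddress)"
        return $true
    } catch {
        Write-Host "OK: $Zone is not resolvable via $PublicResolver"
        return $false
    }
}
Test-InternalZoneLeak -Zone $InternalZone

# 3. The two views of the same name, side by side.
Resolve-DnsName -Name "www.$PublicZone" -Type A -Server 'localhost' -DnsOnly |
    Select-Object Name, IPAddress   # internal view: 192.168.1.10
Resolve-DnsName -Name "www.$PublicZone" -Type A -Server '8.8.8.8' -DnsOnly |
    Select-Object Name, IPAddress   # what the Internet sees: the ISP-published public IP
```

Step 1 is what makes the NAT loop-back problem disappear; step 2 is the check to repeat from outside the network whenever the ISP or the firewall configuration changes, since a delegated internal zone that becomes reachable hands an attacker a host inventory of the LAN.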
  • Sonyfreek
    First things first: put your web server in a DMZ environment. It sounds like you have it inside the firewall on your internal network, according to your initial question. That's a bad idea, because if they own your web server, your domain controller is not far behind...

    Secondly, it doesn't matter what you name your internal network, because you should have a totally separate DNS (aka split DNS). Your internal servers should not use your external servers, and likewise for the external ones. The internal servers know about the inside systems, and the external one knows about what's outside and in the DMZ only.

    Consequently, if your company changes its name from companya to companyb, you would most likely change your domain structure to match anyway. It wouldn't matter if it were companya.com, companya.net, companya.local, etc. If it has companya associated with it, you'd probably want to change it. I like the idea of using ad.company.local because it specifies that it is both Active Directory and internal (of course, it's not fun to type all of the time). The external servers will be .com, .net, or .org, depending on what you are using. Then you also do not have a problem resolving to your own web, FTP, etc. servers from the inside domain, because they would simply query the root servers and make their way back to your external DNS to resolve your server IP correctly. Just my $0.02. SF
  • Cptrelentless
    If I may add my tuppence to this, domain.local or domain.lan is a rubbish way of doing it, even in Windows. If you ever want any sort of integration in the future, then rip your domain apart. Using .mydomain.com is loads better, and any non-Windows techs will thank you for using DNS properly. Also, I'd recommend getting your DNS back from your ISP, unless you want a load of stale records polluting your DNS for the next ten years. People who work at ISPs are, in my experience, incompetent buffoons when it comes to DNS.
