[Sysadmins] Private DNS

Alan Doherty alan at alandoherty.net
Wed Nov 18 18:12:30 GMT 2009


At 12:37 18/11/2009  Wednesday, David Malone wrote:
>On Wed, Nov 18, 2009 at 12:01:13PM +0000, Philip Reynolds wrote:
>> Maybe it would be preferable to use a sub-domain of their existing
>> domain which would stop any potential future TLD conflicts. Especially
>> as we see more and more new TLDs.
>> 
>> e.g. local.domain.com or int.domain.com?
>
>That's what I've done in other cases, once a real domain has been
>registered.

It's what I recommend regularly, as if it leaks at least people can report it back to your organisation
{i.e. host xyz.blah.local.domain.com keeps trying to HELO as such to my server and you need to HELO with a publicly resolvable A}.
When it's host xyz.domain.local there is no way to determine whether it is domain.com, domain.net or domain.ie that actually owns the misbehaving host {unless they have whois or RDNS {few this badly set up do}}.


>> I'm not aware of any special TLD equivalent to RFC 1918.

Well, there is:
http://www.faqs.org/rfcs/rfc2606.html

but it doesn't have any of the common bad TLDs {like .local}.

I'd be in favour of .local being made the RFC 1918 equivalent
{due to its burnt-in local use on so many M$ setups}
if someone wants to push out an RFC to update 2606,

but I'd still not recommend its use in any situation where a real sub-domain is available.


{I know our caching DNS servers for customer use are already configured to authoritatively respond NXHOST for any
.local, .168.192.in-addr.arpa, RFC 1918 and RFC 2606, and other common bleed DNS traffic like .lan and .adsl {as some routers seem to hand these out to hosts}}
{to try and lessen our customers' impact on the poor roots}
as per http://dns.measurement-factory.com/writings/wessels-netts2004-paper.pdf, actually some updated version of it I found/read ages ago.

We also "strongly" insist they configure their servers to use ours and not query/pollute directly.
Thus far no one has asked us to unblock port 53 outbound except one customer for one IP {their helpdesk guy who needed to run dig/nslookup directly against other people's servers for test/diagnosis reasons}.

>There does seem to be a need for something like this, based
>on invalid queries reaching the root servers. This is quite
>fun:
>
>        http://stats.l.root-servers.org/cgi-bin/dsc-grapher.pl?window=604800&plot=qtype_vs_invalid_tld&server=L-root&yaxis=count
>
>David.
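As an added illustration (not from the original post or the list), this is what the "swallow the bleed traffic locally" resolver setup described above can look like in an Unbound `unbound.conf`; the exact zone list is an assumption taken from the names mentioned in the thread, not a copy of anyone's real configuration.

```conf
server:
    # Added example: make the caching resolver answer authoritatively (NXDOMAIN)
    # for names that should never leave the network, so none of these queries
    # are forwarded to the root servers. Zone list is an assumption based on
    # the names discussed above.

    # Unbound already serves the RFC 1918 reverse zones (10.in-addr.arpa.,
    # 16.172.in-addr.arpa. ... 31.172.in-addr.arpa., 168.192.in-addr.arpa.)
    # as static local zones by default; keep that default behaviour.
    unblock-lan-zones: no

    # Common "bleed" TLDs handed out by mis-configured hosts and routers.
    # "static" answers NXDOMAIN for any name under the zone that has no
    # local-data, and the answer is served from this resolver only.
    local-zone: "local." static
    local-zone: "lan."   static
    local-zone: "adsl."  static

    # RFC 2606 reserved TLDs. "localhost." is already a built-in static zone
    # carrying an A record for 127.0.0.1, so it is deliberately not overridden.
    local-zone: "test."    static
    local-zone: "example." static
    local-zone: "invalid." static
```

After a reload, a query such as `dig @127.0.0.1 printer.local` should come back NXDOMAIN from the resolver itself, and a packet capture on the resolver's upstream side should show no corresponding query leaving for the roots.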
