Normally the thing just either asks for the full fqdn, or it breaks it out to host and domain. In the case with host and domain it would be

name: host
domain: sub.domain.tld or sub.other.domain.tld etc..

I'll do some experimenting. Thanks.

If you want a nudge I would use home.arpa, if you so desire to have your own flare on that then use host.something.home.arpa, I do this for a few interfaces on pfsense where I setup a host override so if I do a ptr on say my dmz, it comes back sg4860.dmz.home.arpa - now I know hey that 192.168.x IP is my dmz segment.

$ dig -x 192.168.3.253                                                                   
                                                                                         
; <<>> DiG 9.16.45 <<>> -x 192.168.3.253                                                 
;; global options: +cmd                                                                  
;; Got answer:                                                                           
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46845                                
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1                     
                                                                                         
;; OPT PSEUDOSECTION:                                                                    
; EDNS: version: 0, flags:; udp: 1232                                                    
;; QUESTION SECTION:                                                                     
;253.3.168.192.in-addr.arpa.    IN      PTR                                              
                                                                                         
;; ANSWER SECTION:                                                                       
253.3.168.192.in-addr.arpa. 1927 IN     PTR     sg4860.dmz.home.arpa.                    
                                                                                         
;; Query time: 4 msec                                                                    
;; SERVER: 192.168.3.10#53(192.168.3.10)                                                 
;; WHEN: Wed Jan 03 13:27:53 Central Standard Time 2024                                  
;; MSG SIZE  rcvd: 89                                                                    

and I get the same for my wlan, and wguest, etc. etc..

If devices didn't like subdomains, the internet wouldn't be able to function.

I did the different names for the different networks via host overrides, because sometimes I forget hey what network is my roku network vs my iot networks.. I can just do a simple dig -x for pfsense IP in whatever network 192.168.x.253 and know exactly what network I am on ;)

I haven't discovered a good way to integrate my local domain with my outside domain. Good means minimal compromises. Over the years, I've tried these approaches:

organization.com - just use the external domain internally. This has been my solution for a long time.
organization.local -> we know the issues with that.
int.organization.com -> I did this long ago, and don't recall the issues. I believe some devices don't like subdomains.
and of course, organization.arpa - which I thought was what NG/pf had gone to recommending.

This is a topic I've searched and read a lot on. I'd appreciate a nudge in the 'right' direction.

ndemarco

You'd think I would have thought to look there

Yup you would think ;)

As to internal.arpa - Its been awhile since I read the rfc for the new home.arpa, but I don't think using anyname.arpa is really recommended, home.arpa is what is recommended for your internal domain.

https://www.rfc-editor.org/rfc/rfc8375.html
Special-Use Domain 'home.arpa.'

use of otherdomain.arpa could lead to problems if the global dns is queried..

You prob would want to switch to say yourchoice.home.arpa, if you want to use something in the fqdn other than just home.arpa - I have finally migrated to home.arpa from my local.lan choice of years ago.. It was pretty painless, just had to redo some certs is all. and just in case when I redid the certs I left hostname.local.lan in there as a san.

The reason I was dragging my feet on the move was more to the fact that the old certs I had created had long life of 10 years, vs now browsers like to see less than what 398 days for life of cert. Since the certs were created before the change to that, they still allowed access without the browser complaining about the length of the life of the cert.

Thanks.