Advice on Internal and External DNS Management
-
Hello,
I would like some advice on the best practice of handling internal and external DNS. I have multiple satellite offices with site-to-site vpns over wireguard connecting them.
As an example, my domain is example.com. Each site is assigned a subdomain of the city abbreviated with a number. For example, nyc1.example.com, nyc2.example.com, etc.
I have internal services at nyc1 that I would like the satellite offices to access. I want to keep the DNS config as simple as possible at the satellite offices and do as much as possible at nyc1.
I would like to use subdomains for services that resolve to the underlying service and ip. So for example, service1.example.com -> service1.nyc1.example.com -> 10.0.1.1
It seems that using BIND with CNAMEs at nyc1 would work for this.
At the satellite offices I would like to use a domain override to point to nyc1.
Here is the actual issue: on our public DNS we have nyc1.example.com resolving to the public IP at that location, and so on for each location.
If I forward the whole example.com domain to nyc1 then it can't resolve the ip initially to connect to the vpn.
From what I understand, I could specifically add every service to the domain override and only forward those. However, I don't want to do this, as I want to keep as much of the configuration at one location (nyc1).
I could also use the internal subdomain, such as service1.internal.example.com, and forward only the internal subdomain with a domain override. However, I would rather not do this (unless it is a best practice) and keep the subdomain for the services directly under the root, such as service1.example.com.
I could also just register another domain for the purpose of resolving the sites endpoints. If this is the best practice, then what is the recommended naming scheme?
So with this context in mind, what is the best practice, and what do other companies do to handle this situation?
If you guys have any recommendations for managing this or anything else, I am open to suggestions and would love to learn more about this!
-
@Unscathed7897 give you my opinion, been working with dns for well, since there has been dns ;)
You will have less headaches if you keep your internal domains different than your public.. Even if that is a public domain.. Say use .com externally and .net internally. But you should own both of these domains.. Don't go using example.net if you do not pub own that domain with that .tld
From my understanding .internal is going to be a new approved for internal use, like the home.arpa domain here soon.. Don't go just making up some tld that is just not currently in the public space. I used to use just local.lan for just my home local domain. I doubt lan will ever be a public tld.. But now that they have come up with the home.arpa and soon .internal specific for internal use.. These are the good choices if you go that route.. I have switched my local.lan to home.arpa - since this is better practice for sure.
So for your internal resources stuff could be example.internal, and nyc1.example.internal, etc. Or could be example.home.arpa and nyc1.example.home.arpa
One way of keeping them sep is sure a sub, like your nyc1.internal.example.com - but completely different domain via the different tld works out better and easier if you ask me.
Now you use a domain override for example.internal or example.home.arpa but example.com would use your public dns and resolve your public IPs to be able to access your vpns.
Might be a PITA to switch over, but believe me different domains for internal vs external is cleaner solution all the way around. Now sure you could continue to use your example.com internally, and create a new public domain for your vpn connections.
But what other service might you have where you run into a problem with internal vs external resolution?
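To make the chicken-and-egg problem from the original post and the fix suggested in the reply above concrete, here is a small added model of a satellite-office resolver (example code, not from either poster and not a real resolver). It assumes a domain override behaves like a longest-suffix match that picks a forwarder, that the internal BIND at nyc1 is only reachable once the WireGuard tunnel is up, and that CNAMEs are chased hop by hop; all zone contents, host names and IPs (TEST-NET and RFC 1918 addresses) are constructed for the illustration.

```python
"""Added example: model of domain overrides, CNAME chasing and the VPN
chicken-and-egg problem discussed in the thread. Zones and IPs are constructed."""


class ResolutionError(Exception):
    pass


class Upstream:
    """A server we forward to. `reachable` is a callable so the internal
    server at nyc1 can be unreachable while the VPN is down."""

    def __init__(self, name, zone, reachable):
        self.name = name
        self.zone = zone            # qname -> (rrtype, rdata)
        self.reachable = reachable

    def query(self, qname):
        if not self.reachable():
            raise ResolutionError(f"upstream {self.name} unreachable for {qname}")
        rr = self.zone.get(qname)
        if rr is None:
            raise ResolutionError(f"{qname}: NXDOMAIN at {self.name}")
        return rr


def pick_upstream(qname, overrides, default):
    """Longest-suffix match: the assumed behaviour of a domain override."""
    best = None
    for suffix, upstream in overrides.items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, upstream)
    return best[1] if best else default


def resolve(qname, overrides, default, max_chain=8):
    """Resolve qname to an IPv4 string, following CNAMEs. Every hop goes
    through pick_upstream again, so a CNAME may cross override boundaries."""
    name = qname
    for _ in range(max_chain):
        rrtype, rdata = pick_upstream(name, overrides, default).query(name)
        if rrtype == "A":
            return rdata
        if rrtype == "CNAME":
            name = rdata
            continue
        raise ResolutionError(f"unexpected record type {rrtype} for {name}")
    raise ResolutionError(f"CNAME chain too long starting at {qname}")


# Constructed public zone: the VPN endpoints, as in the original post.
PUBLIC_ZONE = {
    "nyc1.example.com": ("A", "203.0.113.10"),
    "nyc2.example.com": ("A", "203.0.113.20"),
}

# Constructed internal zone served by BIND at nyc1: the service layout the
# poster wanted, once under example.com and once under example.internal.
INTERNAL_ZONE = {
    "service1.example.com": ("CNAME", "service1.nyc1.example.com"),
    "service1.nyc1.example.com": ("A", "10.0.1.1"),
    "service1.example.internal": ("CNAME", "service1.nyc1.example.internal"),
    "service1.nyc1.example.internal": ("A", "10.0.1.1"),
}


def scenario(override_suffix, service_name):
    """A satellite office boots with the VPN down: it must resolve the nyc1
    endpoint from public DNS, bring the tunnel up, then resolve a service."""
    vpn = {"up": False}
    public = Upstream("public-dns", PUBLIC_ZONE, reachable=lambda: True)
    internal = Upstream("nyc1-bind", INTERNAL_ZONE, reachable=lambda: vpn["up"])
    overrides = {override_suffix: internal}
    result = {"vpn_endpoint": None, "service": None, "error": None}
    try:
        result["vpn_endpoint"] = resolve("nyc1.example.com", overrides, public)
        vpn["up"] = True  # tunnel comes up once the endpoint address is known
        result["service"] = resolve(service_name, overrides, public)
    except ResolutionError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print("override example.com      ->", scenario("example.com", "service1.example.com"))
    print("override example.internal ->", scenario("example.internal", "service1.example.internal"))
```

Overriding the whole of example.com sends the very first query, for the VPN endpoint, to a server that cannot be reached yet, so nothing resolves; overriding only example.internal leaves the endpoint on public DNS and still lets the CNAME chain for the service be answered entirely by nyc1. The sub-zone variant from the original post (overriding internal.example.com) behaves the same way in this model; the reply's point is about keeping internal and public names in different domains, not about the mechanism.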
-
@johnpoz Thank you for your response! Okay, so separate domains it is then!
-
@Unscathed7897 if you have been using example.com a long time internally.. From a users point of view, might be better to get a new domain example.net for external use - for your vpn connections or any other stuff you might host externally or need to resolve public for.. This might be less of a learning curve for users, and for sure less to change on your network if you have been using example.com for any length of time ;)