Generic DNS question



  • This is what I have in place.  Does it make sense, or did I miss something?

    I have a registered domain.ca.  I use the domain registrar's DNS as authoritative (I think that's the right term), updated dynamically to be my pfSense WAN interface public IP.  I don't actually have any hosts defined in their DNS, just the root (@).  Its sole purpose is so I can use a name to assist in OpenVPN access from external.

    My internal Windows domain is based on that, but one level deeper: it is inside.domain.ca.  My Windows DC and another Windows VM are authoritative for that inside.domain.ca, and I have the DNS forwarder loaded on pfSense.  I have all three configured to forward to my ISP's DNS servers.  pfSense DNS is only used if my Windows DCs are down for some reason, and so that my pfSense can correctly resolve my inside hosts for reports / graphs etc.  I have manually created host entries for all inside hosts in the pfSense firewall.

    These internal DNS servers are all just for internal resolution.  My internal DNS servers and the registrar's DNS do not know about or forward to each other.  I have no need to ever resolve hostname.inside.domain.ca from the Internet.

    I considered adding a host entry for inside.domain.ca to my registrar's DNS and pointing that to my WAN public IP, but that seemed counterproductive since it would be an external IP and, as I said before, I don't ever need to resolve anything.inside.domain.ca from external, and internally, well, you always want the internal private IP!

    I wondered if I could put, say, the private IP of my DC in my registrar's DNS as a host record for inside.domain.ca, but I am not sure how that would help anything, I am not sure if they let you use a private IP this way, and frankly I am not sure I want external parties knowing an important internal IP address from a security perspective!

    Just looking for a sanity check here!



  • No feedback?  Either I got everything right, or I made such a big mess it's not worth fixing? :)



  • There is no need to have 'internal.domain.ca' for your internal domain to differentiate it from the external domain.  Doing that just makes your internal FQDNs unnecessarily long.

    What most people who use split DNS do is simply name the internal domain the same as the external domain.  What differentiates the result is which DNS server answers.

    For example, let's say your server is 'server1.domain.ca' and it hosts some website.  Internally your PCs will have their DNS set to an internal DNS server (could be pfSense or a DNS server).  When they look up this site, they will get an internal address and browse to the site.  Externally you would enter server1.domain.ca in your external domain but put the WAN IP address of your router.  If an external PC types the same address you get to the correct website, as the external user looks up an external DNS but gets routed through.
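    One concrete way to set up the split-DNS arrangement described in this reply, added here as an editor's example rather than anything posted in the thread: an Unbound resolver fragment that answers 'server1.domain.ca' with a private address for LAN clients and forwards everything else to the ISP's resolvers. pfSense's DNS Resolver is Unbound, but pfSense generates its own configuration from the GUI; this file is hand-written, and the 192.168.1.0/24 network, the 192.168.1.10 server address and the 203.0.113.0/24 ISP resolvers are assumed values.

    ```conf
    # Hand-written Unbound split-DNS fragment (assumed addresses, not pfSense-generated).
    server:
        # Listen on the LAN interface only; the public view lives at the registrar,
        # so nothing on the WAN side should ever be able to query this resolver.
        interface: 192.168.1.1
        access-control: 192.168.1.0/24 allow
        access-control: 0.0.0.0/0 refuse

        # "transparent": names we define below are answered locally, every other
        # name under domain.ca falls through to the upstream (public) view.
        local-zone: "domain.ca." transparent
        local-data: "server1.domain.ca. IN A 192.168.1.10"
        local-data-ptr: "192.168.1.10 server1.domain.ca"

        # Allow private (RFC 1918) answers for this zone so Unbound's rebinding
        # protection does not strip the internal address we just defined.
        private-address: 192.168.0.0/16
        private-domain: "domain.ca"

    # Everything not defined above goes to the ISP resolvers (assumed addresses),
    # which only ever see the public zone: the internal name/IP pair never leaves
    # the LAN, so no internal address has to be published at the registrar.
    forward-zone:
        name: "."
        forward-addr: 203.0.113.53
        forward-addr: 203.0.113.54
    ```

    The same name resolves to 192.168.1.10 for LAN clients and to the router's WAN address for everyone else, which is the whole point of the split view.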


  • LAYER 8 Global Moderator

    For internal domains, use a TLD that is internal only.  I use local.lan for my local domain.  If you registered domain.ca, then use domain.lan for local, or domain.local, or domain.whatever that is not a public TLD and tells you it's local.

