.com vs .local

Thread starter: Guest
Anyone know if there is a security advantage to using .local rather than .com? Even if, let's say, I'm hosting my own website with the same domain name port.com and my domain is port.com, should I use port.local? Any info would help. Thanks
 
kid said:
Anyone know if there is a security advantage to using .local rather than
.com? Even if, let's say, I'm hosting my own website with the same domain
name port.com and my domain is port.com, should I use port.local? Any
info would help. Thanks

It might be said to be a security advantage, but the point is arguable.

The security advantage (what there is) comes from the SEPARATION of
the external zone (.com) from the internal zone (.local in this case) and
the consequent ability to separate the zones onto different server sets.

This can, however, be done with a single name. The concept is usually
known as "Shadow DNS" (aka "Split DNS", or even [sic] "split brain").

Although most people consider Shadow DNS to be the "same zone" internally
and externally, what it really amounts to is TWO zones with the same name,
since you purposely create two Primaries (or a Primary AND an AD-integrated
set) with the specific intent to "break replication" between them.

Outside is a Primary (with secondaries) that holds ONLY external records for
resources you wish to make publicly accessible.

Inside, your Primary/Master set holds both the external records and all
internal records -- especially the dynamic resource records registered
automatically by DCs and other systems.

The disadvantage? Every new external record or record change must be
manually duplicated on the internal DNS master IF you wish it to be
accessible to your internal users -- a small amount of extra work; for most
people a VERY SMALL amount of work.
 
It might be said to be a security advantage but the point is arguable.
<good stuff snipped>

Indeed it is arguable. In fact people tend to get a bit, um, heated
about it at times! <grin>

I just want to point out a third option, which is to make your
internal DNS a subdomain of the external one. This has some advantages
over the other methods, as they have over this one.

I think that the best course is to think about the options, then
choose the one you like best!

Cheers,

Cliff
 
I just want to point out a third option, which is to make your
internal DNS a subdomain of the external one. This has some advantages
over the other methods, as they have over this one.

Yes, and there is a "sort of 4th" option -- depending on how you count:

Use a (technically) registered name, but choose one of your alternative
names which you don't use for any actual commercial purposes: .net, .org,
etc.

ALL of these solutions share one thing in common: in essence they set up a
separate domain for the internal and the external DNS -- even the one with
the "same name" is essentially "two domains with the same name."

THE KEY: Don't expose internal names externally, make sure the internal
machines can resolve the external names, and so if you use the "same name"
you will need to duplicate the external names on the internal server (set).
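The two rules the thread converges on (the internal primary must carry every external record so inside users can resolve public names, and the external primary must never carry an internal name) can be checked mechanically. The following is an added example, not code from any poster in this thread: it models the two same-named "Shadow DNS" zones from the earlier reply as constructed zone-file text (names and addresses are made up) and audits them against both rules. The RFC 1918 test and the list of Active Directory SRV prefixes used to spot internal records are assumptions of this example, and the parser handles only the one-record-per-line subset shown; a real audit would load each zone with dnspython or by AXFR from each server set.

```python
"""Audit a split ("shadow") DNS pair: added example, not from the thread.

Two primaries carry the zone name port.com and deliberately do not
replicate.  The external one must hold only public records; the internal
one must hold the public records plus everything internal (DC hosts,
AD-registered SRV records, ...).  Zone text below is constructed.
"""
import ipaddress

# Constructed: what the public primary serves.
EXTERNAL_ZONE = """
$ORIGIN port.com.
@       IN  SOA ns1.port.com. hostmaster.port.com. (2024010101 3600 900 604800 300)
@       IN  NS  ns1.port.com.
@       IN  A   203.0.113.10
www     IN  A   203.0.113.10
mail    IN  A   203.0.113.25
@       IN  MX  10 mail.port.com.
ns1     IN  A   203.0.113.53
"""

# Constructed: the internal primary with the same name.  Someone forgot to
# duplicate mail/MX/ns1 here, which the audit should catch.
INTERNAL_ZONE = """
$ORIGIN port.com.
@           IN  SOA dc1.port.com. hostmaster.port.com. (2024010105 3600 900 604800 300)
@           IN  NS  dc1.port.com.
@           IN  A   203.0.113.10
www         IN  A   203.0.113.10
dc1         IN  A   10.0.0.5
fileserver  IN  A   10.0.0.20
_ldap._tcp  IN  SRV 0 100 389 dc1.port.com.
"""

# Constructed: an external zone into which internal records have leaked.
LEAKY_EXTERNAL_ZONE = """
$ORIGIN port.com.
@           IN  NS  ns1.port.com.
www         IN  A   203.0.113.10
dc1         IN  A   10.0.0.5            ; domain controller published by mistake
_ldap._tcp  IN  SRV 0 100 389 dc1.port.com.
"""

# Assumption: internal hosts live in RFC 1918 space, and these owner-name
# prefixes are the SRV records Active Directory DCs register dynamically.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AD_SRV_PREFIXES = ("_ldap.", "_kerberos.", "_gc.", "_kpasswd.", "_msdcs")


def parse_zone(text):
    """Return a set of (owner, type, rdata) triples from a minimal zone file.

    Supports one record per line, '$' directives and ';' comments skipped,
    class IN only.  SOA is dropped: each primary legitimately has its own.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN" or fields[2] == "SOA":
            continue
        records.add((fields[0], fields[2], " ".join(fields[3:])))
    return records


def missing_internally(external, internal):
    """Rule 1: external records the internal primary lacks and must duplicate.

    Apex NS is excluded because it names the *other* server set on purpose.
    """
    ext = {r for r in parse_zone(external) if r[1] != "NS"}
    return sorted(ext - parse_zone(internal))


def leaked_internal(external):
    """Rule 2: records in the external zone that look internal (heuristic)."""
    leaks = []
    for owner, rtype, rdata in sorted(parse_zone(external)):
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            leaks.append((owner, rtype, rdata))
        elif rtype == "SRV" and owner.startswith(AD_SRV_PREFIXES):
            leaks.append((owner, rtype, rdata))
    return leaks


def audit(external, internal):
    """Run both checks; return True when the pair is consistent and clean."""
    missing = missing_internally(external, internal)
    leaks = leaked_internal(external)
    for rec in missing:
        print("duplicate on internal master:", *rec)
    for rec in leaks:
        print("REMOVE from external zone:   ", *rec)
    return not missing and not leaks


if __name__ == "__main__":
    print("sane pair:", audit(EXTERNAL_ZONE, INTERNAL_ZONE))
    print("leaky pair:", audit(LEAKY_EXTERNAL_ZONE, INTERNAL_ZONE))
```

Run against the constructed pair, the audit lists the mail A record, the MX record and ns1 as "duplicate on internal master", which is exactly the manual step the earlier reply calls the small disadvantage of the same-name approach; against the leaky zone it flags the DC address and the `_ldap._tcp` SRV as records that should never have left the internal server set.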
 