
Planning a new domain and I keep seeing that best practice is to name the forest/domain after a subdomain of our publicly registered domain.

So if we own and use company.com publicly, we should use something to the effect of ad.company.com for our AD DS domain.

The reasons I'm gathering for this:

  1. To avoid split-horizon DNS
  2. To avoid the requirement for "www" to access the publicly hosted website at www.company.com.

But the problem I see with this is connecting to resources differently depending on whether users are onsite or offsite.

So unless I'm missing something, when on the LAN to connect to public "webapp-1" the users will use webapp-1.ad.company.com and when offsite it would be "webapp-1.company.com".

Do most environments use hair-pinning on the router so the users don't ever use the internal domain to access resources? Rely on the search domains?

Managing split DNS doesn't bother me and the "www" isn't a big concern.

Can someone put the pieces together and explain what I'm missing? I imagine I'm overlooking something somewhat obvious.

  • Are you hosting "webapp-1" internally? – joeqwerty Aug 14 '15 at 15:09
  • Yes - we host a lot of internal services that are also publicly available. – willWorkForCookies Aug 14 '15 at 15:10
  • OK, and these services are registered in your internal AD DNS zone as well as your external public DNS zone? – joeqwerty Aug 14 '15 at 15:11
  • It isn't currently the AD DNS zone, but yea. – willWorkForCookies Aug 14 '15 at 15:13
  • OK, then they wouldn't be accessing it via `webapp-1.ad.company.com`, they'd be accessing it via `webapp-1.company.com`, so the only thing you'd need to deal with is hairpin NAT. Any resource in the `ad.company.com` DNS zone will be answered by your AD DNS servers, anything in the `company.com` DNS zone will be answered by your public DNS servers. Your AD DNS servers' authority starts and stops at `ad.company.com`. Perhaps I'm not understanding your dilemma? – joeqwerty Aug 14 '15 at 15:17
  • I guess that is the dilemma, in part: Is it best practice to deal with hairpin NAT or split-horizon DNS? The second part is, is there more to using a subdomain than I'm giving it credit for? – willWorkForCookies Aug 14 '15 at 16:17
  • What's your problem with hairpin NAT? – BlueCompute Aug 17 '15 at 12:22
  • Not sure that I have one personally. Just trying to sort out the pros/cons. If you talk to network engineers, they say NAT is stupid, just use split DNS. If you talk to AD guys, they say just use networking/NAT - always use a subdomain of your public, etc. Both sides give pretty compelling arguments. – willWorkForCookies Aug 17 '15 at 12:28
  • NAT is stupid, and I'd like to see it eradicated from the face of the earth like we did with smallpox, but that's another discussion. Remember that with IPv6 you won't need NAT, but you may still want split DNS in order to use unique local addresses on the intranet. This eliminates internal disruption if your public IPv6 is ever renumbered. – Michael Hampton Aug 24 '15 at 17:41

1 Answer


I've always done split DNS, because I feel like it's less confusing for users inside the company. If you manage your internal and external DNS appropriately, it shouldn't be an issue.
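As an added example (not the answerer's or the poster's code), a small Python model of the layout the comments describe: the AD DNS servers are authoritative for `ad.company.com` and also carry a shadow copy of `company.com`, while the public servers answer `company.com` for everyone else. It shows the same name resolving onsite and offsite, and a check for the usual split-DNS maintenance gap, a record added publicly but not to the internal copy. All zone data, client networks and addresses are constructed.

```python
"""Split-horizon DNS model for the ad.company.com / company.com layout (constructed data)."""
from ipaddress import ip_address, ip_network

# Constructed zones. INTERNAL_ZONES live on the AD DNS servers: the AD zone plus a
# shadow copy of company.com with private addresses. PUBLIC_ZONES live on the
# external servers and never contain the AD zone.
INTERNAL_ZONES = {
    "ad.company.com": {"dc1": "10.0.0.10", "webapp-1": "10.0.0.5"},
    "company.com": {"webapp-1": "10.0.0.5", "www": "10.0.0.20"},
}
PUBLIC_ZONES = {
    "company.com": {"webapp-1": "203.0.113.5", "www": "203.0.113.20", "webapp-2": "203.0.113.6"},
}
# Constructed: clients from these networks are "onsite" and use the AD DNS servers.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def _lookup(zones, fqdn):
    """Return the A record for fqdn from the longest-matching zone, or None (NXDOMAIN)."""
    for zone in sorted(zones, key=len, reverse=True):  # ad.company.com before company.com
        if fqdn == zone or fqdn.endswith("." + zone):
            label = fqdn[: -len(zone) - 1]
            return zones[zone].get(label)
    return None


def resolve(fqdn, client_ip):
    """Split-horizon answer: onsite clients ask AD DNS, everyone else asks public DNS."""
    onsite = any(ip_address(client_ip) in net for net in INTERNAL_NETS)
    return _lookup(INTERNAL_ZONES if onsite else PUBLIC_ZONES, fqdn.lower().rstrip("."))


def shadow_zone_drift(zone):
    """Names present in the public zone but missing from the internal shadow copy.
    These resolve for offsite users yet return NXDOMAIN onsite, the classic split-DNS
    failure when only the public zone is updated."""
    return sorted(set(PUBLIC_ZONES.get(zone, {})) - set(INTERNAL_ZONES.get(zone, {})))


if __name__ == "__main__":
    for name, client in [("webapp-1.company.com", "10.0.0.50"),
                         ("webapp-1.company.com", "198.51.100.7"),
                         ("dc1.ad.company.com", "198.51.100.7")]:
        print(f"{name} from {client} -> {resolve(name, client)}")
    print("drift in company.com shadow zone:", shadow_zone_drift("company.com"))
```

Users type `webapp-1.company.com` in both locations; onsite they get the private address directly, offsite the public one, and no hairpin NAT is involved. Run `shadow_zone_drift` whenever the public zone changes to catch records that were never mirrored internally.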