Windows Server: How to properly configure a internal only subdomain

Question

Let's asume, that I own the domain "example.com" and I should configure an internal subnet for my company.

I read, that when you want to install Active Directory, DNS and DHCP in an internal network you shouldn't use a TLD like .local, .intra or .lan, because with gTLD there could be a collision with already registered TLDs.

So the best pratice would be to create a subdomain, like "intra.example.com" for internal purpose only.

But when I create a subdomain on a Windows Server, this subdomain is accessable from outside. So what can I do, that this subdomain is only accessable from inside the network.

Alternatively, I also read that the following TLDs are reserved:

.test

.example

.invalid

.localhost

Would it be a proper setup, to have a domain like "company.com" for external purpose and a domain like "company.localhost" for internal purpose?

Thank you in advance.

Answer 1

You still need perimeter security, including a firewall that does not let anything outside your LAN touch your internal services including the directory. And do not put internal resources in public DNS.

Use a domain you purchased from a public registrar. Active Directory could be corp.example.com and your public web presence www.example.com. Or maybe you grab different TLDs and your domain is example.net but your public presence is example.com.

None of those reserved TLDs are appropriate for a production service. Technically, they do not conflict with other uses, but it is poor branding to associate your organization with "testing" or "invalid".