.local vs .com

Paul Banco

Does anyone have a link to Microsoft's site on the official reason why you
should use .local vs .com? I had the link and for some reason I cannot find it.

Thanks
Paul
 
Leythos

Paul said:
Does anyone have a link to Microsoft's site on the official reason why you
should use .local vs .com? I had the link and for some reason I cannot find it.

I use .LAN and not .local in my internal configs. When you use a .COM
you run the risk of a real .COM being out there.
 
Paul Banco

Yes, agreed. I just know there is an official statement from Microsoft. There
are also other security concerns. I just need something official to show my
boss. He is not convinced :)

Thanks
Paul
 
Tomasz Onyszko

Paul said:
Does anyone have a link to Microsoft's site on the official reason why you
should use .local vs .com? I had the link and for some reason I cannot find it.
There is no such document, or in other words, I don't know of such a
document. The only disadvantage of a "split brain" configuration, if both
domains (.local and .com) are the same name and it is your domain, is that
you have to maintain two DNS configurations and two DNS servers, so it
involves a little administrative overhead.

If it isn't your domain (this .com one), you have the problem that users
can try to access the real .com Internet address and will not be able
to, because your DNS will be authoritative for this DNS namespace.

So, the decision is yours.
 
Paul Banco

Thanks Tom,

I actually posted this question before and he pointed me to a link on the MS
site that went into detail explaining the differences as well as the
security concerns. The problem is I lost the link.

Thanks
Paul
 
Leythos

Tomasz Onyszko said:
There is no such document, or in other words, I don't know of such a
document. The only disadvantage of a "split brain" configuration, if both
domains (.local and .com) are the same name and it is your domain, is that
you have to maintain two DNS configurations and two DNS servers, so it
involves a little administrative overhead.

If it isn't your domain (this .com one), you have the problem that users
can try to access the real .com Internet address and will not be able
to, because your DNS will be authoritative for this DNS namespace.

There is another real problem: when I first installed 2000 Server, my
very first time, I used a domain named storm.com as it was a test
network to play with. After a couple of days I noticed that I was getting
tons of packets from an IP address outside of my network, about 600
attempts/connects per hour. I found the contact for the external IP and
between the two of us we learned that their domain name was storm.com;
it appears that the DNS server I had set up was trying to replicate with
their real name storm.com... I felt like a fool.

Even if you have a domain name, foobar.com, registered, there is no
reason to have your internal domain name the same; it just invites
problems. You can name your LAN foobar.lan and then set up DNS for
foobar.com so that it directs all of your internal users to the internal
IP (since your firewall should be blocking them from round-tripping
anyway).
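The split-horizon arrangement Leythos describes (an AD domain on a private name, plus an internal copy of the public zone that answers with internal addresses) as an added example in PowerShell. This is not code from the thread or from Microsoft's documentation; it assumes a Windows Server DNS role with the DnsServer module, a hypothetical AD domain foobar.lan served by a hypothetical DC/DNS server dc1.foobar.lan, a registered public zone foobar.com, and hypothetical private addresses for the hosts internal users must reach. It also prints the zone's SOA primary server and refuses zone transfers, so you can confirm the server considers itself primary and that nothing outside can pull the internal view.

```powershell
# Added example, not from the original thread. Assumes a Windows Server DNS
# role with the DnsServer PowerShell module, an AD domain foobar.lan
# (hypothetical) and a registered public zone foobar.com whose hosts should be
# reached on private addresses (hypothetical) from inside the LAN.
Import-Module DnsServer

$InternalZone   = 'foobar.com'      # same name as the public zone, served internally only
$DnsServer      = 'dc1.foobar.lan'  # hypothetical internal DNS server / domain controller
$PublicResolver = '8.8.8.8'         # any public resolver, used only for the comparison below

# 1. Create an internal, AD-integrated copy of foobar.com. Once this server is
#    authoritative for the name, every public foobar.com record that is NOT
#    added below will fail to resolve for internal clients, so the zone must
#    carry all the names inside users need.
if (-not (Get-DnsServerZone -Name $InternalZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $InternalZone -ReplicationScope Domain -ComputerName $DnsServer
}

# 2. Populate the names internal users need, pointing at internal IPs, so the
#    answer never has to hairpin through the firewall.
$InternalRecords = @{
    'www'  = '10.0.0.5'   # hypothetical private address of the web server
    'mail' = '10.0.0.6'   # hypothetical private address of the mail server
}
foreach ($name in $InternalRecords.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $InternalZone -Name $name -RRType A `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name $name `
            -IPv4Address $InternalRecords[$name] -ComputerName $DnsServer
    }
}

# 3. Refuse zone transfers so nothing on the outside can pull the internal view.
Set-DnsServerPrimaryZone -Name $InternalZone -SecureSecondaries NoTransfer -ComputerName $DnsServer

# 4. Confirm the zone's SOA names this server as primary: an authoritative
#    primary has no reason to ask anyone else about its own zone.
$soa = Get-DnsServerResourceRecord -ZoneName $InternalZone -RRType Soa -ComputerName $DnsServer
"SOA primary   : $($soa.RecordData.PrimaryServer)"

# 5. Verify the two views differ: internal clients get the private address,
#    the public resolver still returns the Internet-facing one.
$inside  = Resolve-DnsName -Name "www.$InternalZone" -Type A -Server $DnsServer
$outside = Resolve-DnsName -Name "www.$InternalZone" -Type A -Server $PublicResolver
"Internal view : $($inside.IPAddress)"
"Public view   : $($outside.IPAddress)"
```

Run it on the DNS server (or with RSAT) as a DNS administrator. The important operational consequence is step 1: any public name under foobar.com that is not copied into the internal zone becomes unreachable from inside, which is exactly the failure mode Tomasz points out for names you do not own.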
 
Paul Banco

I agree with all of the statements. I just need the official comment from MS,
which is somewhere on their enormous site.

Thanks All
Paul
 
Tomasz Onyszko

Leythos said:
There is another real problem: when I first installed 2000 Server, my
very first time, I used a domain named storm.com as it was a test
network to play with. After a couple of days I noticed that I was getting
tons of packets from an IP address outside of my network, about 600
attempts/connects per hour. I found the contact for the external IP and
between the two of us we learned that their domain name was storm.com;
it appears that the DNS server I had set up was trying to replicate with
their real name storm.com... I felt like a fool.

Even if you have a domain name, foobar.com, registered, there is no
reason to have your internal domain name the same; it just invites
problems. You can name your LAN foobar.lan and then set up DNS for
foobar.com so that it directs all of your internal users to the internal
IP (since your firewall should be blocking them from round-tripping
anyway).

No, IMO if the network is well designed it is not a problem. I will
never let anybody from the Internet connect to my internal DNS
server to pull out my zones or information about my domain. There isn't
another way for them to know that you are running this DNS zone, other than
letting Internet users pull the data from your DNS server.
 
Leythos

Tomasz Onyszko said:
No, IMO if the network is well designed it is not a problem. I will
never let anybody from the Internet connect to my internal DNS
server to pull out my zones or information about my domain. There isn't
another way for them to know that you are running this DNS zone, other than
letting Internet users pull the data from your DNS server.

Inbound DNS was blocked; it was my server that I was seeing, contacting
their STORM.COM server address across the Internet, that was doing the
chatter. I had failed to see the outbound DNS traffic as important when
I was watching the inbound DNS traffic being blocked.

Once I changed the domain name on the local 2000 server it all stopped
:) Silly me.
 
Tomasz Onyszko

Leythos wrote:

Inbound DNS was blocked; it was my server that I was seeing, contacting
their STORM.COM server address across the Internet, that was doing the
chatter. I had failed to see the outbound DNS traffic as important when
I was watching the inbound DNS traffic being blocked.

Oh, but it should not happen, because your DNS has an SOA for the zone pointing
to itself, so it should not contact any other DNS server for the zone
information, because it is authoritative and primary.
 
Leythos

Tomasz Onyszko wrote:

Oh, but it should not happen, because your DNS has an SOA for the zone pointing
to itself, so it should not contact any other DNS server for the zone
information, because it is authoritative and primary.

Well, like I said, it was the very first 2000 Server I had configured,
with the first DNS install I had done. I had never needed a Windows-based DNS
server on the LAN before that.

I can assure you that it was the basic install, under a known .com name,
and it was trying to contact them and they were trying to contact it, to
the tune of about 600 connects per hour (all inbound were blocked).
 
Joey

These are OK, but the doc just tells you to use something other than
"example.com", not example.local vs. local.example.com.

I prefer local.example.com because it looks more "normal" should a
user ever encounter it, and because it really doesn't make any
difference if everything is configured properly.

It also makes more logical sense when you lay it out into child
domains, DMZs, etc.
 

Paul Banco

YESSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS.


Thank you so much

Paul
 