Mailing List Archive



Re: [tlug] LAN domain name naming standards



On Sat, Jan 17, 2004 at 10:20:04AM +0900, Jacques Deguest wrote:

>I would like to get your advice on the following:
>I know there are various ways to define the LAN domain. Some use 
>something totally fake like company.intern, some use tokyo.company.jp, etc.

The first one of those will work, the second one is a gamble: company.jp
is a perfectly legitimate domain name.  Indeed, it is registered to
Star Cluster Co., Ltd., of Edogawa-ku, Tokyo :-)

>What are the current standards for LAN domain name naming and what are 
>the pros and cons considering scalability (Extranet, VPN, Windows 

I don't know that there's exactly a standard for this, but there are a
lot of practices.  Personally, I favor using a legitimate FQDN (which
belongs to my company!) for all hosts.  If you want it to be easily 
recognizable as an inside network rather than outside, create a subdomain
that easily sets it apart: inside.yourcompany.co.jp, internal.yourcompany.co.jp,
uchigawa.yourcompany.co.jp, whatever.  Or it doesn't even have to
be descriptive, as long as everyone knows it's on the inside.  However,
I have always been a proponent of descriptive names.  Obfuscating the
function by choosing a non-descriptive name does little for your
security, but scales poorly as your network grows.  If you've got,
for example, 37 internal routers and they all have names like bigfoot,
hobbit, tinfoilhat, frodo, bilbo, goatse, matrix, elf, dwarf, and what
have you, it's pretty hard to remember that hobbit is the router in
your Osaka office and tinfoilhat is the router in your Kasumigaseki
office.  Give them sensible names like gateway.osaka.internal.yourcompany.co.jp
and gateway.kasumigaseki.internal.yourcompany.co.jp and you don't have
this problem.

That gives little away to a potential attacker because 1) Your nameservers
on the outside should not be providing information on these hosts; only the
internal nameservers should know about them.  If I, sitting here on my
broadband connection in LA should do dig elf.internal.yourcompany.co.jp,
I should get an nxdomain back from your external nameserver(s).  Your
staff on the inside should get an IP address back.  Assuming it exists,
of course :-)

I don't have any online references for that in my bookmarks, but the above
is what many network admins believe, and what I have found worked
for me as a network engineer at an ISP with ~20 POPs at various points
in Japan.  There was no internal/external network split there, because
of course they were all external, but using subdomains for different
locations still applies, and the principle of a .internal.yourcompany.co.jp
subdomain for your inside networks is a sound one.

We use an internal subdomain at my current employer (that actually uses
a different domain name too, but adds to it a designator for our
internal network), and it works well.

HTH,

Jonathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys ACC46EF9
Key fingerprint = E52E 8153 8F37 74AF C04D  0714 364F 540E ACC4 6EF9
I love the smell of filtered spam in the morning - it smells like victory!
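The behaviour described in the reply above, where an outside query for a name under internal.yourcompany.co.jp gets NXDOMAIN from the public nameserver while staff on the inside get an address, is what split-horizon DNS provides. The BIND 9 named.conf fragment below is an added example, not configuration from the original message or from TLUG; the address ranges in the ACL, the view names and the zone file paths are placeholders to be replaced with your own.

```conf
// Added example: split-horizon DNS with BIND 9 views.
// Placeholder ACL: replace with the address ranges of your inside network.
acl "inside-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

// Clients matching the ACL see the internal view, which knows about
// the internal.yourcompany.co.jp subdomain and may use this server
// as a recursive resolver.
view "internal" {
    match-clients { inside-nets; };
    recursion yes;

    zone "yourcompany.co.jp" {
        type master;
        file "/etc/bind/db.yourcompany.co.jp.internal";  // placeholder path
    };

    zone "internal.yourcompany.co.jp" {
        type master;
        file "/etc/bind/db.internal.yourcompany.co.jp"; // placeholder path
    };
};

// Everyone else falls through to the external view. It is authoritative
// for yourcompany.co.jp but carries no records and no delegation for
// internal.yourcompany.co.jp, so such queries are answered NXDOMAIN.
// Recursion is off so the public server cannot be used as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;

    zone "yourcompany.co.jp" {
        type master;
        file "/etc/bind/db.yourcompany.co.jp.external";  // placeholder path
    };
};
```

To confirm the split is working, query the public server from outside with `dig @ns1.yourcompany.co.jp elf.internal.yourcompany.co.jp` and expect `status: NXDOMAIN` in the header; the same query from an inside address should return an A record. Because the views are selected by source address, a mistake in the ACL (for example a too-broad range) silently moves clients into the wrong view, so re-check both answers whenever the ACL changes.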



