I actually use .lan for an internal domain but I guess I could use a real domain with the DNS-01 challenge and have real internal certificates. I had not thought about that until just now.
Same here. I have several domains, one is used for servers and email, 2nd for websites, 3rd for messing around (test setups) and a 4th is almost unused now, but with the demise of twitter and reddit I’m thinking of using that one for the fediverse (it’s my username in national tld).
BTW internal and external dns run on different systems and all private zones are dnssec signed. (Loved the challenge on setting that up correctly)
According to IETF, you should only use .intranet, .internal, .private, .corp, .home or .lan for your private network ( RFC 6762 Appendix G ). Using other TLDs might cause issues in the future, especially since new gTLDs seems to show up every few months or so, which can collide with the TLD you use for your local network.
A long time ago Microsoft and some teaching sources used .local in example documentation for local domains and it stuck. Like contoso.com was Microsoft’s example company. I was taught to use .local decades ago and it took a very long time to unlearn it.
A problem with the .lan TLD (maybe others from this list) is that web browsers do not consider it a TLD when you type it in the address bar, and only show you the option to search for that term in your default search engine. You have to explicitly type https:// before it, to have the option to visit the URL.
E.g type example.com in the address bar -> pressing Enter triggers going to https://example.com. Type example.lan -> pressing Enter triggers a search for example.lan using your default search engine.
Little known trick–or perhaps everyone knows it and is quietly laughing behind my back–with Chromium browsers and Firefox (and maybe Safari, I’m not sure), you can add a slash to the end of an address and it will bypass the search.
So, for example, my router on the LAN goes by the hostname “pfsense”. I can then type pfsense.lan/ into my address bar and it will bring me to the web UI, no HTTP/s needed.
For local DNS home.arpa is I think what we’re ‘supposed’ to use, but I use .lan
Only use another domain name if you actually have it registered, like myname.net or something. As a bonus you can then get a wildcard letsencrypt SSL cert for easy HTTPS.
Because of interference with existing domains. Say you set a computer on your network to mypc.google.com, that won’t work because the DNS server will lookup google.com as an external domain.
While this works for most things, you will run into issues with certain software which automatically assume that no TLD means the provided address is incorrect.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
You shouldn’t use .local for your manually defined local domain names if you plan to ever use mdns/avahi/bonjour/zeroconf.
I actually use .lan for an internal domain but I guess I could use a real domain with the DNS-01 challenge and have real internal certificates. I had not thought about that until just now.
And
.boxhas been registered as a generic TLD now, so you could run into external .box domains.Hopefully AVM gets to register
fritz.boxthen, because they’ve been setting up their customers with that as their internal domain for ages…i use my external zone name but have an internal view of the zone inside my lan so records point to local ips.
I use subdomains, i.<external domain>, w.<ext> for wifi, few others for vms and containers.
With wireguard everything just works, and wireguard overhead over wireless is negligible even on wifi6.
I agree on WireGuard. It’s clearly the winner in terms of speed for point to point VPN.
Same here. I have several domains, one is used for servers and email, 2nd for websites, 3rd for messing around (test setups) and a 4th is almost unused now, but with the demise of twitter and reddit I’m thinking of using that one for the fediverse (it’s my username in national tld).
BTW internal and external dns run on different systems and all private zones are dnssec signed. (Loved the challenge on setting that up correctly)
Same, I achieve this with Adguard DNS rewrite.
Exactly the same. I’d like to add that my devices still get a .lan TLD from the router.
Split Horizon DNS is the most seamless user experience.
Do you use NAT reflection to avoid issues with mobile devices caching the external IP address?
I’ve never experienced any issues so far, the devices should be flushing the cache on network change in theory.
Ah that’s a really good point. I will have to Google this so I can learn how it is done in iptables because I’ve only ever done it with pf on OpenBSD.
yep
my server is just
serverAccording to IETF, you should only use
.intranet,.internal,.private,.corp,.homeor.lanfor your private network ( RFC 6762 Appendix G ). Using other TLDs might cause issues in the future, especially since new gTLDs seems to show up every few months or so, which can collide with the TLD you use for your local network.The one reserved for residential usage is
home.arpa.https://www.rfc-editor.org/rfc/rfc8375.html
Interesting, so this is the latest recommendation? Which is probably why I haven’t seen it in the wild yet, at least in my circles.
Which means they probably going to
cash outrelease gTLDs for.intranet,.internal,.private,.corp,.homeand.lansoon…@redcalcium
Really? Not .local? Why is it the default on so much?
@zephyr
@dpflug @redcalcium @zephyr it is reserved for mDNS.
@sifrmoja
Ah, yep. Now that you say it. Thanks for cluing me in.
@redcalcium @zephyr
A long time ago Microsoft and some teaching sources used .local in example documentation for local domains and it stuck. Like contoso.com was Microsoft’s example company. I was taught to use .local decades ago and it took a very long time to unlearn it.
A problem with the
.lanTLD (maybe others from this list) is that web browsers do not consider it a TLD when you type it in the address bar, and only show you the option to search for that term in your default search engine. You have to explicitly typehttps://before it, to have the option to visit the URL.E.g type
example.comin the address bar -> pressing Enter triggers going tohttps://example.com. Typeexample.lan-> pressing Enter triggers a search forexample.lanusing your default search engine.Little known trick–or perhaps everyone knows it and is quietly laughing behind my back–with Chromium browsers and Firefox (and maybe Safari, I’m not sure), you can add a slash to the end of an address and it will bypass the search.
So, for example, my router on the LAN goes by the hostname “pfsense”. I can then type pfsense.lan/ into my address bar and it will bring me to the web UI, no HTTP/s needed.
You can throw a
/after to force it to recognize as a URL too.I can vouch for the fact that .local stopped working suddenly in most browsers a year or two ago, I was forced to migrate to .internal
I use either .home or an actual domain that I own (makes it easy for https certs and not having to go out of the network and back in)
*.internal.domain.namesince ssl certs are easier to get when you’re using an owned domain name.I use .lan for everything the router can resolve names for, and .local for Avahi mDNS 😈
Idk is that wrong but I made up server name tride so .tride is my local domain
For local DNS
home.arpais I think what we’re ‘supposed’ to use, but I use .lanOnly use another domain name if you actually have it registered, like
myname.netor something. As a bonus you can then get a wildcard letsencrypt SSL cert for easy HTTPS.Why should you only use ones you own, even if it’s just local network?
Because of interference with existing domains. Say you set a computer on your network to
mypc.google.com, that won’t work because the DNS server will lookup google.com as an external domain.There actually is a correct awnser: home.arpa
See https://www.ctrl.blog/entry/homenet-domain-name.html
hostname.vlan.local.lan
local.lan is the only fixed part of my fqdn’s
nothing as home does work (meaning plain hostname) works by default on openwrt dns
While this works for most things, you will run into issues with certain software which automatically assume that no TLD means the provided address is incorrect.
Usually adding a slash at the end works if the protocol is http based
I bought a .com for like $10 CAD from Cloudflare that uses a URL not linked to me.
Maybe overly paranoid, but it also makes it easy to get SSL certificates for my lab.
server.home for my part
There’s a draft rfc that defines “.home.arpa” as an internal. It looks stupid and totally misses the point, but works.
Yes, it does look stupid. I’d rather .lan just be reserved for private networks.
https://www.rfc-editor.org/rfc/rfc8375.html
Yeah, but it’s a proposal, so not really better that .lan.