Most active commenters

    ←back to thread

    .INTERNAL is now reserved for private-use applications

    (www.icann.org)
    563 points joncfoo | 13 comments | 09 Aug 24 16:36 UTC | HN request time: 1.22s | source | bottom
    1. tetris11 ◴[09 Aug 24 20:14 UTC] No.41205044[source]
    I need a dumbed down version of this.
    replies(7): >>41205276 #>>41205281 #>>41205313 #>>41205394 #>>41205523 #>>41208597 #>>41208986 #
    2. kijeda ◴[09 Aug 24 20:45 UTC] No.41205276[source]
    https://www.ietf.org/archive/id/draft-davies-internal-tld-00...

    There are certain circumstances where private network operators may wish to use their own domain naming scheme that is not intended to be used or accessible by the global domain name system (DNS), such as within closed corporate or home networks.

    The "internal" top-level domain is reserved to provide this purpose in the DNS. Such domains will not resolve in the global DNS, but can be configured within closed networks as the network operator sees fit.

    This reservation is intended for a similar purpose that private-use IP address ranges that are set aside (e.g. [RFC1918]).

    3. pixl97 ◴[09 Aug 24 20:46 UTC] No.41205281[source]
    When setting up local networks people commonly use a top level domain like 'my.lan', 'my.network', 'my.local'. Instead of using one of these non-reserved domains that may one day end up as a TLD, it is recommended to use 'my.internal'.

    If the 'private' TLD you're using suddenly becomes real, then you can ship off data, every possibly unencrypted data and connection requests to computers you do not control.

    4. GuB-42 ◴[09 Aug 24 20:50 UTC] No.41205313[source]
    The dumbed down version is that no one will be allowed to register a .internal domain on the internet, ever. So you are free to use it for your internal network in any way you like and it will not come into conflict with registered domains and internet standard.
    5. jeroenhd ◴[09 Aug 24 21:04 UTC] No.41205394[source]
    Remember how tons of developers got surprised when Google got the .dev TLD, because they were using domains they didn't own to develop software? Well, now .internal has been reserved so developers and companies can safely use .internal domains without that happening to them.
    replies(1): >>41209725 #
    6. quectophoton ◴[09 Aug 24 21:28 UTC] No.41205523[source]
    When you need to assign an IP address for a host, the safest thing to do is to either use an IP address you own^Ware renting, or to use an IP address nobody will be able to "own" in the foreseeable future.

    This is that but for domain names. When you need to use a domain name to refer to a host, the safest thing to do is to either use a domain name you own^Ware renting, or to use a domain name nobody will be able to "own" in the foreseeable future.

    For an IP address, you might usually choose from 192.168.0.0/16 or similar reserved ranges. Your "192.168.1.1" is not the same as my "192.168.1.1", we both can use it and neither of us can "officially" own it.

    For a domain name, you can use ".internal" or other similar (if uglier) reserved TLDs. Your "nas.internal" is not the same as my "nas.internal", we both can use it and neither of us can "officially" own it.

    Since you're asking this question you might also be wondering how people can even use custom domains like that, and the answer is by self-hosting a DNS server, and using that as a DNS server instead of a public one (so you'd use your self-hosted server instead of, say, "8.8.8.8"). Then you configure your DNS server so that whenever someone requests "google.com" it does "the normal thing", but when someone requests "nas.internal" it returns whatever IP address you want.

    replies(1): >>41207041 #
    7. ninkendo ◴[10 Aug 24 03:15 UTC] No.41207041[source]
    There’s similar discussions about this in other threads, but I’ve taken to just using a real domain name (lan.<my-vanity-domain>.me) even for my house stuff, but otherwise doing something like you say above.

    The advantage is that I can run real letsencrypt certs for services in my house, which is nicer than having to agree to self signed cert warnings or otherwise having my browser nag me about plaintext passwords/etc.

    If anyone cares about the details, I run an nginx instance on port 80 through an ipv6 address which I allow through my network firewall (no NAT, so I don’t have to burn my only incoming ipv4 port 80 for this, although I block that anyway) and let certbot manage its configs. Wildcard external dns pointing AAAA records to said v6 address. The certbot vhost just renders an empty 404 for all requests except for the ACME challenges, so there’s nothing being “leaked” except generic 404 headers. I get certs dumped to my nginx config dir, then from there I use them for an internal-only reverse proxy listening on my local subnet, for all my internal stuff. The only risk is if I mess up the config and expose the RP to the internet, but so far I haven’t managed to screw it up.

    replies(1): >>41207742 #
    8. PokestarFan ◴[10 Aug 24 06:35 UTC] No.41207742{3}[source]
    Why not just use ACME DNS?
    replies(1): >>41208655 #
    9. AndyMcConachie ◴[10 Aug 24 10:40 UTC] No.41208597[source]
    .INTERNAL will never appear in the DNS root zone.
    10. ninkendo ◴[10 Aug 24 11:00 UTC] No.41208655{4}[source]
    Because this setup works fine, and I haven’t bothered getting to that level of automation with my external DNS provider.
    11. layer8 ◴[10 Aug 24 12:24 UTC] No.41208986[source]
    Read the linked https://itp.cdn.icann.org/en/files/security-and-stability-ad....
    12. soneil ◴[10 Aug 24 14:21 UTC] No.41209725[source]
    .local being used for mDNS while Microsoft were using it in AD examples/documentation is another good example.

    .internal is just admitting there's only so many times we can repeat the same mistake before we start to look silly.

    replies(1): >>41211293 #
    13. alt227 ◴[10 Aug 24 18:24 UTC] No.41211293{3}[source]
    Our internal domain is still .local and has been since Microsoft recomended we do it that way 15 years ago.