My router/firewall acts as the internal dns server for internal.butash.net, and butash.net just follows normal recursion to go to google domains where I host my external domain.  Any basic dd-wrt router can do this with dnsmasq, ymmv with others.  So long as whatever you're resolving against, i.e. your router or internal dns server separately, has the zone and is configured to be authoritative, this works just fine.  This is where people use a raspberry pi to run "pihole" software as a dns server to block ads, malware, etc., spoofing bad domains much the same.

You *can* in theory just host your "internal" domain in google too, and set them to resolve your internal ip addresses, but in theory people could resolve that and see your internal ip space to surveil you if they know it's there.

-mb
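The split described above, as an added example that is not Michael's configuration or the list's: a dnsmasq snippet (the kind a dd-wrt router takes in its additional dnsmasq options) that answers internal.butash.net itself and forwards everything else upstream. The host names, private addresses, upstream resolvers and the CNAME are all made-up placeholders.

```conf
# Added example: dnsmasq split-horizon configuration for a router/firewall.
# Every name, address and upstream server below is an assumption.

# Answer internal.butash.net locally and never forward those queries
# upstream, so the internal names and private address space stay on the LAN.
# butash.net itself is not matched, so it recurses normally.
local=/internal.butash.net/

# Internal hosts. Any name under the subdomain that is not listed here
# gets NXDOMAIN from the router instead of being forwarded.
host-record=host.internal.butash.net,10.0.0.10
host-record=git.internal.butash.net,10.0.0.11
cname=www.internal.butash.net,host.internal.butash.net

# Everything else follows normal recursion through the upstream resolvers.
server=1.1.1.1
server=9.9.9.9

# Refuse upstream answers that resolve to private addresses (DNS rebinding
# protection). This also blocks the "host the internal names at a public
# provider with private IPs" approach unless that zone is explicitly allowed.
stop-dns-rebind
rebind-localhost-ok
# rebind-domain-ok=/some.publicly.hosted.internal.zone/   # only if you do that deliberately
```

To check it, query the router directly for a listed name (expect the private address), for an unlisted name under the subdomain (expect NXDOMAIN rather than an upstream lookup), and for a public name (expect the normal public answer); then, from outside the LAN, confirm that the public resolvers return nothing for the internal subdomain.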


On Thu, Nov 24, 2022 at 7:25 AM <techlists@phpcoderusa.com> wrote:
Hi Michael,

Thank you for your help!!

Ok,  in this example,

host.butash.net is public - one A record and one or more CNAMEs.

host.internal.butash.net is private.

I assume you have two DNS servers?  One public and one private?  Who
gets the A record and all other hosts are CNAMEs?

Thanks!!
Keith






On 2022-11-23 12:51, Michael Butash via PLUG-discuss wrote:
> General rule of thumb is not to spoof real domains, as you'll break
> anyone using it elsewise, just about anything else is open game.  I
> can make a tld domain, .xyz (assuming this isn't a free-form tld now),
> and so long as things point at that naturally (like an internal
> resolver), it will pretend to be authoritative even if not.  I've had
> customers run internal dns under AD with something random as their
> domain, it works so long as everything using the domain knows to point
> internally first.
>
> What I do is use my domain, butash.net [2], and create an internal
> subdomain off it, internal.butash.net [3] or like, and put all my
> home/lab stuff under that as my internal dns knows to put a ns record
> for the subdomain to itself, otherwise go out to public.  No one is
> the wiser generally, and my needs are met.  Recommend the same.
>
> -mb
>
> On Wed, Nov 23, 2022 at 12:19 PM David Schwartz via PLUG-discuss
> <plug-discuss@lists.phxlinux.org> wrote:
>
>> I looked into this topic a while back and it’s a bit of a
>> quagmire.
>>
>> The general consensus I found was to use .local as your TLD as it
>> has been reserved for that purpose. There are a few more, like
>> .test, but .dev is a legitimate TLD run by Google.
>>
>> I’ve talked with several people who set up their own DNS server on
>> their intranet to respond to their own TLD so you don’t need to
>> use the hosts file on every machine. I think most companies with
>> multiple layers of firewalls take that approach because it won’t
>> resolve the URLs across the firewall — public DNS will always
>> return an error on the lookups.
>>
>> -David Schwartz
>>
>>> On Nov 23, 2022, at 9:26 AM, Keith Smith via PLUG-discuss
>>> <plug-discuss@lists.phxlinux.org> wrote:
>>>
>>> Hi,
>>>
>>> As you know I am building a "home office" lab for PHP development
>>> and testing.  I was not satisfied with the research I completed on
>>> "non-routable" domains for a private network made up of
>>> "non-routable" domains.
>>>
>>> In the distant past I used to use .dev for the TLD.  From what I
>>> am reading this is not a good idea.
>>>
>>> According to https://www.rfc-editor.org/rfc/rfc8375.html [1] one
>>> should use "home.arpa.".  They add a period to the end which I
>>> assume is the DNS domain name stop character when used in zone
>>> files.  Any thoughts?
>>>
>>> I will not be using DNS.  My needs are so simple I will be adding
>>> the IP and domain name in my host file, at least for now.
>>>
>>> I've read a lot about this subject.  Some say to use a registered
>>> domain with a subdomain that is on a private IP. I really do not
>>> want to commingle public and private assets on the same domain.
>>>
>>> Any feedback is much appreciated!!
>>>
>>> Thanks!!
>>> Keith
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
>
> Links:
> ------
> [1] https://www.rfc-editor.org/rfc/rfc8375.html
> [2] http://butash.net
> [3] http://internal.butash.net