What top-level domain do you use in your local network?

do not use .local, as tempting as it may be

use .home personally

2

".home.arpa" for A records.

I run my own CA and DNS, and can create vanity TLDs like: a.git, a.webmail, b.sync, etc for internal services. These are CNAMEs pointing to A records.

2

RFC 6762 defines the TLDs you can use safely in a local-only context:

*.intranet
*.internal
*.private
*.corp
*.home
*.lan

Be a selfhosting rebel, but stick to the RFCs!

2

How do you get https on those though? A lot of random stuff requires https these days.

1
- https is not a problem. But you'll need an internal CA and distributed its certificate to your hosts' trust store.
  
  1

I bought a .casa domain Using it internally, but also routing one service to the outside with that domain

1

I just use my public domain (eg domain.com) and have split DNS setup.

1

I use home.arpa as the base dns as that play very well and are the official standard, then I have a domain for my reverse proxy. Of course I can use that domain for the whole network, but I like to split it up

1

I have 2 registered tlds in .dev and .net. I split their use using .net for personal/selfhosted sites and .dev for public facing.

1

.box since it's recognized as valid TLD by many devices. Never use .local it's reserved for multicast DNS.

1

Managed to buy a really sweet domain so using that for both mail and local domain

currently I have names for my machines in my /etc/hosts files across some of my machines

A better way is to set the DHCP server to resolve local too via DNS.

So in my case proxmox.mydomain.com and proxmox both resolve to a local IP...without any need to configure IPs manually anywhere.

On opnsense it's under Unbound >> Register DHCP Leases

1

I have a registered domain and using it like this: service.machine.location.myregistereddomain.cz

You can use Let's Encrypt certs inside lan if you use a real purchased domain.

1

My TLDs are:
.lan = management/wired vlan
.mobile = primary wifi
.iot = locked down for iot/home automation devices .guest = guest wifi

The domain for each is my public .io domain.

1

I use .home for the Windows domain/internal hosts and .online for my external domain as it was cheap, and the name I wanted was available.

To access self hosted stuff with working SSL certs,.I set up split DNS. On the internal DNS sever, I have a forward lookup zone for the .online domain with static A records for .online and all the subdomains pointing at the internal address of a caddy reverse proxy.

1

Being a bit of a rebel myself. I use ONLY a tld, and where subdomains would be used, I use domain.tld

This has lead me to discover quite a few projects out there that don't parse domain names correctly, especially when you want to use an email like admin@tld and it cries because you have no dot.

1

https://datatracker.ietf.org/doc/html/draft-chapin-rfc2606bis-00

I use .host because .internal is too long to type and .local is a pita, but mostly because the browser actually tries to go there instead of some stupid search engine that tracks that kind of info and I don't have to remember to put a slash at the end.

1

I use .lan as it's shorter and IMO nicer looking than .local

1

dot lan. I don't need let'sencrypt. I just ceeate my own CA, my own (wildcard) certificates, and install the CA into all my boxes that I want or need to have certificate verification succeeding.

1

I just use my domain inside my network which is a .net

1

I've never used DNS in my local network (because it's additional burden to support, so I tried to avoid it), but couple of month ago when I needed several internal web-sites on standard http port, I've just came up with "localdomain."

Yep, it's non-standard too, but probability of it's usage of gTLD is lowest among all other variants because of it's usage in Unix world and how non-pretty it is :)

1

If DNS is a burden to support you're doing it wrong. I set it up once and haven't touched it since. Everything new that gets added "just works".

1
- It's not like DNS is a huge burden by itself, it's just approach of avoiding creation of critical services unless they become necessary. Because infrastructure around them is a burden: they needs additional firewall rules on middleboxes, monitoring, redundancy, IaC, backups etc.
  
  1

I use >!.cunt!< for my local TLD. Stands for Can't Use New Technologies from IT Crowd.

It makes it comnical when I let friends onto my wifi.

1

Get a real domain. Then you can use external stuff tonight you want.

1

.lab

1

I just just use my public domain internally with a separate sub domain assigned to each device and each service. Pihole serves the local IPs for all of those instead of querying the public servers. Anything that's meant to be internal only, doesn't have a public DNS record and isn't directly accessible from WAN.

I then host openVPN to keep my mobile devices within my network and behind pihole, able to access my internal services. The public records/domain is just for services I share with others and so that I can reach my VPN.

I've always considered 'domain.tld' to refer to the network (my lan in this case) and 'subdomain.domain.tld' to refer to the specific service/device within that network. Whether or not you can actually resolve that name and reach its service/device, plus how you're actually routed there depends on where you're connecting from (LAN/WAN/VPN).

1

I use *.mydomain.dev cos I'm a dev... Got it for public access but ended up using locally as well because it's more convenient.

1

home.(real domain name)

I can use LetsEncrypt via DNS-01 challenge, if I want to have anything accessible externally but be able to resolve to an internal IP internally then that's a piece of cake to do too as a result.

1

It.cave :p

1

In home decided to use .dot because for some reason chrome and chromium based do not automatically redirect it to https ,(at least for now) when you just type in the address in address bar, and do not redirect to search. So much more comfortable... why?.... ok, it maybe break access to all .dot sites but I never see something for me in that zone so so don't care

1

I use .test a lot in my sandbox environments

1

It depends.

Do you want to have access from outside of your network or do you want to host several services to the public (in the future)? Then I would recommend buying your own public domain. It doesn’t need to be a TLD.
Do you only want to use your services privately? Then use home.arpa as explained in the rfc 8375.

I would discourage you from using popular but misleading „local“ domains like .lan, .local, .home etc.

That is because those domains might already be available in public. So when you use .lan for example your dns-queries might be forwarded to the public never resolving your privately hosted services name. It could also „leak“ private network information like on what port you try to access a service and how that services name is.

Also you should highly evade .local which was also my mistake. Some services like MulticastDNS i.e. apple bonjour service rely on this domain. If you would use it unknown problems might be frustrating you.

So if you host everything private, go for .home.arpa.

1

I use .home as my internal network DNS name. I tend to name my servers and network based off movie-AI stuff; i.e., VIKI, Jarvis, Skynet, Mother, etc.

I have registered domains as well, I am just waiting on my fiber to finally get installed before I start messing wtih DNS records and certs.

1

Not sure this is what you want but I have a .one domain setup with local IPs.
So if one server is on 192.168.1.8 I point the domain to that and by visiting https://myserver.whatever.one I get to that server.

1

I don't self host much of anything in everyday life, but when I'm working on a LAN related project I always use .local. Android now supports MDNS, so I use it pretty much everywhere.

1

Nothing. I have all devices using tailscale DNS and I refer to things in my network by their host name directly.

1

.local

1

.space is the only answer, have to buy that though

1

Everything at my house has a TLD named after the road I live on (a founding father last name). Everything at my offsite at my dads house uses TLD named after the road he lives on (a woman's first name).

It's both arbitrary and practical. A number systems exist at both such as proxmox. truenas. pihole. plex. So it's a good way to tell them appart without having to differentiate them in the domain name.

1

I read the answers and I am wondering if I should change what I do.

I use the exact same domains and sundomains internally and externally. I simply have a DNS internally that will answer requests with local IP.

So I don't have to address my machines with a different name when I am outside or inside.

Can someone explain to me what I missed ?

1

I do this too. I don't think it's bad. Sometimes you can have weird issues. Only time I remember weirdness is I had wildcard enabled on public DNS. So if a local DNS wasn't available it would always resolve to the public IP. Can be confusing.

1

I own a domain I purchased thru cloudflare.

public facing services are say xyz.mydomain.com

internal facing is xyz.local.mydomain.com

This was internal access pipes into pihole, DNS directs it to Traefik on my server, then to the internal service. Not internet dependent.

1

i made up a not real, non-standard TLD that i use lol (.null)

I have a self signed CA that all my devices trust. Getting a real domain and just using that, with LetsEncrypt, would not have required me to explicitly trust my own CA, but hey, my system works.

and i know i know, RFCs, but it works, and doesn't break anything.

1

I use `.home.arpa` as that is the "official" use of that domain.

1

Technically every machine is supposed to have a registered TLD, even on a local network. That said, I use .lan

1

If you want to avoid problems, use TLD that are assigned for this purpose, for example .home.arpa or .home or .lan or .private etc.

Avoid using .local because its already used by mDNS.

https://en.m.wikipedia.org/wiki/Special-use_domain_name

1

I had problems with .local because it’s used for MDNS and too lazy to figure out how that works so now I just use lan but I also own a .com domain so I have started to use that more

1

.uk, but it is an actual .uk that I've registered.

1

everything under *.home.mydomain.tld is reserved for internal use.

1

I use *.home.mydomain for publicly-accessible IPs (IPv6 addresses plus anything that I've port forwarded so it's accessible externally) and *.int.mydomain for internal IPv4 addresses.

1

I have a registered domain and my lan domain is "int.registereddomain.com". This way I can use letsencrypt etc for my internal hosts (*.int.registereddomain.com via dns challenge). The actual dns for my internal domain itself is not public but static records in pihole.

1

Same here, I've got surname.com registered and use static DHCP with entries on Cloudflare for router.surname.com and fileserver.surname.com and grafana.surname.com etc. all with valid certs via letsencrypt.

1
Hmm I thought when I add tls internal to my reverse proxy rule for local domains, it does not get letsencrypt certs. But when I leave it out of the Caddyfile rule, it gets reachable from outside of the local network. How do I use your recommondation? Using a .home.lab domain locally with a DNS name resolve for every single local subdomain (dashboard.home.lab, grafana.home.lab, etc) right now with a caddy managing the outside and the inside reverse proxy work

1
Can I ask why this is done over something like hosting your own certificate authority? I’m quite new to all this DNS stuff

1
- If you own your own domain, the lifecycle toolchain to request, renew, deliver certs around a variety of cert authorities (letsencrypt is a popular one) makes it really easy, along with not having to worry about hosting an internal CA but more importantly dealing with distributing root certs to client devices that would need to trust it.
  
  I've used https://github.com/acmesh-official/acme.sh as a one-off for updating my Synology's https certificate (two lines - one fetch, one deploy - finishes in 20 seconds and can be cron'd to run monthly) and Caddy natively handles the entire lifecycle for me (i use cloudflare for my domain registrar which makes it both free and a snap to handle TXT challenge requests).
  
  Certbot is another popular one.
  
  1
I want to do this, but I have no clue how to set it up on Asustor AS6706T. I’ve got a bunch of docker apps up and running and I’d like to simplify stuff with subdomains and better ssl. The whole self signed stuff is just a whole project in itself to work right.

1
I did something similar, though I've done a slight bifurcation-

*.i.domain.tld -> the actual internal host/IP (internal dns is adguard)

*.domain.tld all resolve internally using a DNS rewrite to a keepalived VIP that's shared between a few hosts serving caddy that handle automatic wildcard cert renewals / SSL / reverse proxy.

While I talk to things via *.domain.tld, a lot of my other services also talk to each other through this method - having some degree of reverse proxy HA was kinda necessary after introducing this sort of dependency.

1

.damo

1

I Just use a .de tld and for all my sites a *.mysite.mydomain.de.

Ssl certs from cloudflare with a dns challenge for internal use.

1

I own both mydomain.com as well as mydomain.me. I use the *.me as my local domain and *.com for the real world.

1

I use homelab..org

1

.app is suuuper cheap even for three letter domains. I picked one up for pennies with three letters that mean something to me and my partner and use a pair of redundanct piholes to serve local DNS for that domain. Externally it’s hosted on DigitalOcean for stuff I want external.

1

.com lol. I got a 6 letter domain that makes for me. I should check out .local though. I could .com for my website and .local for my home network using the same domain name.

1

I use .lan for anything local and my public domain is .net for anything publicly hosted.

1

I own lastname.me and lastname.dev and everything public is lastname.me and everything local ist lastname.dev. I don't have a VPS anymore so the .me domain is a bit useless and only relevant for emails these days but I'd have something like nc.lastname.me for my public next cloud instance and docs.lastname.dev for my paperless instance that I don't want to have on somebody else's machine.

1

Why use a different domain for local as external?

1

I use a custom domain for everything....email, internal dns, external (cf tunnels), and my public websites. I use to use AWS Route 53 for everything because of work, but moved to CF because it's free and much easier to setup and manage.

For local devices I use *.local.domaingoeshere.com (wildcart cert), issued by cloudlfare. In retrospec I should have used *.int.domain.com as it would be less typing...but everything is categorized and bookmarked anyway.

1

Why not use *.domain.com ? If you own the domain you’ll never have a conflict that way

1

maybe not directly answer for you, but I just literally bought 4 domains for 3 euro per year (renews at the same price!) 5 minutes ago :D.

The catch - it has to be 9 numbers.xyz (see https://gen.xyz/1111b for details).

1

I mean.... I use xtremeownage.com

But, ya know... I own it. Although, I use a few subdomains for my home-network, with a split-horizon DNS setup.

1

i have owned a .com since 1997. i use that.

1

I just run (shall we add the word) “proper” split DNS with the same names for anything publicly exposed, internal. And not everything is publicly exposed. It’s just a standard registered TLD.

It’s interesting how few responses here mention this. Why memorize two or more names for the same box/service when DNS easily handles it?

DHCP clients set their own internal DNS names internally or are forced at the DHCP server. Static addresses via MAC as desired.

They also get handed all the usual SRV records and special record types to find services, like the time server and such.

Truly interesting that split DNS isn’t popular amongst the self hosting crowd.

Type the name of the “thing” after setting it up correctly and you’ll be handed an appropriate address to reach it, no matter which of my networks you’re on.

If you’re a dhcp client you’ll have the proper search domain handed right to you too, no need to even type the domain.tld at all. Just the hostname.

1

GDI, I have been using internal.registereddomain.com which is 5 wasted characters...

1

I have an io domain - mylastname.io

AD domain is home.mylastname.io

A place I put most apps running on my Kubernetes cluster is *.apps.mylastname.io

1

I own both `mydomain.com` and `mydomain.net`, and the `.net` is all my internal services (eg `homeassistant.mydomain.net`). The public `.com` domain I use exclusively for email and a static site.

I had some old employer with a similar segmentation so it just made sense to me ¯\_(ツ)_/¯

1

For those using a pihole for .internal.example.com, how do you deal with DNSSEC on example.com? Or do you just not?

1

.local is mDNS - and I'm using that, saves me so much hassle with split-horizon issues etc.

I also use global DNS for local servers (AAAA records on my own domain), again, this eliminates split-horizon issues. Life is too short to deal with the hassle of running your own DNS server.

1

I've got a .com for my internal only services with tls and a .pro for my external facing services. I could probably throw them all on one but because legacy (I didn't think things through) I have two

1

*.oob.mydomain.tld

1

A customer of mine chose for his own domains.. and it was his mistake that he wanted specific "cool top level domains" in his network for his factory, storage facility and vehicles on the road that connected with wifi at home.

He decided, and I realized immediately that this would be a bad idea (*cough* .. no I didn't.. but lets pretend I did), that he wanted something that looked like;

company.fabriek (fabrication)
company.waren (warehousing)
company.vrachtwagen (trucks)

I think he adopted the idea because I had a singular setup at my office/shop where my synology, placed in a 8U rack in the back on the 4th flloor with a hostname.. just a hostname "I.am.on.the.forth.floor.in.the.back". Just a singular name.. I remember him laughing when he found the server where the hostname said it was.

So, the systems (electronic toolbag for in the trucks) installed in the trucks would only work a 100% if connected to the wifi at home base. All interfaces with any relation to the outside world had to be brought within the lan to be able to get to warehouse data, and the fabrication department (his pride and joy) just did what it always did.. it fabricated stuff. All choices were made motivated by the path of least resistance.

Yeah.. a lot of stuff didn't work as planned. Mainly connectivity things that did not work as expected, misconfiguration of DHCP servers, VPN clients and all other types of "employee owned" gear that were unable to resolve the funky domains.

I started to protest, and explain why what I did was funny, but what he was doing was foolish.. especially after I gave him a rough idea of what was neede to be done. I proposed a split dns solution with a real domain, even that would have been easier and less intrusive to work on or fix things in for sure.. but it looked "less cool" according to his lordship. Customer is king is a stupid concept, but if the customer claims to be King, his highness can pay for the time required to serve him.

So..

Pick a singular host, get a real domain and setup a split DNS environment (easiest and funnest imo).. but if you don't care (and why should you :)) pick something fun and cool that makes sense to use for you. All our suggestions are pure personal preference in the end :)

1

lastname. systems

I used to own lastname.cloud and foolishly let that expire. Its one of my biggest regrets.

1