User wanting to use a .local domain to host DNS

[King, Harold Clyde (Hal)]

I'm a bit confused by a user request. I think he is trying to keep some hosts on the private side of DNS, but he wants to use a DNS name like host.sub.local. I do not know of the use of the .local TLD except in bonjure. Can anyone shed some light on the use of the .local TLD?

-- 

Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Systems: Business Information Systems

The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599

[Tony Finch]

King, Harold Clyde (Hal) <h...@utk.edu> wrote:

> I'm a bit confused by a user request. I think he is trying to keep some
> hosts on the private side of DNS, but he wants to use a DNS name like
> host.sub.local. I do not know of the use of the .local TLD except in
> bonjure. Can anyone shed some light on the use of the .local TLD?

Microsoft have recommended its use for sites that don't have a properly
registered domain name. http://support.microsoft.com/kb/296250

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

[John Miller]

Hey there Hal,

It doesn't look like .local is officially reserved
(http://tools.ietf.org/html/rfc2606), but .localdomain definitely is.

John

John Miller
Systems Engineer
Brandeis University
781-736-4619
john...@brandeis.edu

On 11/14/2012 10:02 AM, King, Harold Clyde (Hal) wrote:
> I'm a bit confused by a user request. I think he is trying to keep some
> hosts on the private side of DNS, but he wants to use a DNS name like
> host.sub.local. I do not know of the use of the .local TLD except in
> bonjure. Can anyone shed some light on the use of the .local TLD?
>

> --
> Hal King - h...@utk.edu <mailto:h...@utk.edu>

> Systems Administrator
> Office of Information Technology
> Systems: Business Information Systems
>
> The University of Tennessee
> 103C5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone: 974-1599
>
>

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

[Kevin Darcy]

The .local TLD is "reserved" for link-local names, in the context of multicast DNS ("mDNS"), however, I don't think mDNS has progressed beyond the Internet Draft stage of the IETF Standards Track process. See http://www.multicastdns.org for latest updates.

It would be imprudent to use .local for anything other mDNS, due to the possibility that mDNS might get on the Standards Track some day. Tell the user that there are billions of other "private" TLDs from which to choose.

                                                                                                                                                                                - Kevin

On 11/14/2012 10:02 AM, King, Harold Clyde (Hal) wrote:

I'm a bit confused by a user request. I think he is trying to keep some hosts on the private side of DNS, but he wants to use a DNS name like host.sub.local. I do not know of the use of the .local TLD except in bonjure. Can anyone shed some light on the use of the .local TLD?

-- 

Hal King  - h...@utk.edu

Systems Administrator
Office of Information Technology
Systems: Business Information Systems

The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599

[Novosielski, Ryan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/14/2012 10:09 AM, Tony Finch wrote:

> King, Harold Clyde (Hal) <h...@utk.edu> wrote:
>
>> I'm a bit confused by a user request. I think he is trying to
>> keep some hosts on the private side of DNS, but he wants to use a
>> DNS name like host.sub.local. I do not know of the use of the
>> .local TLD except in bonjure. Can anyone shed some light on the
>> use of the .local TLD?
>

> Microsoft have recommended its use for sites that don't have a
> properly registered domain name.
> http://support.microsoft.com/kb/296250
>
> Tony.

I do this at home with bind on Linux, except I use .localdomain
instead of .local. It doesn't seem to treat it any differently than
anything else, and since this is just one DNS server servicing a NAT'd
network, nothing strange really CAN happen.

- --
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novo...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCjtbwACgkQmb+gadEcsb5NMgCgxYAoLyaSf6wNMpq9TmprLr12
/vcAoIB2fBd6N9U0E0gPvzmLnUmdwZc4
=HXqq
-----END PGP SIGNATURE-----

[Kevin Darcy]

On 11/14/2012 10:08 AM, Tony Finch wrote:
> King, Harold Clyde (Hal) <h...@utk.edu> wrote:
>
>> I'm a bit confused by a user request. I think he is trying to keep some
>> hosts on the private side of DNS, but he wants to use a DNS name like
>> host.sub.local. I do not know of the use of the .local TLD except in
>> bonjure. Can anyone shed some light on the use of the .local TLD?
> Microsoft have recommended its use for sites that don't have a properly
> registered domain name. http://support.microsoft.com/kb/296250

I stopped reading as soon as I saw the requirement to add a NetBIOS
name, being overpowered by the stench of obsolescence. Does anyone
actually run "2000" or "2003" versions of Microsoft products any more?
Does Microsoft even support those versions?

- Kevin

[SM]

At 07:15 14-11-2012, John Miller wrote:
>It doesn't look like .local is officially reserved
>(http://tools.ietf.org/html/rfc2606), but .localdomain definitely is.

.localdomain is not reserved.

Regards,
-sm

[John Miller]

Thanks for the catch--guess I was writing a little too quickly this
morning. .localhost is reserved; .localdomain isn't.

John

[Novosielski, Ryan]

It is? I always see localhost.localdomain when it's spelled out completely. I've never seen anything .localhost (and then my guess is that if it is, it's not meant to be used except for one host by itself).

[Jim Glassford]

Just fyi,

some talk about Extensions of the Bonjoure Protocol Suite few days ago;

Date: Tuesday, November 6, 2012 9:11 AM

The mdnsext BoF is today at 15:20 US Eastern Time. The agenda is below.
Slides are available here:
https://datatracker.ietf.org/meeting/85/materials.html.
Remote participation details are here:
http://www.ietf.org/meeting/85/remote-participation.html

Thomas and I will need someone to take minutes, and a Jabber relay -
volunteers welcome!

Agenda: https://datatracker.ietf.org/meeting/85/agenda/mdnsext/

Extensions of the Bonjour Protocol Suite (mdnsext) BoF

On 11/14/2012 10:15 AM, Kevin Darcy wrote:
> The .local TLD is "reserved" for link-local names, in the context of
> multicast DNS ("mDNS"), however, I don't think mDNS has progressed
> beyond the Internet Draft stage of the IETF Standards Track process. See
> http://www.multicastdns.org for latest updates.
>
> It would be imprudent to use .local for anything other mDNS, due to the
> possibility that mDNS might get on the Standards Track some day. Tell
> the user that there are billions of other "private" TLDs from which to
> choose.
>
> - Kevin

> On 11/14/2012 10:02 AM, King, Harold Clyde (Hal) wrote:
>> I'm a bit confused by a user request. I think he is trying to keep
>> some hosts on the private side of DNS, but he wants to use a DNS name
>> like host.sub.local. I do not know of the use of the .local TLD except
>> in bonjure. Can anyone shed some light on the use of the .local TLD?
>>

>> --
>> Hal King - h...@utk.edu <mailto:h...@utk.edu>

>> Systems Administrator
>> Office of Information Technology
>> Systems: Business Information Systems
>>
>> The University of Tennessee
>> 103C5 Kingston Pike Building
>> 2309 Kingston Pk. Knoxville, TN 37996
>> Phone: 974-1599
>>
>>
>> _______________________________________________

>> Please visithttps://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

[Phil Mayers]

On 14/11/12 15:39, Kevin Darcy wrote:

> I stopped reading as soon as I saw the requirement to add a NetBIOS
> name, being overpowered by the stench of obsolescence. Does anyone

As per our recent thread, there's load of (recent, modern) stuff that
still uses NetBIOS. Sadly.

> actually run "2000" or "2003" versions of Microsoft products any more?

Yes.

> Does Microsoft even support those versions?

No. But other vendors support products which only run on those versions.

[Phil Mayers]

On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
> I'm a bit confused by a user request. I think he is trying to keep some
> hosts on the private side of DNS, but he wants to use a DNS name like
> host.sub.local. I do not know of the use of the .local TLD except in
> bonjure. Can anyone shed some light on the use of the .local TLD?

Yes - going down this route is a mistake. Don't do it. I speak from
personal experience.

First, it conflicts with a possible future standardisation of mDNS.

Second, if you ever need to bring the hosts into your "real" DNS at a
future date, you'll find you've made your life really hard, needing
DNSSEc trust anchors, forwarders/stub statements, and so on.

Pick a private sub-domain of a *real* domain that *you* own e.g. if you
are "example.com", pick:

sub.private.example.com

...and sidestep this at the planning stage. You can easily make that
zone hidden by delegating it to nameservers which are only reachable
from the appropriate places, or by using "allow-query" ACLs or similar.

[btb]

On 2012.11.14 10.02, King, Harold Clyde (Hal) wrote:
> I'm a bit confused by a user request. I think he is trying to keep some
> hosts on the private side of DNS, but he wants to use a DNS name like
> host.sub.local. I do not know of the use of the .local TLD except in
> bonjure. Can anyone shed some light on the use of the .local TLD?

this is a bad idea, plain and simple. don't do it. .local is reserved
[as others have mentioned] for mdns/zeroconf, and while there may still
be some undulation in the various documents which standardize it, it is
in active, relatively prevalent use today.

i repeatedly see demonstrable, reproducible problems which manifest in
"mysterious" symptoms to those who do not understand the difference
between dns and name resolution. while dns itself does not care in the
slightest what string a person might choose to use in a label [given of
course the constraints of character sets in general], the various name
resolution mechanisms used by a system's stub resolver/libraries risk
being short circuited [dependent on the specifics of the configuration]
by the mdns resolution mechanism if there is a .local reference.

while there are no formally established "private" tlds, the closest
thing to a consensus is to user either .site or .internal for this sort
of thing. that being said - i question the "necessity" of a special
"internal" domain. not only is it likely to generate confusion for
users, rarely is this truly necessary, with the trivial expense of
domain names [not to mention the probability of existing ownership
anyway] and mechanisms like split horizon/views.

-ben

[Sten Carlsen]

On 14/11/12 17:50, btb wrote:

On 2012.11.14 10.02, King, Harold Clyde (Hal) wrote:

I'm a bit confused by a user request. I think he is trying to keep some
hosts on the private side of DNS, but he wants to use a DNS name like
host.sub.local. I do not know of the use of the .local TLD except in
bonjure. Can anyone shed some light on the use of the .local TLD?

this is a bad idea, plain and simple.  don't do it.  .local is reserved [as others have mentioned] for mdns/zeroconf, and while there may still be some undulation in the various documents which standardize it, it is in active, relatively prevalent use today.

i repeatedly see demonstrable, reproducible problems which manifest in "mysterious" symptoms to those who do not understand the difference between dns and name resolution.  while dns itself does not care in the slightest what string a person might choose to use in a label [given of course the constraints of character sets in general], the various name resolution mechanisms used by a system's stub resolver/libraries risk being short circuited [dependent on the specifics of the configuration] by the mdns resolution mechanism if there is a .local reference.

I did this one time long ago, with the result that all MACs in the network stopped working properly, they actually use that tld for their own purposes. Once I switched to .home, everything started to work again as expected.

So as others said: Don't Do This!  -  at least if you value your sleep.

while there are no formally established "private" tlds, the closest thing to a consensus is to user either .site or .internal for this sort of thing.  that being said - i question the "necessity" of a special "internal" domain.  not only is it likely to generate confusion for users, rarely is this truly necessary, with the trivial expense of domain names [not to mention the probability of existing ownership anyway] and mechanisms like split horizon/views.

-ben

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
       "MALE BOVINE MANURE!!!"

[G.W. Haywood]

Hi there,

On Wed, 14 Nov 2012, Phil Mayers wrote:
> On 14/11/12 15:39, Kevin Darcy wrote:
>
> > I stopped reading as soon as I saw the requirement to add a NetBIOS
> > name, being overpowered by the stench of obsolescence. Does anyone
>
> As per our recent thread, there's load of (recent, modern) stuff that
> still uses NetBIOS. Sadly.
>
> > actually run "2000" or "2003" versions of Microsoft products any more?
>
> Yes.
>
> > Does Microsoft even support those versions?
>

> No. ...

That's incorrect.

Windows 2003 server products are in the 'Extended Support' phase which
runs until July 2015

http://support.microsoft.com/lifecycle/default.aspx?LN=en-gb&x=22&y=15&c2=1163

Until then security fixes are provided free, and hotfix support is
available if the customer pre-purchased an extended hotfix agreement.

It will no doubt be my misfortune to provide support long after that...

--

73,
Ged.

[Carsten Strotmann]

Phil Mayers <p.ma...@imperial.ac.uk> writes:

> On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:
>> I'm a bit confused by a user request. I think he is trying to keep some
>> hosts on the private side of DNS, but he wants to use a DNS name like
>> host.sub.local. I do not know of the use of the .local TLD except in
>> bonjure. Can anyone shed some light on the use of the .local TLD?
>

> Pick a private sub-domain of a *real* domain that *you* own e.g. if
> you are "example.com", pick:
>
> sub.private.example.com

>From my experience I recommend the solution Phil is describing. While
using a private top level domain is technical possible, I have seen too
many DNS admins that do not understand the implications and end up with
a system that is a burden for the local network and as well a burden for
the root-server system in the Internet.

Look at the DSC graphs of l.root-servers.net for invalid TLDs requested
<http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&node=ams01&plot=qtype_vs_invalid_tld&server=L-root-Europe>

'.local" is the 4th most queried domain name (after localhost, com and
net), but it should not exist at all in the Internet (or queries should
not reach the root server system). You see "corp", "intern" and "intra"
as well in the top 20 list.

Failing to operate a private TLD correctly is causing internal data
leaking to the Internet, which could be a security risk but in all cases
is a burden on the root server system.

A private subdomain of a delegated DNS domain owned by the company
(organization, individual) is much more save, and simpler to setup, and
serves the same purpose.

-- Carsten

[Sten Carlsen]

On 15/11/12 15:39, Carsten Strotmann wrote:

Phil Mayers <p.ma...@imperial.ac.uk> writes:

On 14/11/12 15:02, King, Harold Clyde (Hal) wrote:

I'm a bit confused by a user request. I think he is trying to keep some
hosts on the private side of DNS, but he wants to use a DNS name like
host.sub.local. I do not know of the use of the .local TLD except in
bonjure. Can anyone shed some light on the use of the .local TLD?

Pick a private sub-domain of a *real* domain that *you* own e.g. if
you are "example.com", pick:

sub.private.example.com

>From my experience I recommend the solution Phil is describing. While
using a private top level domain is technical possible, I have seen too
many DNS admins that do not understand the implications and end up with
a system that is a burden for the local network and as well a burden for
the root-server system in the Internet.


A private subdomain of a delegated DNS domain owned by the company
(organization, individual) is much more save, and simpler to setup, and
serves the same purpose. 

I will certainly agree, my story about changing .local to .home to make things work again has a continuation that I eventually use the same domain inside the nat and outside, with a split DNS. It gives a bit more work for DNS administration but makes life very easy for clients, they see no difference because the names are the same but resolve to different IPs. I believe the load on the roots is not influenced by this.

If having different internal and external domains gives problems this is a possibility, if the purpose is to isolate internal vs. external hosts, use different subdomains.

Just my 0.02$

-- Carsten
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

[Novosielski, Ryan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/15/2012 09:40 AM, Carsten Strotmann wrote:

> '.local" is the 4th most queried domain name (after localhost, com
> and net), but it should not exist at all in the Internet (or
> queries should not reach the root server system). You see "corp",
> "intern" and "intra" as well in the top 20 list.
>
> Failing to operate a private TLD correctly is causing internal
> data leaking to the Internet, which could be a security risk but in
> all cases is a burden on the root server system.

Not that I think that I'm doing this (and as I'd said, the only place
I use this is at home on a NAT'd network where there is no public DNS
at all), but what are some common ways to let this happen if you
happen to know?

- --
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novo...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlClBs4ACgkQmb+gadEcsb6YTwCgkg/OXg2ivDpNATEsfiz6Of+x
iJgAoJ58HdhMcUj8Zv5G1jhgLbGMtuvH
=i4ol
-----END PGP SIGNATURE-----

[btb]

On 2012.11.15 10.14, Novosielski, Ryan wrote:
>> Failing to operate a private TLD correctly is causing internal
>> data leaking to the Internet, which could be a security risk but in
>> all cases is a burden on the root server system.
>
> Not that I think that I'm doing this (and as I'd said, the only place
> I use this is at home on a NAT'd network where there is no public DNS
> at all), but what are some common ways to let this happen if you
> happen to know?

a nat'd network is a prime example of exactly the sort of place this
kind of thing happens. what it usually boils down to is non public
namespace being used [be it invented tlds or rfc1918/5735/etc address
space] with no nameserver on the local network with those zones
configured as authoritative.

for example, someone decides it would be fun to have a play domain name
on their private network, but doesn't set up a nameserver [aside from
the simple caching nameserver built into their access device [dsl/cable
modem, router, whatever]]. naturally, hosts on the network are
constantly doing dns lookups which reference this domain name, and as
such, the access device tries to resolve said hostname, likely passing
the query on to some upstream resolver. regardless of it a forwarder is
used or traditional iterative queries are used by the access device, now
the query ends up getting shopped around in some capacity to various
nameservers, all on the public internet, to see if it can be resolved.

queries for dns data which will never exist on the public internet
should never make it beyond the borders of a private network. running
an authoritative nameserver with the proper zones loaded [and bind makes
this even easier with empty zones] is what prevents this from happening.
unfortunately, it is exceedingly common, as carsten points out, and in
some contexts has become bad enough - e.g. rfc1918 arpa space - that
separate nameservers have been set up to deal with the problem [rfc 6305].

-ben

[Novosielski, Ryan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/15/2012 11:36 AM, btb wrote:
> On 2012.11.15 10.14, Novosielski, Ryan wrote:
>>> Failing to operate a private TLD correctly is causing internal
>>> data leaking to the Internet, which could be a security risk
>>> but in all cases is a burden on the root server system.
>>
>> Not that I think that I'm doing this (and as I'd said, the only
>> place I use this is at home on a NAT'd network where there is no
>> public DNS at all), but what are some common ways to let this
>> happen if you happen to know?
>
> a nat'd network is a prime example of exactly the sort of place
> this kind of thing happens. what it usually boils down to is non
> public namespace being used [be it invented tlds or
> rfc1918/5735/etc address space] with no nameserver on the local
> network with those zones configured as authoritative.

Great, thanks, sounds like I'm covered then (I have BIND running
authoritative for my zone on the firewall/NAT machine only accepting
queries from my local 1918 addresses) and DHCP providing its address
as the nameserver.

- --
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novo...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlClGsIACgkQmb+gadEcsb7NKwCfUELoFIjKy1TAHFysZ0megp82
MuwAn2V+fOa3enJ6UxRTJmMEmqj3wNeg
=ygQY
-----END PGP SIGNATURE-----

[btb]

On 2012.11.15 11.39, Novosielski, Ryan wrote:
> Great, thanks, sounds like I'm covered then (I have BIND running
> authoritative for my zone on the firewall/NAT machine only accepting
> queries from my local 1918 addresses) and DHCP providing its address
> as the nameserver.

be sure that bind is also authoritative for your 1918 arpa space as well
[and you might as well just make it authoritative for all previously
mentioned address space]. accepting queries from only your private
network is good, but that alone will not prevent leakage [and leakage is
never good, dns or otherwise :) ]

-ben