RFC 6762 defines the TLDs you can use safely in a local-only context:
*.intranet
*.internal
*.private
*.corp
*.home
*.lan
Be a selfhosting rebel, but stick to the RFCs!
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
For Example
We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.
Useful Lists
RFC 6762 defines the TLDs you can use safely in a local-only context:
*.intranet
*.internal
*.private
*.corp
*.home
*.lan
Be a selfhosting rebel, but stick to the RFCs!
".home.arpa" for A records.
I run my own CA and DNS, and can create vanity TLDs like: a.git, a.webmail, b.sync, etc for internal services. These are CNAMEs pointing to A records.
do not use .local
, as tempting as it may be
use .home
personally
Being a bit of a rebel myself. I use ONLY a tld, and where subdomains would be used, I use domain.tld
This has lead me to discover quite a few projects out there that don't parse domain names correctly, especially when you want to use an email like admin@tld and it cries because you have no dot.
I bought a .casa domain Using it internally, but also routing one service to the outside with that domain
https://datatracker.ietf.org/doc/html/draft-chapin-rfc2606bis-00
I use .host because .internal is too long to type and .local is a pita, but mostly because the browser actually tries to go there instead of some stupid search engine that tracks that kind of info and I don't have to remember to put a slash at the end.
I use `.home.arpa` as that is the "official" use of that domain.
My TLDs are:
.lan = management/wired vlan
.mobile = primary wifi
.iot = locked down for iot/home automation devices
.guest = guest wifi
The domain for each is my public .io domain.
.local
is mDNS - and I'm using that, saves me so much hassle with split-horizon issues etc.
I also use global DNS for local servers (AAAA records on my own domain), again, this eliminates split-horizon issues. Life is too short to deal with the hassle of running your own DNS server.
I had problems with .local because it’s used for MDNS and too lazy to figure out how that works so now I just use lan but I also own a .com domain so I have started to use that more
.damo
I've got a .com for my internal only services with tls and a .pro for my external facing services. I could probably throw them all on one but because legacy (I didn't think things through) I have two
.app is suuuper cheap even for three letter domains. I picked one up for pennies with three letters that mean something to me and my partner and use a pair of redundanct piholes to serve local DNS for that domain. Externally it’s hosted on DigitalOcean for stuff I want external.
I use a custom domain for everything....email, internal dns, external (cf tunnels), and my public websites. I use to use AWS Route 53 for everything because of work, but moved to CF because it's free and much easier to setup and manage.
For local devices I use *.local.domaingoeshere.com (wildcart cert), issued by cloudlfare. In retrospec I should have used *.int.domain.com as it would be less typing...but everything is categorized and bookmarked anyway.
Why not use *.domain.com ? If you own the domain you’ll never have a conflict that way
maybe not directly answer for you, but I just literally bought 4 domains for 3 euro per year (renews at the same price!) 5 minutes ago :D.
The catch - it has to be 9 numbers.xyz (see https://gen.xyz/1111b for details).
GDI, I have been using internal.registereddomain.com which is 5 wasted characters...
I have an io domain - mylastname.io
AD domain is home.mylastname.io
A place I put most apps running on my Kubernetes cluster is *.apps.mylastname.io
For those using a pihole for .internal.example.com, how do you deal with DNSSEC on example.com? Or do you just not?
Not sure this is what you want but I have a .one domain setup with local IPs.
So if one server is on 192.168.1.8 I point the domain to that and by visiting https://myserver.whatever.one I get to that server.
I own both mydomain.com as well as mydomain.me. I use the *.me as my local domain and *.com for the real world.
I mean.... I use xtremeownage.com
But, ya know... I own it. Although, I use a few subdomains for my home-network, with a split-horizon DNS setup.
i have owned a .com since 1997. i use that.
everything under *.home.mydomain.tld is reserved for internal use.
I use *.home.mydomain for publicly-accessible IPs (IPv6 addresses plus anything that I've port forwarded so it's accessible externally) and *.int.mydomain for internal IPv4 addresses.
.uk, but it is an actual .uk that I've registered.
Technically every machine is supposed to have a registered TLD, even on a local network. That said, I use .lan
I have a registered domain and my lan domain is "int.registereddomain.com". This way I can use letsencrypt etc for my internal hosts (*.int.registereddomain.com via dns challenge). The actual dns for my internal domain itself is not public but static records in pihole.
I use .lan for anything local and my public domain is .net for anything publicly hosted.
If you want to avoid problems, use TLD that are assigned for this purpose, for example .home.arpa
or .home
or .lan
or .private
etc.
Avoid using .local
because its already used by mDNS.
I Just use a .de tld and for all my sites a *.mysite.mydomain.de.
Ssl certs from cloudflare with a dns challenge for internal use.
I use homelab..org
Nothing. I have all devices using tailscale DNS and I refer to things in my network by their host name directly.
.com lol. I got a 6 letter domain that makes for me. I should check out .local though. I could .com for my website and .local for my home network using the same domain name.
I use >!.cunt!< for my local TLD. Stands for Can't Use New Technologies from IT Crowd.
It makes it comnical when I let friends onto my wifi.
I just use my domain inside my network which is a .net
*.oob.mydomain.tld
I've never used DNS in my local network (because it's additional burden to support, so I tried to avoid it), but couple of month ago when I needed several internal web-sites on standard http port, I've just came up with "localdomain."
Yep, it's non-standard too, but probability of it's usage of gTLD is lowest among all other variants because of it's usage in Unix world and how non-pretty it is :)
I own lastname.me and lastname.dev and everything public is lastname.me and everything local ist lastname.dev. I don't have a VPS anymore so the .me domain is a bit useless and only relevant for emails these days but I'd have something like nc.lastname.me for my public next cloud instance and docs.lastname.dev for my paperless instance that I don't want to have on somebody else's machine.
Why use a different domain for local as external?
lastname. systems
I used to own lastname.cloud and foolishly let that expire. Its one of my biggest regrets.
A customer of mine chose for his own domains.. and it was his mistake that he wanted specific "cool top level domains" in his network for his factory, storage facility and vehicles on the road that connected with wifi at home.
He decided, and I realized immediately that this would be a bad idea (*cough* .. no I didn't.. but lets pretend I did), that he wanted something that looked like;
I think he adopted the idea because I had a singular setup at my office/shop where my synology, placed in a 8U rack in the back on the 4th flloor with a hostname.. just a hostname "I.am.on.the.forth.floor.in.the.back". Just a singular name.. I remember him laughing when he found the server where the hostname said it was.
So, the systems (electronic toolbag for in the trucks) installed in the trucks would only work a 100% if connected to the wifi at home base. All interfaces with any relation to the outside world had to be brought within the lan to be able to get to warehouse data, and the fabrication department (his pride and joy) just did what it always did.. it fabricated stuff. All choices were made motivated by the path of least resistance.
Yeah.. a lot of stuff didn't work as planned. Mainly connectivity things that did not work as expected, misconfiguration of DHCP servers, VPN clients and all other types of "employee owned" gear that were unable to resolve the funky domains.
I started to protest, and explain why what I did was funny, but what he was doing was foolish.. especially after I gave him a rough idea of what was neede to be done. I proposed a split dns solution with a real domain, even that would have been easier and less intrusive to work on or fix things in for sure.. but it looked "less cool" according to his lordship. Customer is king is a stupid concept, but if the customer claims to be King, his highness can pay for the time required to serve him.
So..
Pick a singular host, get a real domain and setup a split DNS environment (easiest and funnest imo).. but if you don't care (and why should you :)) pick something fun and cool that makes sense to use for you. All our suggestions are pure personal preference in the end :)
I own both `mydomain.com` and `mydomain.net`, and the `.net` is all my internal services (eg `homeassistant.mydomain.net`). The public `.com` domain I use exclusively for email and a static site.
I had some old employer with a similar segmentation so it just made sense to me ¯\_(ツ)_/¯
I have 2 registered tlds in .dev and .net. I split their use using .net for personal/selfhosted sites and .dev for public facing.
.lab
I use .lan as it's shorter and IMO nicer looking than .local
I use home.arpa as the base dns as that play very well and are the official standard, then I have a domain for my reverse proxy. Of course I can use that domain for the whole network, but I like to split it up
i made up a not real, non-standard TLD that i use lol (.null)
I have a self signed CA that all my devices trust. Getting a real domain and just using that, with LetsEncrypt, would not have required me to explicitly trust my own CA, but hey, my system works.
and i know i know, RFCs, but it works, and doesn't break anything.