Private IP range for subdomain of real domain

Hi, I am reconfiguring my home network, and one thing that always bothered me was my domain name setup using just foo or foo.local.

I am considering the following:
I have a publicly registered domain, with a public DNS server; let's call it foo.net.
I have a paid Class 2 validation with StartSSL, so I can issue certificates for any hosts and subdomains of foo.net, e.g. *.home.foo.net and *.foo.net. (I am currently using this for Hyper-V replication over HTTPS and using the hosts file to resolve FQDNs.)
I want to use home.foo.net as my home DNS domain, e.g. server-1.home.foo.net.
I want to use my own DNS server to resolve *.home.foo.net, and forward all other requests to my upstream ISP (or Google) DNS server.

To recap, the primary reason for using a public domain is to allow me to issue SSL certificates by a public registrar, i.e. no need to create and distribute my own root certificates.

Any concerns, gotchas, good idea, bad idea?

P.
 

Chuckleb
Moderator
Mar 5, 2013
I just did this recently when I was setting up Active Directory at home. I have a main domain (foo.net) that is hosted at Dreamhost and runs all my websites, etc. I created a subdomain (ad.foo.net) that I assigned the DNS record type NS back to my home DNS (myhouse.dyndns.org). Then in the firewall of myhouse.dyndns.org I opened up port 53 and forwarded that to my AD nameserver. This now serves all records for ad.foo.net. If your hosting registrar allows you to create NS entries, this should work just fine.

My router (ddwrt using dnsmasq) required specific configurations and if you use that, I can give you a link to my wiki for further instructions.
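The split setup the original post describes (answer *.home.foo.net locally, forward everything else upstream) expressed as a dnsmasq configuration, the resolver Chuckleb mentions. This is an added example, not configuration from either poster or from the dd-wrt wiki; the interface name, upstream servers, hostnames and addresses are assumed. It listens only on the LAN interface, so unlike the NS-delegation approach nothing on port 53 has to be opened to the internet for the internal names to work.

```ini
# dnsmasq.conf (constructed example): home.foo.net is resolved from local
# records only; all other queries are forwarded upstream.

# Answer only on the LAN interface; never listen on the WAN side, so the
# firewall needs no inbound port 53 rule for this design.
interface=br0
bind-interfaces

# Ignore /etc/resolv.conf and name the upstream forwarders explicitly.
no-resolv
server=8.8.8.8
server=8.8.4.4

# Never forward home.foo.net queries upstream: resolve them locally or
# return NXDOMAIN, so internal names are not leaked to the upstream resolver.
local=/home.foo.net/

# Append home.foo.net to bare names (server-1 -> server-1.home.foo.net).
domain=home.foo.net
expand-hosts

# Static records for the hosts that carry the *.home.foo.net certificate
# (assumed hostnames and RFC 1918 addresses).
host-record=server-1.home.foo.net,192.168.10.11
host-record=hv-1.home.foo.net,192.168.10.21
host-record=hv-2.home.foo.net,192.168.10.22

# Reject upstream answers that point into private address ranges (DNS
# rebinding defence). The local records above are unaffected, because
# they are never forwarded; use rebind-domain-ok=/.../ if a public zone
# must legitimately return private addresses.
stop-dns-rebind
```

LAN clients then need only this resolver as their DNS server; a public DNS record for foo.net remains necessary solely for the CA's domain validation, not for resolving the internal names.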
 

Mike
Member
May 29, 2012
Thanks.
What is the benefit of having the public internet resolve your internal names, i.e. why did you need to allow external DNS requests to your internal DNS server?
It is stated in his question: he wants to validate issued certificates with a public CA since he has the wildcard cert. If you instead use a *.localdomain, you have two domains to take care of and are not able to validate your SSL certificates without also creating a trust anchor for your self-signed certs on all your hosts.
 
"His question", that was my question?

I have certs issued to *.home.foo.net by StartSSL, and only foo.net needs to be public, as the cert issuer will issue any cert for up-level domains as long as the base down-level domain has been verified.

Many enterprises use internal sub-domains that cannot be resolved from the internet; they only resolve if you can connect to the internal DNS server.
So my question to "Chuckleb" is still: what is the value of allowing the internet to resolve your AD host names?

P.