Internal and external domains, FQDNs, and certs

I’ll try to not be long-winded about this, but it’s going to be a doozy anyway.
I’m just hoping to confirm or clarify my understanding of domain best practices, and then I have a question about how to appropriately cert it/them.

Externally, let’s say I have mycompany.com bought and registered.
It’s got a website hosted somewhere third-party, and subdomains: site1.mycompany.com, site2, etc.
And some additional DNS records so I can have things like mail.mycompany.com point to our Google email suite thing, etc.

So, internally to my business, can/should I also use mycompany.com, also with a prefix, so my internal network domain is headquarters.mycompany.com or whatever?

Meaning that all my hostnames would get prepended to that on internal DNS: printer.headquarters.mycompany.com, laptop1., yada yada.

Back in the day I remember hearing not to use .com internally because it could mess up traffic meant to route outside, and internally systems used .local. Now, I hear using .local is bad, because it can interfere with certain protocols like Bonjour. I’ve also read suggestions to use a made-up thing, like .office, for internal domains.

Tl;dr - is a prefix (subdomain) on an owned domain name the way to go?

AND, if they can/should all be based on mycompany.com, would a single wildcard cert for that domain be usable on both external and internal servers? (So my website is secured, and I can use the same cert to get rid of all the dumb non-secure self-signed browser warnings my internal services and NAS and everything else give me.)

Thanks for reading! :sweat_smile:
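On the wildcard question above, as an added example that is not part of this thread: browsers apply the RFC 6125 rule that `*` covers exactly one DNS label, so `*.mycompany.com` matches `site1.mycompany.com` but not `printer.headquarters.mycompany.com`. The hostnames below are the ones named in the post; the SAN list is a constructed sample of what a public CA would issue for a wildcard on mycompany.com.

```python
# Constructed sample: the SANs a public CA would issue for a mycompany.com wildcard.
WILDCARD_CERT_SANS = ["mycompany.com", "*.mycompany.com"]

# The hostnames mentioned in the post, external and internal.
HOSTNAMES = [
    "www.mycompany.com",
    "site1.mycompany.com",
    "mail.mycompany.com",
    "headquarters.mycompany.com",
    "printer.headquarters.mycompany.com",
    "laptop1.headquarters.mycompany.com",
]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname.

    Follows the RFC 6125 rule browsers apply: '*' is allowed only as the
    entire leftmost label, matches exactly one label, and must leave at
    least two fixed labels (so '*.com' never matches anything).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial wildcards like 'f*.example.com' are not honoured
    return p_labels == h_labels


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def coverage_report(san_names, hostnames) -> dict:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {host: cert_covers(san_names, host) for host in hostnames}


if __name__ == "__main__":
    for host, ok in coverage_report(WILDCARD_CERT_SANS, HOSTNAMES).items():
        print(f"{'covered    ' if ok else 'NOT covered'}  {host}")
```

Internal hosts under headquarters.mycompany.com would need their own names on the certificate (or a separate `*.headquarters.mycompany.com` entry), which also puts internal hostnames into public CT logs.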

If you have a Windows domain server / Active Directory then it’s not really a good idea to set it to be the same as your website domain. As for the subdomains, you can go wildcard for the subdomains and have the primary separate.
I have a few videos on how to do that with HAProxy

1 Like

Thanks, I will definitely check these out.
Are there more specific do’s and don’ts when it comes to naming domains and what top-level to use internally (like the “don’t use the external website .com internally when using MS AD”)?