question about internal and external website name same


I have read a lot article on web about internal domain and website name same is bad . some suggest using .local (example.local) another suggest using subdomain ( .

but I can’t see why is bad to have same name. here my test setup mail server

public domain :
public ip :
on the dns I add
|1 Hour|

| (Priority: 10)
|900 seconds

internal network ( /24)
IP :
hostname : server1
domain name :

on the server install bind , postfix , dovecot , clam, amavis , spamassassin.

on local dns i add similar setting but with local IP (

the reason I add to local dns is in order for mail client to find at rather . if I don’t do that , DKIM won’t sign outgoing email also certificate use is set to

from this experience. the only time I wish the local domain is different name is when I do testing using dig /amavis testkey , to retrieve/test SPF and DKIM value from external domain .but I don’t see that very important

other than small inconvenient , I really can’t see why external and internal domain name should not be same.

Because it is against the very definition of the domian name system: that it is world wide, and world wide unique.

What you see as not “other than small inconvenient” is a show stopper for many. Those articles you read try to teach you good practises. You may ignore them of course. If that gives you only a small inconveniency or if it will kill your production somewhere in the future at a very inconvenient moment in time, is up to you to decide.


Good to see you’re asking a commonly asked question which is critical to understanding how to set up DNS Domains.

The scenario you describe where you are running your own LAN DNS and create a zone that is identical to a public domain (ie registered on the Internet) is called “Split brain DNS.” You can Google that and get all sorts of guides (yes, it’s a legitimate setup for the reason you’re giving in your post) and blogs and comment.

Note that the underlying principle is the same as a particular type of hacking attack called “DNS Poisoning,” and illustrates why we have to trust not only the DNS server we’re pointing at, but also all the upstream DNS… And is why for several years now there has been an effort to tighten up security to prevent things like Man in the Middle attacks along the DNS chain of trust.

Be aware that if you do set up a Split Brain DNS, you have to start by replicating <all> the public DNS records because your local DNS becomes authoritative for the Domain to your LAN users… If you’re missing any records or the records aren’t accurate, then you’ll get name resolution problems in your LAN.

Note that there are alternatives to your mail server IP address topology (mail server accessible by both a public and a private address), off the top of my head you can instead

  • set up your mailserver in a DMZ,
  • only on a private address with a public address forwarded to your private address
  • only on a public address, then your LAN clients would need to be able to access the public address using what is called a “hairpin.”

Your other question about how or why you might want to name your Domain differently than the public domain name (ie registered on the Internet) is to keep your LAN assets private and difficult for outside hackers to identify. This type of security is based on “name spaces” where by simply grouping everything within a name space which can’t be routed on the Internet (A local Domain should always use a suffix that’s unique and is not a Top Level Domain Name (TLD)), Although “.local” has been a popular choice, it should not ever be used because some services(IIRC bonjour?) uses that name for special purposes. Use some other name like your secretary’s daughter’s cat’s toy, like “.fuzzy” (You get the idea?). A Split Brain has some risk involved for all your non-mail assets like files in a network share, the machines in your network, more. Nothing is actually and automatically compromised, but by using a routable Domain name internally, an intruder could have an easier time accessing files, using services and possibly leaking info or doing damage.

In other words, remote hackers can “touch” your machine because they know your machine’s public name, so you should pay particular attention to your machine’s security (ie hardening) and possibly place something like a proxy server in front of your machine.

You should also understand that mail domains aren’t necessarily the same as your common public domain name.
Some companies create a sub-domain and other companies might use some completely different name dedicated for mail services (might be the remnant of a merger).
So, there are a number of ways you can avoid domain name collisions or provide enhanced services, just be sure to double-check the security aspects because DNS mistakes are often have catastrophic consequences.