@kobolds1
Good to see you’re asking a commonly asked question which is critical to understanding how to set up DNS Domains.
The scenario you describe where you are running your own LAN DNS and create a zone that is identical to a public domain (ie registered on the Internet) is called “Split brain DNS.” You can Google that and get all sorts of guides (yes, it’s a legitimate setup for the reason you’re giving in your post) and blogs and comment.
Note that the underlying principle is the same as a particular type of hacking attack called “DNS Poisoning,” and illustrates why we have to trust not only the DNS server we’re pointing at, but also all the upstream DNS… And is why for several years now there has been an effort to tighten up security to prevent things like Man in the Middle attacks along the DNS chain of trust.
Be aware that if you do set up a Split Brain DNS, you have to start by replicating <all> the public DNS records because your local DNS becomes authoritative for the Domain to your LAN users… If you’re missing any records or the records aren’t accurate, then you’ll get name resolution problems in your LAN.
Note that there are alternatives to your mail server IP address topology (mail server accessible by both a public and a private address), off the top of my head you can instead
- set up your mailserver in a DMZ,
- only on a private address with a public address forwarded to your private address
- only on a public address, then your LAN clients would need to be able to access the public address using what is called a “hairpin.”
Your other question about how or why you might want to name your Domain differently than the public domain name (ie registered on the Internet) is to keep your LAN assets private and difficult for outside hackers to identify. This type of security is based on “name spaces” where by simply grouping everything within a name space which can’t be routed on the Internet (A local Domain should always use a suffix that’s unique and is not a Top Level Domain Name (TLD)), Although “.local” has been a popular choice, it should not ever be used because some services(IIRC bonjour?) uses that name for special purposes. Use some other name like your secretary’s daughter’s cat’s toy, like “.fuzzy” (You get the idea?). A Split Brain has some risk involved for all your non-mail assets like files in a network share, the machines in your network, more. Nothing is actually and automatically compromised, but by using a routable Domain name internally, an intruder could have an easier time accessing files, using services and possibly leaking info or doing damage.
In other words, remote hackers can “touch” your machine because they know your machine’s public name, so you should pay particular attention to your machine’s security (ie hardening) and possibly place something like a proxy server in front of your machine.
Lastly,
You should also understand that mail domains aren’t necessarily the same as your common public domain name.
Some companies create a sub-domain and other companies might use some completely different name dedicated for mail services (might be the remnant of a merger).
So, there are a number of ways you can avoid domain name collisions or provide enhanced services, just be sure to double-check the security aspects because DNS mistakes are often have catastrophic consequences.
TSU