Using an Internal Subdomain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The recommended configuration option for a mixed internal and external DNS namespace is to make your internal domain a subdomain of your external domain. For example, an organization that has an external namespace domain name of might use the internal namespace domain name Using an internal domain that is a subdomain of an external domain:

  • Requires you to register only one name with an Internet name authority even if you later decide to make part of your internal namespace publicly accessible.

  • Ensures that all of your internal domain names are globally unique.

  • Simplifies administration by enabling you to administer internal and external domains separately.

You can use your internal subdomain as a parent for additional child domains that you create to manage divisions within your company.

For example, to implement an internal subdomain of the external domain

  1. Configure the external DNS server with the namespace This server contains a static zone with only records for servers that are to be available publicly on the Internet. These records would typically include such servers as,, and so on.

  2. Configure the internal DNS server with the namespace Note that while the internal namespace is a subdomain of the external namespace, the internal zone is not delegated from the external zone. That is, the external server does not have a delegation record.

  3. Register all hosts in the organization's internal network in the namespace, either in the domain or in child domains within that namespace. For example, a server for the sales department might have the fully qualified domain name of

  4. Disable dynamic updates on the external server because no computers in the company's internal network should be registered in the external namespace.

  5. Configure the internal DNS server to forward Internet queries to enable internal hosts to resolve external (Internet) names. You can do this in one of two ways:

    • Configure the internal DNS server to forward to the external server, which enables recursion on the external server. In addition, you can configure the internal server as a secondary server to the external server. This enhances the security of the internal network by ensuring that the internal server never makes a query directly on the Internet.

    • Configure the internal DNS server to forward queries to the Internet service provider's DNS server. This method enhances security on the external server because it makes it possible to disable recursion on the external server.

    Instead of using forwarders, the internal DNS server may be configured simply to use the standard Internet root hints to resolve Internet names. The DNS server is configured with the list of standard root hints when the DNS server role is installed. This option is the least secure, however, because it requires the internal DNS server to be able to access DNS servers on the Internet.
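The following check is an added example, not part of the original documentation: it audits an exported copy of the external zone for the conditions in steps 1 through 4, flagging a delegation record for the internal subdomain, any record registered under the internal namespace, and (a heuristic that goes beyond the steps) RFC 1918 addresses in the public zone. The names `example.com` and `corp.example.com` are assumed placeholders, since the page's own domain names are not shown, and the sample zone data is constructed.

```python
import ipaddress

EXTERNAL_ZONE = "example.com."        # assumed placeholder for the external namespace
INTERNAL_ZONE = "corp.example.com."   # assumed placeholder for the internal subdomain
TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "SOA", "TXT", "SRV", "PTR"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of an external zone export (not real data).
SAMPLE_ZONE = """\
@        3600 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 600 86400 3600
@        3600 IN NS  ns1.example.com.
ns1      3600 IN A   192.0.2.53
www      3600 IN A   192.0.2.10
corp     3600 IN NS  dc1.corp.example.com.   ; delegation to the internal zone
dc1.corp 3600 IN A   10.0.0.5                ; internal host registered externally
intranet 3600 IN A   192.168.10.20           ; private address in the public zone
"""

def fqdn(name, origin):
    """Expand '@' and relative owner names against the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=EXTERNAL_ZONE):
    """Yield (owner, type, rdata) from simple one-line zone file records."""
    owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():                      # leading blank = same owner as before
            owner = fqdn(tokens.pop(0), origin)
        idx = next((i for i, t in enumerate(tokens) if t.upper() in TYPES), None)
        if idx is not None:
            yield owner, tokens[idx].upper(), " ".join(tokens[idx + 1:])

def audit_external_zone(text, internal=INTERNAL_ZONE):
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        inside = owner == internal or owner.endswith("." + internal)
        if rtype == "NS" and inside:                  # step 2: no delegation record
            findings.append(("delegation", owner, rdata))
        elif inside:                                  # steps 3-4: internal hosts stay internal
            findings.append(("internal-name", owner, rdata))
        elif rtype == "A" and any(ipaddress.ip_address(rdata) in n for n in RFC1918):
            findings.append(("private-address", owner, rdata))
    return findings
```

An empty result from `audit_external_zone` means the exported external zone holds neither a delegation to the internal subdomain nor any internally registered host.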

See Also


  • Namespace planning for DNS

  • Securing DNS deployment