Use domain names that you own and don't abuse domain names that you do not own.

You've come to this page because you've abused a domain name that you do not own, for private or internal use. This is the Frequently Given Answer to such abuse.

You do not own TLD names such as local., lan., dev., corp., or private.. They are not yours, and you thus may not use them for even private or internal purposes. You may not use subdomains of those TLDs as Active Directory domain names or forest root names, for example.

Use a domain name that you actually own, or subdomains thereof. Learn from history. Making up one's own private-use TLDs, 3 letter or otherwise, is a bad idea whose results have annoyed people and caused technical difficulties for years. Don't adopt it. The only place that one has any business making up domain names is under the domain name(s) that one actually owns.

The Domain Name System as a standard function of the system gives you a means of having arbitrary many domain names to play with. You register a domain name in the public DNS database, such as, and that gives you the right to create any (protocol legal) names that you want beneath it, such as or That is how you should reserve a portion of the DNS namespace for your private or internal use. It gets you an entire subtree to play in.

So if you want to create Active Directory domain and forest names, and have registered, then you can place them all under a subdomain such as (You could even place them directly under, using itself as your AD domain name, although this has not been best practice for many years.) If you have your Active Directory LAN set up properly, none of your domain controllers will be providing DNS service to the world outwith your LAN borders, and you'll already have "split horizon" DNS service with the prune-and-graft point for the DNS namespace tree at or some such.

There are two reasons for this, which basically boil down to "Think! What if other people did the same thing as you?":

Note that the domain names reserved for examples, invalid names, and tests by RFC2606 are not reserved for private use as actual domain names. Don't be confused on this point. Use in documentation is not use as an actual domain name. RFC2606 does not set aside any TLDs or SLDs for private use.

Every so often, people propose that domain names such as local. and pri. be reserved for private use. There have been several such proposals in the past couple of decades, some even made to the IETF. They've all foundered, for one simple reason: They aren't actually necessary and would in fact be worse than the existing mechanisms. The DNS already provides a mechanism for any company or organization to grab an entire subtree of the DNS namespace for itself. And it's a mechanism that is immune to the aforementioned problems of corporate mergers, splits, and VPNs that would plague a single reserved top-level domain name set aside for such a purpose. Registration in the public DNS avoids conflicting subtree roots. This is why the DNS has a hierarchical namespace in the first place, after all.

Further reading

© Copyright 2012,2018 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.