At work I have configured two different network segments behind our firewall: "trusted", with servers that do NOT provide public Internet services, and "DMZ", with servers that DO provide public Internet services.
Back when I was training for Windows Server 2000 exams (yup, WAY back then) the recommendation at the time was to run your internal domain namespace using the ".local" suffix. So, for example, if you're using "mycompany" for your internal domain, then you'd use "mycompany.local" for the fully qualified domain name (FQDN). In fact, if you set up a Windows Server 2003 system for Active Directory even today, the default domain suffix is ".local". Since then things have changed.
One reason I've found is that systems now run Multicast DNS, also known as mDNS or "Zero configuration networking", which is an open specification by Apple that other systems have adopted, such as Microsoft's implementation as "Universal Plug and Play". Running your own internal DNS using the ".local" namespace suffix can result in DNS resolution problems.
The other reason I've found has to do with "always on" connectivity of devices, both inside and outside of internal networks. For example, suppose I have my Mail.app configured for my company's mail server (mail.mycompany.local) using its internal name; when I connect from outside my network the name won't resolve correctly. If I change the name in the mail client when I'm external, then I'll have to change it back when I'm internal again.
The recommendation I've found so far on this is to use something called "split DNS". From what I can tell this consists of running your internal namespace using the same name as your external namespace. So, using the previous example, my internal DNS zone would be "mycompany.com" instead of "mycompany.local". This internal DNS server would then point to the internal IP addresses. A second DNS server would then be set up, either within my network or outside of my network, to handle external DNS name resolution for my company's systems that provide public access. This server could be my own or my ISP's DNS server.
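To make the split-DNS idea concrete, here is an added example (my own illustration, not part of the original post or any DNS server's code) that models the "two views of one zone" decision in Python: the same name, mail.mycompany.com, answers with a private address for clients on the trusted or DMZ segments and with a public address for everyone else, and a zone under .local is refused because Multicast DNS reserves that suffix (RFC 6762). The network ranges, host names and addresses are constructed sample data.

```python
"""Split-horizon ("split DNS") resolver logic as a stand-alone illustration.

Constructed sample data: the zone mycompany.com, a trusted segment 10.0.0.0/8,
a DMZ 192.168.100.0/24, and the example host addresses below (assumptions).
"""
import ipaddress

# Client networks that are served the "internal" view (assumed ranges).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # trusted segment
    ipaddress.ip_network("192.168.100.0/24"),  # DMZ segment
]

# One zone, two views. Internal clients get private addresses; external
# clients only see the public addresses of hosts that provide Internet
# services. Hosts with no public entry are simply invisible from outside.
ZONES = {
    "internal": {
        "mail.mycompany.com": "10.0.0.25",
        "www.mycompany.com": "192.168.100.10",
        "fileserver.mycompany.com": "10.0.0.30",
    },
    "external": {
        "mail.mycompany.com": "203.0.113.25",  # documentation range (TEST-NET-3)
        "www.mycompany.com": "203.0.113.10",
    },
}


def zone_is_mdns_reserved(name: str) -> bool:
    """True when the name falls under .local, which RFC 6762 reserves for mDNS."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == "local"


def select_view(client_ip: str) -> str:
    """Pick the view the way a match-clients ACL would: first matching net wins."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETWORKS) else "external"


def resolve(name: str, client_ip: str):
    """Return the A record for `name` as seen by `client_ip`, or None (NXDOMAIN)."""
    if zone_is_mdns_reserved(name):
        raise ValueError(f"{name}: .local collides with Multicast DNS, use a real zone")
    return ZONES[select_view(client_ip)].get(name.rstrip(".").lower())


if __name__ == "__main__":
    for client in ("10.0.1.50", "198.51.100.7"):
        for host in ("mail.mycompany.com", "fileserver.mycompany.com"):
            print(f"{client:>14} -> {host}: {resolve(host, client)}")
```

Run it and the mail client problem from above disappears: the laptop keeps one name, and the answer depends only on which side of the firewall it is asking from.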