
Greetings,

I’m looking for recommendations and best practices regarding DHCP-scoped DNS domain assignment across different segments of our environment.

Specifically, I’d appreciate guidance on configuring the following DHCP options:

  • Domain Name

  • DDNS Domain Name

  • Domain Search

For those of you managing medium to large environments: are you using the same values across internal LAN, Wi-Fi, Guest, and IoT networks? Or do you define zone-specific values like wifi.contoso.com, internal.contoso.com, guest.contoso.com, iot.contoso.com, etc.?

Currently, our global DHCP configuration looks like this:

  • Domain Name: contoso.com

  • DDNS Domain Name: mydomain.contoso.com

  • Domain Search: undefined

My assumption is that the Domain Name and DDNS Domain Name should ideally match—or at the very least, both should be included in the Domain Search (Option 119) if they differ.

I’m also assuming that BYOD and guest networks should ideally have their own distinct DDNS zones, separate from the Active Directory namespace, to avoid overlap or leakage.

I'm assuming you're asking about an internal network, that the domain names won't be publicly queryable. Additionally, it seems like you're asking about a greenfield.

  • Separating DNS zones is generally not useful as a security feature. Therefore, tossing all domain names including BYOD and even guests in one zone is fine.  (They should be in different subnets.)
  • Avoid split DNS. Use an internal zone name that isn't used on the Internet and never will be.
    • A good way to do this is to register a domain name, and then not use it publicly. For example, for CompanyX with a public domain apex of companyx.com you can register companyx-int.com if it is available. Then never use it publicly. Or, if you are certain you'll never need to have a domain name in Liechtenstein, go with companyx.li, if it is available. Etc.
  • Search lists are a horrible idea. Avoid them. Your programmers should always use FQDNs.
  • There is no upside in having Option 15 (Domain name) and the DDNS domain name given out by the DHCP-server not being the same.
    • Both should be companyx.li.
    • If memory serves, in ISC-DHCP option 15 doesn't need to be set. If it isn't, it is identical to the value of ddns-domainname. Whether that can be configured with Integrity, I don't know; I've never set up a greenfield with Integrity.

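The layout the reply recommends, written out as an ISC DHCP dhcpd.conf fragment. This is an added example, not configuration from the original poster or the person replying; the zone name companyx.li is taken from the reply, while the 10.10.x.0/24 segments, gateways, DNS server addresses and the TSIG key name are assumed. Note that dhcpd.conf(5) documents the fallback in the other direction from the reply's recollection (ddns-domainname defaults to option domain-name when it is not set), which is why the fragment sets both explicitly and identically rather than relying on either default.

```conf
# dhcpd.conf, ISC DHCP 4.x syntax. Example added here; not from the original post.
# Assumed: companyx.li is the internal-only zone, segments are 10.10.x.0/24 with
# 10.10.x.1 gateways, and 10.10.0.10 / 10.10.0.11 are the internal DNS servers.
# The original poster's global scope had option domain-name contoso.com next to
# ddns-domainname mydomain.contoso.com; here the two carry the same value and
# every segment inherits it from the global scope.

authoritative;
ddns-update-style standard;     # use "interim" on dhcpd releases before 4.3
ddns-updates on;
update-static-leases off;

# Option 15 and the DDNS domain: set both, set them to the same zone, and use a
# trailing dot on the ddns-domainname so dhcpd never appends anything further.
option domain-name "companyx.li";
ddns-domainname "companyx.li.";
ddns-rev-domainname "in-addr.arpa.";

# Option 119 (domain-search) is deliberately not set: clients should use FQDNs.
# If a search list is unavoidable, limit it to the single internal zone:
#   option domain-search "companyx.li";

option domain-name-servers 10.10.0.10, 10.10.0.11;
default-lease-time 28800;
max-lease-time 86400;

# TSIG key shared with the DNS server; generate it with tsig-keygen.
# The secret below is a placeholder, not real key material.
key dhcpupdate {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";
}

zone companyx.li. {
    primary 10.10.0.10;
    key dhcpupdate;
}

zone 10.10.in-addr.arpa. {
    primary 10.10.0.10;
    key dhcpupdate;
}

# Segments differ only by subnet, range and gateway; all domain settings are
# inherited, so there is nothing per-scope to drift out of sync.
subnet 10.10.1.0 netmask 255.255.255.0 {      # wired LAN
    range 10.10.1.100 10.10.1.250;
    option routers 10.10.1.1;
}

subnet 10.10.2.0 netmask 255.255.255.0 {      # corporate Wi-Fi
    range 10.10.2.100 10.10.2.250;
    option routers 10.10.2.1;
}

subnet 10.10.3.0 netmask 255.255.255.0 {      # guest / BYOD
    range 10.10.3.100 10.10.3.250;
    option routers 10.10.3.1;
    # add "ddns-updates off;" here if you decide not to register guest leases
}

subnet 10.10.4.0 netmask 255.255.255.0 {      # IoT
    range 10.10.4.100 10.10.4.250;
    option routers 10.10.4.1;
}
```

Validate the file before reloading with `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, which parses the configuration without starting the server. Whether guest and IoT leases register in the same zone is a policy choice rather than a security boundary, as the reply says; if you do want to withhold registration for a segment, `ddns-updates off;` inside that subnet scope is the knob, and the domain-name value handed to those clients stays unchanged.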