don’t use .local as an internal TLD

As this VMWare security advisory reminds us, buy a valid top level domain name for use as your internal DNS name resolution to avoid a future TLD being issued which might allow MITM or DNS poisoning attacks. Examples to definitely not use are .dev and .local which directly contradicts years of best practices. Although .localhost seems to still be OK

Via which links to . Note the VMWare advisory isn’t zero day technically but it was released today May 25 2016 if you are unsure of the relevance and ongoing threat.

So what is the best practice for internal network routing? Reasonably I suspect .priv .localhost and .local may be safe for a while but they are not best practice. From wikipedia:

We recommend that you register DNS names for the top-most internal and external DNS namespaces with an Internet registrar.

Major take away – subscribe or at least check the Internet Storm Center’s site on a regular basis.

Lastly note the anemic list of reserved TLDs from the RFC.


Note that none of those make sense to any experienced devops or a client. So you’d have to map them to a valid TLD regardless as a client can’t grok that .test will be remapped to .com on golive. Just one more thing about the Internet that is broken IMHO.