I'm a fan of pfSense. If you use it too, you may have noticed the recent change in the recommended local domain name from *.local to *.home.arpa; here is the relevant redmine entry. The topic has also been discussed here and there recently, which is a good thing.


Using domain names that are not under your direct control can have undesirable side effects. For this reason, many people advocate using only valid domain names under your own control, or alternatively .home.arpa. The options, in short:
  • .home.arpa
  • Domain controlled by you & non-transparent resolver
  • Domains not controlled by you
  • Domain controlled by you but transparent resolver
  • Random .xyz made-up domain name

In RFC 8375 you can read:
'home.arpa.' is designated for non-unique use in residential home networks. [...] Queries for names ending with '.home.arpa.' are of local significance within the scope of a homenet, meaning that identical queries will result in different results from one homenet to another. In other words, a name ending in '.home.arpa.' is not globally unique.
In a nutshell, all name resolutions for domains ending in .home.arpa are to be resolved locally only and treated as non-unique.
So, for your own home network, the easiest thing to do instead of using .lan, .home or .mynet is to set .home.arpa as the default domain. This has the positive effect that local DNS queries remain local and not every WPAD request needs to be sent to the upstream servers.

Why does the local domain name matter?

Each network has a so-called local domain, used for name resolution of your local hosts. If you run an Active Directory / Domain Controller, this is where your domain is set, and for normal setups those are FQDNs (Fully Qualified Domain Names) which are, at least for the domain itself, resolvable on the Internet. But if you run a network in a SOHO environment or at events / trade fairs, LAN parties... whatever, you mostly do not use an AD/DC for your network. In this case your router / DHCP server hands out a local domain name. My own DHCP/router configs in the past also used domains like .local, .home, .lan, .whatever...

It is important to note that the names of the local clients in the network, or special names such as WPAD for proxy auto-discovery, are resolved against the nameservers of the domain used. So a lookup for, e.g., client1.home would leave your local network for the Internet to maybe be resolved there.

What's the problem with .local, .lan, .home domains?

A decade ago this wasn't a huge problem. Most DNS resolvers only sent existing top-level domains to the root servers or upstream servers. But the available top-level domains on the market have changed a lot, and so has the behavior of many ISP DNS servers. They use a transparent DNS, which means unknown requests are forwarded to the upstream or root servers. Additionally, many previously non-existent domain names like .home became actual domain names. So if you use, for example, .home, all your local requests will be forwarded to the nameserver of that specific domain: client1.example.home will cause an NS lookup to the NS of the domain example.home. And even non-existent domains like .local will be sent to the root servers if the DNS is transparent.

Besides privacy issues, this is simply not acceptable behavior for a configuration, causing unnecessary overhead and thousands of unneeded lookups a day.

Application case

For small setups like home networks or small offices, you can definitely just use .home.arpa and not have to deal with it further.
The situation is somewhat different when you are working in larger setups and actually want to use DNS locally. Here it is recommended to use a dedicated domain for the purpose. But that alone is not sufficient: you have to decide whether you also control the nameserver or whether it is run by a third-party service provider.

Nothing is wrong with service providers. You just have to keep in mind that the external nameserver of the domain you are using receives the name resolutions, and with them you disclose the properties / clients / configuration of the local network. Or, if we ignore the privacy aspect: in the case of networks at large events (WiFi for 10k PAX), simply a whole lot of unnecessary requests are generated.

The easiest way with your own domain is to make sure that the local DNS resolver is configured to resolve the domain statically rather than transparently.
However, this is only an option if all locally used host names are also only defined / required locally. The case where non-local, public DNS entries under the same domain are used from the local network would be defeated by the static configuration and would no longer work properly.

For this scenario, it is best if your own external domain is also hosted on its own NS, to which in the best case only the corresponding local resolvers have access. This takes care of the privacy issue. The load issue can be addressed by using a negative cache with a low TTL, or by having DHCP register local hosts in the local DNS.
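To make the two resolver behaviours discussed above concrete, here is a small added example (not from the original post, pfSense or Unbound) that models a local zone the way Unbound's local-zone types transparent and static behave, and runs the post's scenarios through it: the leaking WPAD lookup under .home, the same lookup kept local under .home.arpa, and the caveat that a static zone breaks public names under your own domain. All host names and addresses are constructed.

```python
"""Toy resolver model for the post's scenarios (added example, not from the
post or from pfSense/Unbound). Follows Unbound's local-zone semantics:
  transparent: answer from local data if present, otherwise forward upstream
  static:      answer from local data if present, otherwise NXDOMAIN locally
All host names and addresses below are constructed."""

# Constructed local records the resolver itself is authoritative for.
LOCAL_DATA = {
    "client1.home.arpa.": "192.168.1.10",
    "printer.home.arpa.": "192.168.1.20",
}

def normalise(name: str) -> str:
    """Lower-case the name and give it a trailing dot (fully qualified)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def resolve(qname: str, zone: str, zone_type: str, local_data=LOCAL_DATA):
    """Return ("local", answer) or ("upstream", qname).

    "upstream" means the query leaves the LAN: the leak (and the wasted
    lookup) the post describes for .home/.lan/.local on a resolver that
    treats the local domain transparently.
    """
    qname, zone = normalise(qname), normalise(zone)
    if not in_zone(qname, zone):
        return ("upstream", qname)    # public names always go upstream
    if qname in local_data:
        return ("local", local_data[qname])
    if zone_type == "static":
        return ("local", "NXDOMAIN")  # unknown local name; nothing leaves
    if zone_type == "transparent":
        return ("upstream", qname)    # unknown local name falls through
    raise ValueError(f"unsupported zone type {zone_type!r}")

if __name__ == "__main__":
    cases = [
        ("wpad.home", "home", "transparent"),          # classic leak
        ("wpad.home.arpa", "home.arpa", "static"),     # stays local
        ("client1.home.arpa", "home.arpa", "static"),  # answered locally
        ("www.example.com", "example.com", "static"),  # post's caveat: breaks
    ]
    for qname, zone, zone_type in cases:
        print(f"{qname:20} {zone_type:11} -> {resolve(qname, zone, zone_type)}")
```

The last case is the situation from the paragraph above: www.example.com is hosted publicly, but with example.com configured as a static local zone and no local record for it, the resolver answers NXDOMAIN instead of asking upstream.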

