Top level domain/domain suffix for private network?

Do not use an invented TLD. If ICANN were to delegate it, you would be in big trouble. Same thing if you merge with another organization which happens to use the same dummy TLD. That's why globally unique domain names are preferred.

The standard, RFC 2606 reserves names for examples, documentation, testing, but nothing for general use, and for good reasons: today, it is so easy and cheap to get a real and unique domain name that there is no good reason to use a dummy one.

So, buy iamthebest.org and use it to name your devices.

Since the previous answers to this question were written, there have been a couple of RFCs that alter the guidance somewhat. RFC 6761 discusses special-use domain names without providing specific guidance for private networks. RFC 6762 still recommends not using unregistered TLDs, but also acknowledges that there are cases where it will be done anyway. Since the commonly used .local conflicts with Multicast DNS (the main topic of the RFC), Appendix G. Private DNS Namespaces recommends the following TLDs:

• intranet
• internal
• private
• corp
• home
• lan

IANA appears to recognize both RFCs but does not (currently) incorporate the names listed in Appendix G.

In other words: you shouldn't do it. But when you decide to do it anyway, use one of the above names.

Use a subdomain of your company's registered domain for internal machines whose names you do not want available on the Internet. (Then, of course, only host those names on your internal DNS servers.) Here are some examples for the fictitious Example Corporation.

Internet-facing servers:
www.example.com
mail.example.com
dns1.example.com

Internal machines:
dc1.corp.example.com
dns1.corp.example.com
client1.corp.example.com

I used "corp" to signify that this subdomain described machines on the internal corporate network, but you could use anything you want here, such as "internal": client1.internal.example.com.

Remember, too, that DNS zones and subdomains do not have to align with your network numbering scheme. My company, for example, has 37 locations, each with its own subnet, but all locations use the same (internal) domain name. Conversely, you could have only one or a few subnets, but many peer internal domains or levels of subdomains to help you organize your machines.

There's another advantage of using an internal subdomain: cleverly using search suffixes and only hostnames instead of FQDN, you can build configuration files that work both in development, QA and production.

For example, you always use "database = dbserv1" in your configuration file.

On the development server, you set the search suffix to "dev.example.com" => database server used: dbserv1.dev.example.com

On the QA server, you set the search suffix to "qa.example.com" => database server used: dbserv1.qa.example.com

And on the production server, you set the search suffix to "example.com" => database server used: dbserv1.example.com

That way, you can use the same settings in every environment.

As always there are de jure and de facto standards.

While "nonprofit" ICANN plays in politics and money we, common people, suffer. IETF once introduced .home (RFC 7788) for personal home intranets but they don't have power over only-for-pofit IANA players and reintroduced domain under .home.arpa (RFC 8375) as IETF controls only .arpa.

Appendix G of https://www.rfc-editor.org/rfc/rfc6762 mentions:

.intranet .internal .private .corp .home .lan

for use if you really want internal TLD.

Big players (Google, Amazon) use .internal for virtual intranets:

• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html - A private (internal) DNS hostname resolves to the private IPv4 address of the instance. The private DNS hostname takes the form ip-private-ipv4-address.ec2.internal for the us-east-1 Region, and ip-private-ipv4-address.region.compute.internal for other Regions (where private-ipv4-address is the reverse lookup IP address).
• https://cloud.google.com/compute/docs/internal-dns Zonal DNS [INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal for all organizations or standalone projects that have enabled the Compute Engine API after September 06, 2018.

Those companies can buy the Internet. So it is de facto safe to use .internal TLD internally ))

As already said, you should not use an unregistered TLD for your private network. Especially now that ICANN allows almost anybody to register new TLDs. You should then use a real domain name.

On the other side, the RFC 1918 is clear:

Indirect references to such addresses should be contained within the enterprise. Prominent examples of such references are DNS Resource Records and other information referring to internal private addresses.

So your name server should also use views to prevent the private records to be transmitted on the Internet.

We tend to consider no difference in the virtual naming of hosts from the physical - in fact, we've taken to abstracting the host configuration (software) from the physical layer.

So we purchase Hardware Items, and create Host Items on top of them (and use a simple relationship to show that in our documentation).

The purpose is that when a host exists, DNS shouldn't be the determining factor - as we've have machines move from one space to the next - for instance a low-performing webapp has no need to consume expensive CPU cycles - virtualize it, and it retains its naming scheme, everything continues to work.

An expired Internet Draft entitled Top-level Domains for Private Internets would have sanctioned the use of the 42 two-letter "user assigned code elements" as TLDs for private use.

• AA
• QM to QZ
• XA to XZ
• ZZ

So we could have used

• aaaaaa.aaaaaaaaaa.aa
• gg.qq
• tired.zz
• windows.xp

and so on.

While this draft has expired, and therefore won't become a proposed standard, at IETF-111 the dnsop group had an update on the proposal: minutes video slides1 slides2

The update ends with (emphasis my own):

Change the approach of the draft as follows:

• Recognize that User Assigned 3166 code elements are used in various ways, including private networks
• Recognize that these elements have not been delegated and are known to be used by some people to anchor private namespaces
• Do not recommend anything, do not reserve anything, no registries
• Do not promote any particular interpretation of the current standards
• Document potential future pitfalls for using these codes for private namespaces
• Empower readers to make their own decisions

So, reading between the lines, and in the spirit of permissionless innovation...

But seriously, watch the video or at least read the minutes before using any of these!

The real answer according to the IETF spec is:

.localhost
.test
.example
.invalid

I'm surprised at all the aggro answers, when real specific guidance has been there since 1999.

I cannot say if this will always bypass HSTS. That may still be an open issue.

I'm not sure this will help you, but for internal DNS inside my AWS account, I use .aws as the tld, and it seems to work perfectly fine.

I know there are some TLDs you should just flat out not use, but other than those, I don't think it's too strict.

I worked at a few larger companies, where they would use the authentication source as the TLD, meaning if it was a MS/Windows server, using Active Directory as the auth source, it would be .ad, and some others would be .ldap (Why they weren't just using the same source? or servers replicating from the same directory service? I don't know, it was like that when I got there)

Good luck