The organization that governs domain names on the internet, ICANN (Internet Corporation for Assigned Names and Numbers), is proposing a new type of top-level domain (TLD) specifically designed for internal use within organizations. Unlike the familiar .com or .org suffixes, this new TLD, called “.INTERNAL,” would never be resolvable from the public internet, similar to how private IP addresses (like 192.168.x.x) function. It is designed to streamline internal network management and enhance security.
The need for a dedicated Top Level Domain for internal networks
This proposal stems from concerns raised in 2020 by ICANN’s security committee, the SSAC (Security and Stability Advisory Committee). They noted that companies and device manufacturers often create their own unofficial domain extensions (like .local or .internal) for internal use. These unofficial extensions aren’t recognized by the main internet domain system (DNS), which can cause problems. For instance, DNS servers waste resources processing requests for these internal domains, even though they can’t be accessed from the public internet.
To address this issue, the SSAC recommended creating an official, reserved domain specifically for internal use. ICANN explored various options and conducted a consultation process. They considered 35 potential domain names, checking for existing use, potential confusion with existing domains, length, memorability, and meaningfulness across six languages. Many options were discarded because they didn’t clearly indicate their purpose for internal use.
After extensive evaluation, ICANN narrowed the choices down to two finalists: “.PRIVATE” and “.INTERNAL.” After further consideration, ICANN decided that .internal would be the best TLD to continue with.
The impact of .internal for TLS / SSL
It is common practice for many organizations to have separate operational and infrastructure domains to run internal back office, administration, Active Directory, and tooling workloads. Some organizations then create both private and publicly resolvable addresses for internal infrastructure. When private addresses are publicly resolvable, this can expose the organization to security vulnerabilities such as DNS poisoning, among others. Having a dedicated TLD for internal networks can help strengthen security across an organization.
One of the challenges with a dedicated internal TLD is that many organizations have publicly trusted certificates on network devices and other internal systems that they might be running. Let’s Encrypt has made it easy to get publicly trusted certificates at no cost, which enables organizations to put these certificates on their internal systems and get the benefit of TLS / HTTPS. However, if an organization uses .internal on its network, which will become private under ICANN’s proposal, any domain under this TLD will be unable to obtain publicly trusted certificates, because public CAs only issue for names that are publicly resolvable. One of the drawbacks of using publicly trusted certificates is that all such certificates are recorded in the Certificate Transparency logs. If an attacker knows the internal operational domains of an organization, they may be able to use OSINT capabilities to determine what tooling, services and infrastructure devices an organization may be using.
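To make the two certificate consequences above concrete, here is an added example (not part of the original post) that audits a constructed certificate inventory: it flags names under .internal or other reserved TLDs that still rely on a publicly trusted CA, and flags back-office hosts under public domains whose hostnames are therefore visible in Certificate Transparency. The list of reserved TLDs, the role labels and the sample hosts are assumptions chosen for illustration.

```python
"""Audit a certificate inventory against the .INTERNAL proposal (added example)."""
from dataclasses import dataclass

# Publicly trusted CAs will not issue for these TLDs: the RFC 6761 special-use
# names plus ".internal", which ICANN proposes to reserve the same way.
RESERVED_TLDS = frozenset({"internal", "local", "localhost", "test", "example", "invalid"})

# Constructed list of first labels that usually denote back-office systems.
INTERNAL_ROLE_LABELS = frozenset({"ad", "admin", "mgmt", "vpn", "jenkins", "git"})


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str   # "error": renewal will fail; "warning": hostname is CT-logged
    message: str


def tld_of(hostname: str) -> str:
    """Return the last DNS label, ignoring case and a trailing dot."""
    return hostname.strip().rstrip(".").lower().rsplit(".", 1)[-1]


def audit_inventory(inventory):
    """inventory: iterable of (hostname, issuer), issuer is "public" or "private"."""
    findings = []
    for hostname, issuer in inventory:
        name = hostname.strip().rstrip(".").lower()
        if issuer == "public" and tld_of(name) in RESERVED_TLDS:
            findings.append(Finding(name, "error",
                f".{tld_of(name)} is not publicly resolvable; move to an internal CA"))
        elif issuer == "public" and name.split(".")[0] in INTERNAL_ROLE_LABELS:
            findings.append(Finding(name, "warning",
                "internal system with a CT-logged public certificate; consider .internal"))
    return findings


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("www.example.com", "public"),
    ("ad.example.com", "public"),
    ("git.corp.internal", "public"),
    ("mgmt.corp.internal", "private"),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.severity:7} {f.hostname}: {f.message}")
```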
The TLD proposal for .INTERNAL is a significant step towards a standard that will increase network security if adopted properly. However, I believe that adoption may take time and will be limited, as many services, devices and software will need to support this new configuration. Once adoption starts, time will tell if it will be successful and if the wider industry will adopt and support it.