Thomas De Reyck's Blog

A Domain Name for Private Use

A long time ago I had the idea to set up my own internal top-level domain (TLD) name. Most devices in my network got a name assigned in this domain, called .nexus. This worked great for a few years, but some time ago I suddenly ran into some issues. Some of my devices that only offered HTTP connections were suddenly “not secure” anymore, and my browser did not show the usual button to make an exception.

After some research, it appeared Google was the culprit. In 2014 they had created a public “brand top-level domain” which was also called .nexus, as it was the brand name of their smartphone line-up at the time. If you ask me, such brand-based TLDs are just silly, but apparently they make a lot of money for ICANN, so there’s that…

In any case, Google had also set up preloaded HTTP Strict Transport Security (HSTS) for their domain, which other browsers honor as well, causing my HTTP issues.

This posed an interesting conundrum: what domain could I use as a private TLD that would not be snatched out from under me? One option would be to purchase a domain name, and simply use that internally. However, if you also have IoT infrastructure in your house, that’s somewhat of an awkward dependency. Especially if you’d ever want to sell your house at some point. Do you need to sell the domain to the new owners? Or just let it expire and have them handle the fallout themselves?

Luckily, the smart people of the IETF found a way out of this situation by reserving a domain name for exactly this use case: .home.arpa. You can somewhat consider it the DNS counterpart of private IP ranges. So, nowadays, I’m using .nexus.home.arpa for my internal domain. It’s a bit longer, but at least no one will be able to pull the carpet out from under me this time.
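To make the failure mode concrete, here is an added example (not code from the post) that checks a candidate internal name the way a browser would: names under the reserved .home.arpa suffix pass, names under a TLD with a preloaded force-https entry get flagged. The preload excerpt is a constructed sample in the shape of Chromium's preload list, with a .nexus entry mirroring the situation described above; it is not a copy of the real list.

```python
import json

# Constructed excerpt shaped like Chromium's transport_security_state_static.json.
# The .nexus entry is a sample standing in for the brand TLD's preload entry.
PRELOAD_SAMPLE = json.loads("""
{"entries": [
  {"name": "nexus", "policy": "public-suffix", "mode": "force-https", "include_subdomains": true},
  {"name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": false}
]}
""")

# Reserved by RFC 8375 for residential networks; never delegated publicly.
PRIVATE_USE_SUFFIX = "home.arpa"


def hsts_preload_entry(host, entries):
    """Return the preload entry that applies to host, mimicking browser matching:
    an exact name always matches; a parent domain only if include_subdomains is set."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the bare TLD so the most specific entry wins.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for entry in entries:
            if entry["name"] != candidate:
                continue
            if i == 0 or entry.get("include_subdomains", False):
                return entry
    return None


def classify_internal_name(host, entries=PRELOAD_SAMPLE["entries"]):
    """Classify a name chosen for a private network.

    'private-use'      -> under .home.arpa, safe from future delegation
    'hsts-preloaded'   -> plain HTTP will be refused by preload-aware browsers
    'unreserved'       -> works today, but a registry could delegate it later
    """
    h = host.lower().rstrip(".")
    if h == PRIVATE_USE_SUFFIX or h.endswith("." + PRIVATE_USE_SUFFIX):
        return "private-use"
    entry = hsts_preload_entry(h, entries)
    if entry is not None and entry["mode"] == "force-https":
        return "hsts-preloaded"
    return "unreserved"


if __name__ == "__main__":
    for name in ("printer.nexus", "printer.nexus.home.arpa", "printer.lan"):
        print(name, "->", classify_internal_name(name))
```

Note that "unreserved" only means no preload entry matched in the sample; it says nothing about whether the TLD is or will be delegated, which is the whole reason the post settles on .home.arpa.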

#dns