System Domain Concepts

Introduction

In this document we explain some important system domain concepts. This document was last updated on 20 Aug 2018.

Features making use of the System Domain

  • Computers: For each registered computer, an A record is automatically added to the internal DNS zone of the system domain. This feature cannot be disabled. You can use a third-party DNS server, but these records are created nonetheless.

  • Reserved DNS names: Some DNS names are reserved by and for the appliance, e.g. wpad, tool, login, logout, the hostname configured for the appliance, the Intranet and Extranet services. Use DNS forwarding if these names should not be resolved by AXS Guard.

  • Automatic Proxy Detection (WPAD): For clients in a different domain than the system domain, two actions are required for automatic proxy detection to work. In the forward DNS zone of the clients, an A record or CNAME record must be created so the correct WPAD IP address is returned. Additionally, proxy URL substitution must be configured on the AXS Guard appliance.

  • Email: The system domain is used by default for automated notifications. You can override this behavior and specify a mail domain via System > General.

  • Reverse Proxy: Reverse proxy entries can be configured for specific hostnames. The system domain is automatically assumed, unless a period is added to the hostname entry.

System > General

Choosing a System Domain

If you don’t use any of the features listed in the previous section, you can choose any system domain.

Experts recommend using a second or third-level domain that is resolvable via the Internet. Avoid .local, .lan, .internal and similar TLDs that cannot be resolved on the Internet.

Use a domain name that you own and manage yourself, so you don’t have to rely on third parties for administration. This also prevents abuse and protects against domain hijacking.

If you are using any of the aforementioned features:

Computer accounts and reserved DNS names are always created automatically. This behavior cannot be disabled. If there are systems on the Internet which happen to have the same name as systems in your secure network and you use the AXS Guard appliance as your internal DNS server and/or proxy server, you can do any of the following:

  • Choose separate names for your system domain and public domain. For example, if your public domain is yourdomain.com, you could use internal.yourdomain.com or yourdomain.net as your system domain.

  • Create dedicated computer accounts for public systems, using their public IP address.

  • Configure DNS forwarding so the IP addresses for the corresponding public systems are resolved by a different DNS server, e.g. a public DNS server.
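
The name collision described above can be checked before you settle on a system domain. The following is an added example, not AXS Guard code: it lists the public names that would get a different answer from the internal zone. The function names, the appliance hostname "axsguard", the sample zone and all IP addresses are constructed assumptions; only the reserved names wpad, tool, login and logout come from this document.

```python
# Added example, not AXS Guard code: which public names would the appliance's
# internal zone shadow for LAN clients? All data below is constructed.
RESERVED = {"wpad", "tool", "login", "logout"}  # reserved names listed on this page

def fqdn(name, domain):
    """Lowercase FQDN without trailing dot; short names get the domain appended."""
    name, domain = name.strip().lower().rstrip("."), domain.strip().lower().rstrip(".")
    if name == domain or name.endswith("." + domain):
        return name
    return f"{name}.{domain}"

def shadowed_names(system_domain, public_records, computers, appliance_hostname):
    """Return {fqdn: (public_ip, internal_answer)} for every public name that the
    internal zone answers differently. Names whose computer account already uses
    the public IP (the second option above) are not reported."""
    internal = {fqdn(label, system_domain): "reserved"
                for label in RESERVED | {appliance_hostname}}
    for name, ip in computers.items():          # automatic A records
        internal[fqdn(name, system_domain)] = ip
    hits = {}
    for name, public_ip in public_records.items():
        key = name.strip().lower().rstrip(".")
        answer = internal.get(key)
        if answer is not None and answer != public_ip:
            hits[key] = (public_ip, answer)
    return hits

# Constructed sample data (documentation address ranges).
PUBLIC_ZONE = {
    "www.yourdomain.com": "203.0.113.10",
    "login.yourdomain.com": "203.0.113.20",
    "mail.yourdomain.com": "203.0.113.30",
    "shop.yourdomain.com": "203.0.113.40",
}
COMPUTERS = {"mail": "10.0.0.25", "shop": "203.0.113.40"}  # registered computers

if __name__ == "__main__":
    for domain in ("yourdomain.com", "internal.yourdomain.com"):
        print(domain, shadowed_names(domain, PUBLIC_ZONE, COMPUTERS, "axsguard"))
```

Each name reported for a candidate system domain needs either DNS forwarding or a dedicated computer account; a separate system domain such as internal.yourdomain.com reports none for this sample.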

When you use automatic proxy detection, it is easier and faster to use the same domain name as your clients, but this is not a requirement.

Since you can configure a dedicated mail domain, your system domain name choice has no impact on your email functionality.

However, we do recommend choosing a domain name with an SPF record, so SPF-protected mail exchangers will accept mails sent by the appliance.