Real domain useful for installation?


I will be rebuilding my UCS network in the foreseeable future.

So far I have used a fancy domain like intern.lan, etc. for the installation of the master.

This makes it difficult or costly in some cases to use local services such as Jitsi, Rocketchat, etc. from outside.

Is it advisable to do the UCS installation with a real domain like or to create a subdomain externally like and use that for the UCS installation?

with best

create a subdomain externally like and use that for the UCS installation?

I do it like that and I can remember threads here discussing that. Also the reason why the external domain isn’t a good choice in most cases.

Best, Bernd

Do I understand you correctly? You choose a created subdomain (of your real external one) during the installation. But it is not a good idea?

I am a little confused right now.

Hi @pixel

I use the subdomain.
I thought of this thread: Welcher Domänenname? - #2 by Grandjean.

Best, Bernd

OK, now there is clarity.

Additionally, check this:

Thanks for the tip. The certificates are not the problem for me. The HA proxy on the pfSense accepts the requests and provides the appropriate LE certificate for the requested subdomain.


I have read the article. One question arises for me.

I have installed the UCS with the subdomain ‘internal’ under my real domain ‘’. The UCS DNS is now responsible for ‘’. The external server for ‘’.

I install my UCS nodes as ‘’, for example. On the external DNS, I create the subdomain ‘’ for this host and set a corresponding record.

Can I now create an alias on the UCS DNS?

so that it can also be directly addressed internally? I always thought that an alias must not be ‘higher’ in the hierarchy than the domain for which the DNS is responsible. So ‘‘’’


Just a simple thing: as soon as you use SSL/HTTPS or similar you can not get what you want. Certificates are bound to hostnames. Trying to access the internal server with its external hostname will cause certificate issues (name mismatch). No matter if you use internal certificates or “official” ones. They will always match only one hostname.

Ignoring (or working around with some sort of proxy) certificate issues, you can generate “overwrites”. As far as I remember they are called “RPZ” entries in DNS, with which you will be able to overwrite public entries with your desired ones. Take a look here.
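An added example of the RPZ override mentioned above, for a BIND 9 server; it is not from this thread or from Univention. The policy zone name rpz.local, the hostname chat.example.com, the address 10.0.0.5 and the file paths (generic Debian BIND locations) are placeholders; check how your UCS manages named.conf before editing it by hand.

```conf
// named.conf.options (constructed example): enable the response policy zone
options {
    response-policy { zone "rpz.local"; };
};

// named.conf.local (constructed example): define the policy zone itself
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
};

; /etc/bind/db.rpz.local (constructed example)
; A QNAME trigger with "local data": queries for chat.example.com get the
; internal address from this zone instead of what the public DNS returns.
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
                    IN NS   localhost.
chat.example.com    IN A    10.0.0.5
```

The override only changes name resolution; the service at 10.0.0.5 must still present a certificate valid for chat.example.com, which is what the HA proxy setup described in this thread provides.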

Ok, then I’ll continue to use the HA proxy. It also listens on the internal interface of the pfSense and delivers the correct certificates. I just thought I could leave that out.