So what internal top level domain do you use?
When creating an Intranet there's always a point at which you feel you have too many IPs listed to not have a DNS system. So you resolve to do the right thing and create a DNS zone with them in. But what should the TLD be of your Intranet's nodes? For IPv4, nobody outside your network will need those domains. For IPv6... it's a little more complicated, but you'll probably want only a handful of boxes to have externally resolvable domain names anyway. The handful of machines outside of your intranet that actually need access to the ones that aren't externally resolvable can probably be configured to look at your DNS server anyway.
I once used .link, because I'd read that .link was in a proposed IETF doc for things like routers. But that doc was never blessed, and .link became an official TLD with purchasable subdomains in the 2010s.
The IETF's official advice is something like “Use a real domain you bought, knock it off with these non-routable ones you idiot, but if you must, use ‘.intranet’, ‘.internal’, ‘.private’, ‘.corp’, ‘.home’, or ‘.lan’” (RFC 6762) which, OK, but it makes a point that this is simply what people were doing at the time, not a recommendation. In other words, when EvilRegistry asks for “.home”, ICANN will give it to them – that RFC does not forbid it – and then name clashes are inevitable.
The real-domain option requires you to either buy a new domain (boo!) or create a subdomain of one you own. Which is fine... if you want to refer to computers on your network as “server78.lan.poundquerydotinfo.name”.
I see one other option not mentioned anywhere, which is to use a TLD that ICANN will absolutely never probably perhaps not allow to be registered. Maybe a single-letter TLD? I think Musk is trying to get “.x”, and if he succeeds then we're screwed. But in theory, at least, only three-or-more-letter gTLDs have ever been allowed. Another might be a two-character domain for a country that doesn't exist (.xx?). All two-letter TLDs are reserved for countries, right? Or two-character? Add a digit to a single letter (.g0, .h1) and I assume the chances of these ever existing are low.
Now at this point there are some counter-arguments to not following the IETF's advice. One is “ICANN might actually allocate the TLD you're using to a registrar, and then someone will register ‘socialnetwork.g0’, and it'll become the most popular website on the planet, and you won't be able to reach it!”, which I just kind of mentioned, but I guess a lot of it is “How much notice will I get if I actually go with ‘.g0’ as an internal TLD and ICANN decides to sell it to a registrar?”
Chances are something that changes the policy (all gTLDs must have three characters or more) would generate quite a bit of debate, and you'd hear about it and have plenty of time to change over. And if you pick a suitably ugly one then hopefully it'll never happen even if ICANN changes the policy.
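One way to actually get that notice, as an added example (not code from the original post): parse the published root zone and alert when a candidate label gains a delegation. The zone excerpt, the registry name server and the risk wording are constructed for illustration; the real file is at the URL in the docstring.

```python
"""Watch for a private-use TLD appearing in the public DNS root.

Added example, not from the original post. It parses records in the text format
IANA publishes for the root zone (https://www.internic.net/domain/root.zone) and
reports whether a candidate TLD is delegated, plus the post's rule-of-thumb risk
for its shape. The excerpt below is constructed; fetch the real file on a schedule.
"""
import re

# Constructed excerpt in root.zone format: owner TTL class type rdata.
SAMPLE_ROOT_ZONE = """\
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2024010100 1800 900 604800 86400
com.\t172800\tIN\tNS\ta.gtld-servers.net.
link.\t172800\tIN\tNS\tns1.example-registry.invalid.
uk.\t172800\tIN\tNS\tdns1.nic.uk.
a.gtld-servers.net.\t172800\tIN\tA\t192.0.2.5
"""

RFC6762_NAMES = {"intranet", "internal", "private", "corp", "home", "lan"}
DELEGATION = re.compile(r"^(\S+)\s+\d+\s+IN\s+(?:NS|DS)\s+", re.IGNORECASE)

def delegated_tlds(zone_text):
    """Labels with an NS or DS record directly under the root, i.e. the TLDs that
    have actually been handed out. Glue (multi-label owners) and the apex are skipped."""
    tlds = set()
    for line in zone_text.splitlines():
        m = DELEGATION.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            if owner and "." not in owner:
                tlds.add(owner)
    return tlds

def shape_risk(tld):
    """The post's reasoning about how likely a label is to be sold to a registrar."""
    t = tld.lower()
    if t in RFC6762_NAMES:
        return "listed in RFC 6762 Appendix G but not reserved: could be sold"
    if len(t) >= 3 and t.isalpha():
        return "gTLD-shaped (three or more letters): could be sold"
    if len(t) == 2 and t.isalpha():
        return "two letters: country-code space (ISO 3166-1), not a gTLD, but a new country could get it"
    if len(t) == 1 and t.isalpha():
        return "single letter: no TLD of this shape has been delegated so far"
    return "letter plus digit or other odd label: fits neither the ccTLD nor the gTLD shape"

def check(tld, zone_text=SAMPLE_ROOT_ZONE):
    """Delegation status (the thing to alert on) and the shape risk for one candidate."""
    t = tld.lstrip(".").lower()
    return {"tld": t, "delegated": t in delegated_tlds(zone_text), "risk": shape_risk(t)}
```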
Another is “What about Let's Encrypt?” That's actually a tougher one than you think. Suppose you want an Intranet web server to have SSL – maybe it's your webmail or something. There are basically four options: (1) forget having a non-standard TLD; (2) install a CA cert on every PC for your own private CA and... urgh, no, you know you won't do that, I won't either; (3) just ignore the warning from Firefox; and (4) use a different domain for the Intranet service – not the server, the service. If you have a real domain as well, say poundquerydotinfo.name as mentioned earlier, just create a DNS record like “www-intranet” => server78.g0. Then get a cert for that name using DNS validation, and it should now be viable and work well. You'll have to access the server at www-intranet.poundquerydotinfo.name, but that should be easy enough.
Let's go back, though, to using a real domain for the whole thing, e.g. “.lan.poundquerydotinfo.name”. Maybe that could work? The IETF recommends it. But why, if it's so clumsy?
Well, as many point out, you can make it less clumsy by setting “lan.poundquerydotinfo.name” as your DNS search suffix. But the problem there is that you still need many of the hacks above. For example, if you type:
into your browser, it'll correctly find the IP for www-intranet.lan.p... etc. and connect to it, but your browser will immediately see that the server doesn't have a suitable certificate, because it will look for one that's for just “www-intranet”, which you can't get from... anywhere other than perhaps a custom CA. So the certificate issues aren't really any different with .g0 or a real domain: you still have the same problem, will still need to set up some DNS-based certificate configuration with Let's Encrypt, and will probably want to omit the “.lan.” part of the domain too so it's not unnecessarily long.
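The two checks described above, resolution with a search suffix and certificate name matching, as an added example covering both option (4) from the Let's Encrypt discussion and the search-suffix point (not code from the original post). The ZONE entries, CERT_SANS and the 10.0.0.78 address are constructed; the CNAME from the public name to server78.g0 is the record the post suggests.

```python
"""Why a DNS search suffix does not fix the certificate problem.

Added example, not code from the original post. It models the two separate checks a
browser performs: name resolution, which applies the search suffix, and TLS hostname
verification, which uses exactly what was typed. Zone data and addresses are constructed.
"""

# Constructed internal-resolver view: the public name from the post is a CNAME to the
# .g0 box, the search-suffix alias likewise, and the .g0 box has a private address.
ZONE = {
    "www-intranet.poundquerydotinfo.name": ("CNAME", "server78.g0"),
    "www-intranet.lan.poundquerydotinfo.name": ("CNAME", "server78.g0"),
    "server78.g0": ("A", "10.0.0.78"),
}
SEARCH_SUFFIX = "lan.poundquerydotinfo.name"
# What Let's Encrypt would issue for the public name after a DNS-01 challenge.
CERT_SANS = ["www-intranet.poundquerydotinfo.name"]

def resolve(name, zone=ZONE, search_suffix=SEARCH_SUFFIX):
    """Stub-resolver behaviour: try the name as typed, then with the search suffix
    appended, following CNAME chains (bounded so a loop cannot hang us)."""
    for candidate in (name, f"{name}.{search_suffix}"):
        cur = candidate.lower().rstrip(".")
        for _ in range(8):
            rr = zone.get(cur)
            if rr is None:
                break
            if rr[0] == "A":
                return rr[1]
            cur = rr[1]  # CNAME target: keep following
    return None

def cert_matches(typed_host, sans):
    """RFC 6125-style match: exact, or a wildcard covering only the leftmost label."""
    host = typed_host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def browser_would_accept(typed_host):
    """Both checks must pass; the search suffix only helps with the first."""
    return resolve(typed_host) is not None and cert_matches(typed_host, CERT_SANS)
```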
TL;DR – It is probably safe to use a TLD that's one or two letters, ideally with a digit in it (e.g. “.a1”). Be prepared to point a real domain at internal machines with that TLD if they provide services that require an SSL certificate.
Anyway, those are my thoughts. Please tag @poundquerydotinfo@forum.virctuary.com if you have any related thoughts.