
I've got a number of containers running different things internally (test blogs, todo lists, etc)
Some of them I want exposed to the world. Some I want accessible from inside my network (house) or over the VPN.

What's the easiest way to set up locally resolvable names that only work internally?

And what names are safe to use.
Blah.home?
blah.lab?
blah.myhouse?

I've lost track but I think .local and .lan aren't safe to use anymore?

@peroty I imagine you would have different network interfaces that represent different networks on a machine. Each interface would have its own IP address. What you could do with that is set up a home DNS server on this machine and have your router consult this DNS server instead of the ISP's one. This way only the devices connected to your local network would be able to resolve custom domain names like walters.lab and be redirected to your home server.

@peroty any domain name pointing to a private IP address space is relatively safe (considering you're not exposing the IP to the outside world by port forwarding, etc.)
en.m.wikipedia.org/wiki/Privat

@peroty Take a look at Traefik (traefik.io).
It allows you to define routes to containers, add authentication, limit access to certain IP addresses, etc.

@ardmore I've got nginx set up as a reverse proxy to my containers already. I've read that Traefik makes that easier. Maybe I'll look into that instead of nginx.

@peroty since you are concerned about security you might also be interested in the zero-configuration network topic: en.m.wikipedia.org/wiki/Zero-c

@peroty I use .local for internal servers and it seems to work okay.

@jamie @peroty .local is de facto reserved for Apple's implementation of zeroconf, Bonjour. Bonjour will likely be confused and broken if you use .local for your hostnames.

Some invalid TLDs, like .lan, *can* be used (I think there's a recommended list out there). If you are self-hosting stuff, you probably own a domain name, so you might as well use it for this.

@bhart @peroty Wow. This is a whole rabbit-hole.

.home.arpa has been proposed as one solution: https://tools.ietf.org/html/rfc8375

There is also this from 2013, but not sure if it is still valid: https://tools.ietf.org/html/rfc6762#appendix-G

Everyone agrees that .local shouldn’t be used though - so I guess I should rename my hosts at some point.

@jamie @bhart Welcome to my problem. lol
I have a FQDN for my homelab. And everything pointed to an nginx reverse proxy to make it to the outside world. I'm not sure how I can take sub.fqdn.tld and make it resolve internally without going external.
Probably something in the nginx proxy but I haven't figured that out yet. Or know what term to search for.

I'm very much mucking about trying to teach myself with varying levels of success.

@peroty @jamie Oh gotcha. The term you're looking for is split horizon DNS: en.wikipedia.org/wiki/Split-ho

Basically, you need a DNS resolver inside your lan which replies with internal addresses. If you host your own DNS for external queries (unlikely), then you would need to set up your DNS server to respond differently based on where the request comes from.

How to do the above depends greatly on what you are running for network gear.

@peroty @jamie If you are running a consumer router (Linksys, Asus, etc.), it might be easiest to spin up a Pi-hole and let it manage your DNS (and DHCP, so that it can handle registering clients in DNS).

If you have something like pfSense, MikroTik, SonicWall, UniFi, etc., the functionality is built in; it's just a matter of figuring out the setup.

Anyway, there were lots of videos and websites when I searched, so there's lots of help out there.

@bhart @jamie Just a fancy TP-Link router. (Haven't gotten sign-off from the wife to change routers.)

I had a Pi-hole running previously until the SD card died. Maybe it's time to add that to the Proxmox box and set up DNS using that. Hmm.

@peroty Technically you shouldn't use an invalid TLD. Best way to go is <host>.lan.example.com with a valid domain which you own. You can replace 'lan' with a location name to identify the lan, such as the city, datacenter, or even 'home'.

With this method, you can perform split DNS and if you ever need to, you can make a service routable from outside using the same name. There's other benefits too.
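As an added illustration (not code from this thread, Pi-hole, or any router) of the split-horizon rule @bhart describes, and of the &lt;host&gt;.lan.example.com scheme in the post above: a resolver that hands RFC 1918 and VPN clients the LAN address of the reverse proxy, gives everyone else the public address, and answers NXDOMAIN for services that are internal only. The hostnames, addresses and the VPN subnet are constructed values; the `.local` refusal follows RFC 6762, which reserves that name for mDNS.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Clients from these ranges get the internal answer: RFC 1918 space plus the
# VPN tunnel subnet (constructed example value, adjust to your tunnel).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.8.0.0/24"),  # constructed: VPN clients
]

# Constructed zone under a domain the operator owns, as the thread recommends:
# hostname -> (internal answer, external answer). External None = LAN/VPN only.
ZONE: Dict[str, Tuple[str, Optional[str]]] = {
    "blog.home.example.com": ("192.168.1.20", "203.0.113.10"),  # published via nginx
    "todo.home.example.com": ("192.168.1.20", None),            # internal only
}


def is_internal_client(client_ip: str) -> bool:
    """True if the query source sits on the LAN or the VPN."""
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in INTERNAL_NETWORKS)


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Return the A record a split-horizon resolver would give client_ip.

    Internal clients always get the LAN address of the reverse proxy, so
    sub.fqdn.tld never hairpins out through the router. Everyone else gets
    the public address, or None (NXDOMAIN) for services not meant to be exposed.
    Names under .local are never served: that label belongs to mDNS (RFC 6762).
    """
    name = name.rstrip(".").lower()
    if name.endswith(".local") or name not in ZONE:
        return None
    internal, external = ZONE[name]
    return internal if is_internal_client(client_ip) else external


if __name__ == "__main__":
    for qname, src in [("blog.home.example.com", "192.168.1.50"),
                       ("blog.home.example.com", "198.51.100.7"),
                       ("todo.home.example.com", "198.51.100.7"),
                       ("todo.home.example.com", "10.8.0.7")]:
        print(f"{qname} from {src} -> {resolve(qname, src)}")
```

In practice this decision lives in your resolver's config (a Pi-hole/dnsmasq local record or a pfSense host override) rather than in Python; the point is that the answer depends on where the query comes from.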

Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.