Perhaps this is a weird question I have, but I’ve been watching some technotim videos lately and he seems to have local dns addresses for local services. Perhaps I’ve got this wrong, but if not: how would you go over doing this?
I have a pterodactyl dashboard, which I access locally using the machines IP and the port, but it would be great to have a pterodactyl.example.com domain, which isn’t accessible from other networks, but does work on my own network. I also still want some services exposed to the internet, so I’m not sure if this would work.
You must log in or register to comment.
Ive got this working with Caddy and Adguard
I use Caddy as my reverse proxy. It is running on the machine in the basement with all the different docker-container-services on different ports. My registrar is set up so that *.my-domain.com goes to my IP.
Caddy is then configured for ‘service-a.my-domain.com’ to port 1234, and the others going to their ports. This is just completely standard reverse proxy.
For some subdomains (i.e. different services) ive whitelisted only the local network. There is some config for that.
Im pretty sure that I also have to have adguard do a dns rewrite on the local network as well. That is, adguard has a rewrite for ‘*.my-domain.com’ to go to 192.168.0.22 (the local machine with caddy). I think i had to do this to ensure that when the request gets to caddy it is coming from the local whitelisted network rather than my public IP (which changes every couple months, but could be more).
DNS? Why so complicated? Just edit your hosts file 😏
This is the correct answer.
Edit /etc/hosts and add
127.0.0.1 example.comso when you type example.com into the address bar it goes to 127.0.0.1.
People already talked about hosting your own DNS, let me add that a reverse proxy would be used for something like mapping myhome.local:8000 to myhome.local/jellyfin.
Generally speaking, a subdomain like
jellyfin.myhome.comwill work out much better than a subpath likemyhome.com/jellyfin.Very few web apps can deal well (or at all) with being used under a subpath.
Using reverse proxies is common enough now that quite a few apps can deal with subpaths, and for the ones that can’t you can generally get nginx to rewrite the paths for you to make things work.
Alright, have fun with that. 🙂
One thing to be careful of that I don’t see mentioned is you need to setup ACLs for any local-only services that are accessible via a web server that’s public.
If you’re using the standard name-based hosting in say, nginx, and set up two domains publicsite.mydomain.com and secret.local.mydomain.com, anyone who figures out what the name of your private site is can simply use curl with a Host: header and request the internal one if you haven’t put up some ACLs to prevent it from being accessed.
You’d want to use an allow/deny configuration to limit the blowback, something like
allow internal.ip.block.here/24; deny all;
in your server block so that local clients can request it, but everyone else gets told to fuck off.
Or just point secret.local.mydomain.com to the LAN IP of the server.
That’s the gotcha that can bite you: if you’re sharing internal and external sites via a split horizon nginx config, and it’s accessible over the public internet, then the actual IP defined in DNS doesn’t actually matter.
If the attacker can determine that secret.local.mydomain.com is a valid server name, they can request it from nginx even if it’s got internal-only dns by including the header of that domain in their request, as an example, in curl like thus:
curl --header 'Host: secret.local.mydomain.com' https://your.public.ip.here -kAdmittedly this requires some recon which means 99.999% of attackers are never even going to get remotely close to doing this, but it’s an edge case that’s easy to work against by ACLs, and you probably should when doing split horizon configurations.
But the attacker should know the internal and the external DNS. If the internal DNS doesn’t have any SSL certificate on its name, it’s impossible to discover.
By the way, I always suggest to reach services through VPN and use something like Cloudflare tunnel for services that must be public.
P.s. Shouldn’t public and private DNS be inverted in your curl example?
You can just point your domain at your local IP, e.g. 192.168.0.100
Yup, I have a domain I purchased and on my lan I use PiHole and Caddy. All my apps and services use the format app.mydomain.com. PiHole forwards all requests for *.mydomain.com to Caddy, which handles the LE certificate (via DNS challenge) and forwards the requests to the proper IP:PORT. I started using this for everything, my Proxmox hosts, printer, my APs…
Simplest is use /etc/hosts to set up names, if there are just a few.
Run your own DNS server on your network, such as Unbound or pihole. Setup the overrides so that domain.example.lan resolves to a local IP. Set your upstream DNS to something like 1.1.1.1 to resolve everything else. Set your DHCP to give out the IP of the DNS server so clients will use it
You don’t need to add block lists if you don’t want.
You can also run a reverse proxy on your lan and configure your DNS so that service1.example.lan and service2.example.lan both point to the same IP. The reverse proxy then redirects the request based on the requested domain name, whether that’s on a separate server or on the same server on a different port.
Thanks for the reply! I think I get it now.
Yup. You can run both local amd external services off the same proxy, at least with traefik and I assume others. Alternatively you could use traefik to solely for local services and Cloudflare zero trust tunnel for external. I think his traefik video covers it? If not, it covers some part.
The other part is that you need pihole setup to serve local DNS.
Okay, I’ll start with configuring pihole for DNS. If I get it, I can just use that DNS and if I need to access a service external I need to register the domain with my registrar?
Sure can. I had mine separated with service.My-domain.com and service.Local.My-domain.com If you need help let me know :)
Yes. But you should generally not expose a bunch of services to the Internet. Use a VPN to access your local network if necessary.
look into local dns servers if you want multiple machines to use your local domains if you only want a single windows or linux (and probably mac) computer to use the domain to access a specific local ip an entry in your etc/hosts file would be enough
You can do that with pihole and basically any reverse proxy. The process is the same, so you can follow tutorials, you just have to set up your domain through your pihole instance instead of a registrar. You can set pihole as your dns for specific devices, or you can set it as the default dns for your network through the router.
Will also take a look at the router DNS, thanks a lot!
I guess you can set a host on your
/etc/hoststo redirect all your pterodactyl.example.com to a local ip. Also, if you need access from other computers on the local network, I think you can set up a local DNS server (such as PiHole or AdGuard Home) to reach the same solution but for all address running though your DNS server
