Comment

Comment on Need help getting domain to resolve over LAN

Never point your DNS at a local IP address. That will only cause you pain and unexpected behaviour.

What you are experiencing is solved by so-called “NAT reflection” or “NAT loopback”. It’s a setting that in the best case you should just be able to activate on the appropriate interface in your gateway.

source

Sort:hotnew top

rumba@lemmy.zip ⁨11⁩ ⁨months⁩ ago
Hard disagree, I’d bifurcate my internal DNS in a hot second before I tried to fix this with static routes. Was internal services aren’t going anywhere in that DNS servers ain’t going anywhere The only time they can figure it should take effect is when it’s needed

Asking a noob to handle static routes is a double ungood situation.

Home gamer with a router that can handle reflection would be rare.

It’s one service that he’s hosting and in control of, and he’s also in control of that internal IP so it doesn’t have to change.

If anything I’d be worried that those VMs and applications in the VMs are getting regular updates. He’s more likely to get intruded through a zero day on one of those hacks than he is to see any serious issues through throwing a couple DNS records around.

source
sugar_in_your_tea@sh.itjust.works ⁨11⁩ ⁨months⁩ ago
Never point your DNS at two different IP addresses like this. It will only cause you pain and unexpected behaviour.

Why?

I have a similar setup, but to add to the problem, I’m also behind CGNAT. Here’s my setup:

LAN - 192.168… addresses

WAN - 10… address from ISP

VPS - public address

To access my LAN from outside, I have a WireGuard tunnel to my VPS.

The address my DNS resolves to is absolutely unrelated to any addresses my router understands. So to prevent traffic to my locally hosted resources from leaving my LAN, I need my DNS to resolve to local addresses. So I configured static DNS entries on my router to point to local addresses, and I have DHCP provide my router as the primary DNS source and something else as a backup.

This works really well, and TLS works as expected both on my LAN and from outside my LAN. The issue OP is seeing is probably with a non-configured device somewhere that’s not querying the local DNS server.
source
- Opisek@lemmy.world ⁨11⁩ ⁨months⁩ ago
  I explained why. Misconfiguration and caching.
  
  source
fishynoob@infosec.pub ⁨11⁩ ⁨months⁩ ago
I don’t think OP made two A records here. He simply configured the reverse proxy to point to the VM and the A record to point to the reverse proxy. In my mind, if NGINX is terminating SSL then the only problem could be ports.

source
- Opisek@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Not two A records. From what I understand, OP has an A record pointing to their public IP address. Then, on the local network, OP uses their own DNS server to ignore that entry and instead always serve the local IP when a host on the LAN queries it.
  
  Aside from OP’s devices potentially using a different DNS server (I was only able to solve it for my stock Android by dropping outgoing DNS in my firewall), this solution is a nightmare for roaming devices like mobile phones. Such a device might cache the DNS answer while on LAN or WAN respectively and then try to continue using that address when the device moves to the other network segment. That’s the second likely scenario in my opinion - OP’s devices are ignoring the hacky DNS rewrite and try to access the server via the public IP.
  
  source
  - ashley@lemmy.ca ⁨11⁩ ⁨months⁩ ago
    It’s called split horizon dns and it’s not that bad/nightmarish.
    
    source
    Zeoic@lemmy.world ⁨11⁩ ⁨months⁩ ago
    Yeah, you are 100% right. Not only is it not bad in any way, but it is how nearly every single company with internal resources works… It is incredibly common.
    
    source
  - iAmTheTot@sh.itjust.works ⁨11⁩ ⁨months⁩ ago
    Couldn’t I troubleshoot this by using a different browser, or even incognito mode? Because when I do that, it still times out. I appreciate the explanation and advice. I’m not too worried about it at this stage only because my service I am trying to get working, Docmost, will really only be accessed from my desktop. Plus, as I said in OP, I am enjoying learning about this stuff and want to figure out why this specifically isn’t working for educational purposes, even if I switch to a different solution.
    
    source
    sem@lemmy.blahaj.zone ⁨11⁩ ⁨months⁩ ago
    To get more information, from the device you are having trouble with, try “dig server.com” from a terminal, or even “ping server.com”. The messages may help you figure out what’s going wrong.
    
    source
    Opisek@lemmy.world ⁨11⁩ ⁨months⁩ ago
    You would also need to color your device’s DNS cache.
    
    source
  - fishynoob@infosec.pub ⁨11⁩ ⁨months⁩ ago
    I didn’t think of that. Indeed, DNS caching/using different DNS servers for different devices will break it exactly like what OP is experiencing. Thanks.
    
    source