stratself
@stratself@lemdro.id
- Comment on DNS kicking my ass (Technitium and opnsense) 3 days ago:
Have you solved your problem? It seems like there are some issues with your setup:
> TDNS is set to “allow recursion only for private networks” this means that if something external tried to resolve using my TDNS they’ll be refused, correct?
Correct. It only accepts recursive queries from private networks and can make outbound requests to the internet as normal.
> 10.2.0.1 turned out to be my vpn’s dns server
On the computer, you’re also using your VPN’s DNS service accessible within the VPN tunnel (hence the weird IP address). If you wanna use Technitium you should disable such service
> I set NAT rules to force TDNS port 53 routing. TDNS is set to forward to quad9 and cloud flare externally. DNS blocking lists are set in TDNS.
> Unable to reach external net when NAT rules active.
If you’re forcing every device to talk to TDNS, then your TDNS server is also talking to itself and cannot make queries to Cloudflare/Quad9 on port 53. You can either:
- Create an exception rule to allow your TDNS address to talk to Cloudflare/Quad9
- Use DNS-over-HTTPS/DNS-over-TLS as your TDNS forwarder protocols as they aren’t affected by rules on port 53 (recommended)
> It seems the DHCP is handing out the firewall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333.
Yes it’s expected, if you’re telling your clients to forward their queries to dnsmasq, and then let dnsmasq forward those queries to Technitium. If you want clients to talk directly to TDNS instead, set the DHCP option to advertise its address and don’t use your firewall’s address as a forwarder. I prefer the second option as it’ll give you correct client IPs in query logs and save some round trips.
> I don’t really know what I’m doing with zones but I have a primary zone set with example.com. I set some static hosts records in this zone and enabled reverse lookup, expecting servicehost.example.com
If you can query the zone and its reverse PTR record in Technitium’s DNS client, then you’ve properly set it up. Remember you’ll have to tick the PTR options when setting up said record. Also you can open an issue on Technitium’s Github or their subreddit for assistance.
- Comment on How are people discovering random subdomains on my server? 6 days ago:
My guess would be NSEC zone walking if your DNS provider supports DNSSEC. But that shouldn’t work with unregistered or wildcard domains
The next guess would be during setup, someone somewhere got ahold of your SNI (and/or outgoing DNS requests). Maybe your ISP/VPN service actually logs them and announces them to the world
I suggest next time, try setting up without any over-the-internet traffic at all. E.g. always use `curl` with the `--resolve` flag on the same VM as Apache to check if it’s working
- Comment on Cloudflare Tunnel: proxy-dns Command Removal 2026 | What are some nice alternatives to encrypted DNS? 2 weeks ago:
they have an official build too: hub.docker.com/r/adguard/dnsproxy
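To illustrate the NSEC zone-walking guess from the comment on “How are people discovering random subdomains on my server?” above, here is an added Python example. It is not the commenter’s code and is not tied to any real zone: the NSEC chain below is constructed for a hypothetical example.com. The script parses the chain, follows each record’s “next owner” pointer to enumerate every name in the zone (which is all an attacker needs to do against a plain-NSEC zone), and uses the same chain to find which record denies a name that does not exist. Names that only resolve through a wildcard are never owners in the chain, which is why the comment says walking should not expose wildcard-served names; NSEC3 hides the owners by hashing them.

```python
"""Walk an NSEC chain to enumerate every owner name in a DNSSEC-signed zone.

Added example (constructed data, not from the original thread). Each NSEC
record names the *next* owner in canonical order, so anyone who can query
the zone can recover the full list of names by following those pointers.
"""

# Constructed NSEC records for a hypothetical example.com zone, in a
# zone-file-like layout: owner, type, next owner, type bitmap.
SAMPLE_NSEC_RRS = """\
example.com.        NSEC  *.example.com.      A NS SOA RRSIG NSEC DNSKEY
*.example.com.      NSEC  alpha.example.com.  A RRSIG NSEC
alpha.example.com.  NSEC  mail.example.com.   A RRSIG NSEC
mail.example.com.   NSEC  www.example.com.    A MX RRSIG NSEC
www.example.com.    NSEC  example.com.        A AAAA RRSIG NSEC
"""


def canonical_key(name: str) -> tuple:
    """Key implementing RFC 4034 canonical ordering: compare labels from the
    right, case-insensitively, with a shorter (parent) name sorting first."""
    return tuple(name.rstrip(".").lower().split(".")[::-1])


def parse_nsec(text: str) -> dict:
    """Parse NSEC lines into {owner: (next_owner, [types])}."""
    chain = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1].upper() != "NSEC":
            continue
        owner, nxt, types = parts[0].lower(), parts[2].lower(), parts[3:]
        chain[owner] = (nxt, types)
    return chain


def walk_zone(chain: dict, apex: str) -> list:
    """Enumerate every owner name by following next pointers from the apex
    until the chain wraps back to it. Raises if the chain is broken."""
    apex = apex.lower()
    if not apex.endswith("."):
        apex += "."
    names = [apex]
    current = chain[apex][0]
    while current != apex:
        if current in names or current not in chain:
            raise ValueError(f"broken NSEC chain at {current}")
        names.append(current)
        current = chain[current][0]
    return names


def covering_nsec(chain: dict, qname: str):
    """Return the owner of the NSEC record proving qname does not exist,
    or None when qname is itself an owner (i.e. it exists)."""
    q = canonical_key(qname)
    if any(canonical_key(owner) == q for owner in chain):
        return None
    for owner, (nxt, _types) in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < n:
            if o < q < n:
                return owner
        elif q > o or q < n:  # last record wraps around to the apex
            return owner
    return None


if __name__ == "__main__":
    zone = parse_nsec(SAMPLE_NSEC_RRS)
    print("names leaked by walking:", walk_zone(zone, "example.com"))
    for probe in ("secret.example.com.", "alpha.example.com."):
        print(probe, "->", covering_nsec(zone, probe) or "exists")
```

The walk stops when the chain returns to the apex, so a zone served with NSEC (rather than NSEC3 or “white lies”) gives up every owner in as many queries as it has names; an owner of `*.example.com` only tells the walker that a wildcard exists, not which names clients have been asking for.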
- Comment on Cloudflare Tunnel: proxy-dns Command Removal 2026 | What are some nice alternatives to encrypted DNS? 2 weeks ago:
Technitium is very powerful and could perfectly handle being a DNS forwarder + DHCP provider for your LAN, replacing both Pihole + cloudflared. Though it does many other things too, which can make the UI overwhelming for starters. But in my opinion if you’d like to fine-tune a lot of things like cache and custom DNS logic (via installable applets), this would be the software for you
For the upstream provider I guess Quad9 is popular enough to give you fairly good geolocated IPs, but also has some sense of privacy. The main thing is to always validate your answers with DNSSEC so as to detect and refuse any DNS tampering attempts
- Comment on How do you get a certificate for an internal domain? 2 weeks ago:
Yes it involves nginx’s stream directive
- Comment on How do you get a certificate for an internal domain? 2 weeks ago:
As continued from my answer for your previous post I suggest you route pure TCP traffic all the way to your backend and terminate TLS (with a Let’s Encrypt cert) there. In fact, I prefer not to mount any certs on the VPS. This does not involve separate certs nor internal domains.
- Comment on PSA: If you are running a Matrix homeserver written in Rust, you'll need to upgrade NOW 2 weeks ago:
- Comment on My Unifi Dream Machine Pro's ad-blocking was doing more than I expected 2 weeks ago:
Is there a way for you to talk to upstream DNS bypassing Ubiquiti’s firewall? Maybe do it on a different port? (idk if the RFC permits this)
- Comment on reverse proxy over vpn without docker? 2 weeks ago:
There are many ways to do this and you got the right gist, but my recommendation:
- Set up a WireGuard tunnel connecting your VPS and homeserver
- Set up a layer-4 TCP reverse proxy (Nginx’s stream module/Traefik TCP routers/Caddy-L4/HAProxy are all doable) on the VPS
- Use that reverse proxy to route all TCP traffic back to the homeserver’s HTTPS service(s), via the wg tunnel
Here’s a guide that helped me with such a setup: theorangeone.net/…/wireguard-haproxy-gateway/
WireGuard only needs one peer to open a silent UDP port, so use the VPS’ IP and there’s no need to port-forward your homeserver. There are other more convenient solutions like Tailscale or Pangolin, but being WireGuard-based they all follow the same principle. Lastly this keeps your certs locally for TLS all the way through
- Comment on How do I migrate my VPS out of Cloudflare? 2 weeks ago:
For the DNS provider I recommend desec.io. It’s a nonprofit running worldwide DNS servers, supports DNSSEC, and has a plugin for Lego. If your registrar supports DNSSEC as well, I’d recommend enabling it to protect from DNS forgery.
For the DDoS protection I don’t have a recommendation as they’re all “just another SaaS”, but maybe you could put many more selfhosted things behind auth so as not to expose more surface to potential scrapers.
- Comment on Question about accessing my services from corporate Network 3 weeks ago:
Beat me to it. This is likely the best way as 443 is ubiquitously unblocked on most networks
- Submitted 3 weeks ago to selfhosting@slrpnk.net | 1 comment
- Comment on Self-hosting with an old laptop 3 weeks ago:
That doesn’t seem to be too old of a laptop at all. One thing I’d say is to use an SSD as the main partition you run your apps on, as HDDs might be quite slow.
If you wanna keep the VPS, you can use it as a public inbound gateway + outbound VPN for your homeserver, so traffic looks like it comes in and out of your VPS. I wrote some notes on setting up Tailscale in such a manner, but there’s plenty of other options.
If you don’t wanna keep the VPS, you can front your inbound traffic with Cloudflare Tunnels, and use a VPN for outbounds. If you don’t have any apps that make frequent network requests (e.g. a Matrix server), then a VPN may not be necessary
You should leave SSH on, especially if you wanna run it without a monitor, but use key auth and limit it to your LAN only
- Comment on Unintended Proxy or Intermediary ('Confused Deputy') and Improper Input Validation in Conduit-derived homeservers 3 weeks ago:
Thanks for posting here. I’ll update to continuwuity v0.5.0 immediately when I come back to Matrix
- Comment on Suggestions for Community Organizing 4 weeks ago:
Non-federated Matrix server with rooms bridged to Discord/Whatsapp/Slack/whatever, so everyone can join.
Use standard webapps for other stuff like polls, surveys, events etc and send the URL to an announcement channel. Not sure of exact solutions but if one app can do it all and send email reminders for them, that’d be great. Same can be done for VoIP with Jitsi links, or even Z**m links.
Backup the databases if you need the chat logs. All of this should be doable with a small VPS, but a mini-PC cluster could be better
- Comment on Router VPN? Express put to rest 4 weeks ago:
How did you exactly install Express on the router? Did you use an app or something of that kind?
If the VPN provider has WireGuard support, you may wanna use a wireguard client software to connect to it. Flash OpenWRT on the router, install and configure a wireguard interface that connects to Express, then forward packets from behind LAN to that interface so they go through the VPN tunnel. A bit tricky for beginners, but I hope you can make it.
Since OpenVPN protocol seems to become unsupported in the future, Wireguard should be the way to go. Mullvad/IVPN should also support it, and once you know how to set it up it should be usable across many services and devices.
> Do you recommend installing VPN apps on separate devices instead of the router?
For flexibility I’d do this. In case I’d wanna switch upstream servers for a single device without affecting others.
- Comment on Recommendations to replace AWS DNS? 4 weeks ago:
Desec.io is a solid option - it allows for various types of records like TLSA and SRV. It can also generate scoped API tokens, e.g. for “only TXT records of the `_acme-challenge` subdomain of example.com”, to use in automated cert renewals, so pretty good for automation. It’s also a nonprofit.
I think selfhosting DNS is beneficial when you wanna control your own DNSSEC keys, but you’d need to account for high availability and safety. With that, you could do what’s called a “hidden primary + public secondary” setup to protect your master DNS data from public prying. You can even use 3rd-party services like ns-global.zone as your secondaries for redundancy and to reduce load on your primary, too. I recommend Technitium and their guidance if you wanna get started
- Comment on Recommendations to replace AWS DNS? 4 weeks ago:
Those are not authoritative DNS providers where you can publish records…
- Comment on Decreasing Certificate Lifetimes to 45 Days 1 month ago:
Technically something like DANE can allow you to present DNSSEC-backed self-signed certs and even allow multi-domain matching that removes the need for SNI and Encrypted Client Hello… but until the browsers say it is supported, it’s not
- Comment on **How** should I properly document my homelab? 1 month ago:
I write homelab docs mostly for user guidance like onboarding, login, and service-specific stuff. This helps me better design for people by putting myself in their shoes, and should act as a reference document for any member to come back to.
Previously I built an Mkdocs-Material website with a nice subdomain for it, but since the project went on maintenance mode, I’m gonna migrate all docs back to a Forgejo wiki since it’s just Markdown anyways. I also run an issue tracker there, to manage the homelab’s roadmaps and features since it’s still evolving.
I find this approach benefiting compared to just documenting code. I’m not an IaC person yet, but I hope when I am, the playbooks should describe themselves for the nitty-gritty stuff anyways. I do write some infra notes for myself and perhaps to onboard maintainers, but most homelab developments happen in the issue tracker itself. The rest I try to keep it simple enough for an individual to understand
- Comment on Self hosted Onedrive alternative 1 month ago:
Nextcloud forked from the old PHP-based ownCloud stack, while Opencloud forked from the Infinite Scale Go-based stack. It also by default preserves the filesystem hierarchy on your server without needing a database, using a storage driver called PosixFS.
The Windows clients currently do support selective syncing so it is on-par with OneDrive. Android client looks to be forked from old Owncloud, and has offline availability too.
- Comment on Looking for a selfhostable chat service that people on phone and computers can log onto 2 months ago:
> due to it missing ideal features
what features do you want? kindly elaborate
XMPP with Snikket could be an easy solution. If you don’t want to talk to the wider web make sure to disable federation.
- Comment on Local DNS on Pihole 2 months ago:
Pihole runs on dnsmasq right? Maybe you could create a cronjob to copy the underlying dnsmasq.conf to other Piholes
- Comment on Technitium DNS v14 is released with support for clustering 2 months ago:
Ah, I see. Well I’m glad you found PiHole useful and are sticking to using it anyhow!
- Comment on Technitium DNS v14 is released with support for clustering 2 months ago:
What issues did you have reverse-proxying? For me it was just as simple as pointing to port 5380. Other ports like 53 could be passed on with a layer-4 router
What about the login issues? I’d hope they’ll be integrating with OIDC or some other auth mechanism, but for now managing 2FA creds should make do
- Comment on Technitium DNS v14 is released with support for clustering 2 months ago:
Off the top of my head:
- Allows using DoH/DoT/DoQUIC/recursive upstreams without installing extra packages (unbound, cloudflared, etc)
- Allows acting as a DoH/DoH3/DoT/DoQUIC server alongside normal DNS over UDP and TCP
- Allows configuring SOCKS/HTTP proxies for forwarders
- Act as authoritative zone server with DNSSEC signing
- Allows custom responses via plugins (e.g. conditional responses based on client’s IP addresses)
- Accept PROXY Protocol to forward client IPs from trusted load balancers
- All the clustering and zone transfers magic
- DNS64
It really dives deep into the inner workings of DNS and does pretty much anything Pi-Hole does, with many more security and QoL features. Although the UI may feel a bit dated, I’d recommend it to anyone running their own homelab infrastructure beyond just adblocking
- Submitted 2 months ago to selfhosted@lemmy.world | 25 comments
- Comment on Made an alternative to Tailscale + Gluetun 2 months ago:
Just found out someone else has a similar thing too:
It seems more flexible and can be used site-to-site, for anyone interested
- Submitted 2 months ago to selfhosted@lemmy.world | 5 comments
- Comment on Material for MkDocs is getting rid of MkDocs. Now: Zensical - A modern static site generator 2 months ago:
Thanks for posting this here. I’m not sure what to think about this, just set up mkdocs-material with huge customizations, including the macros plugin and tons of CSS. So it’d be tedious to eventually migrate to the new “component system” as they say.
Welp, should’ve gone with a barebone SSG and configured what I want. Feels like I’m kinda stuck in no man’s land now.