I recommend using a real domain name so you can pull SSL certificates that don't require the visitor to accept a self-signed certificate.
this post was submitted on 11 Aug 2023
22 points (92.3% liked)
Selfhosted
37939 readers
551 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
Seconded! I own a domain for our emails (no public Web presence) and use a subdomain (that's not publicly hosted, the names only exist in my pihole) which allows me to use foo.l.mydomain.com for each service. Since the names don't resolve publicly you'll have to use dns verification for let's encrypt, but that's not too hard to do.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| PiHole | Network-wide ad-blocker (DNS sinkhole) |
| Plex | Brand of media server package |
| SSL | Secure Sockets Layer, for transparent encryption |
| TLS | Transport Layer Security, supersedes SSL |
8 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.
[Thread #23 for this sub, first seen 11th Aug 2023, 06:55] [FAQ] [Full list] [Contact] [Source code]
Pihole can do this out of the box by going to the dns settings and adding a host. Alternatively, if your pihole is also your dhcp provider, you can set the hostname on each and pi hole should resolve it.
https://thiagowfx.github.io/2022/01/pihole-add-custom-dns-mappings/
I would suggest avoiding .local as a tld as it's used for discovery. .lan is shorter to type!
As recommended by others, you might want to use a real public domain that you own, and a reverse proxy for split horizon DNS. I personally run Bind9, Unbound, and PiHole as my DNS servers. Bind9 handles split horizon, so if I request my domain internally it gets routed through Bind. Then bind hands it off to PiHole for adblocking, and PiHole makes requests through Unbound set up as a recursive DNS server which doesn't rely on any external DNS. I also use Traefik as a reverse proxy for all of my services. My set up is more complicated than necessary, and if you want just a few local domains, PiHole + a reverse proxy is plenty good for your needs.
I use caddy with PiHole.
The Caddyfile is easy to set up with your hostname which will be automatically redirected to HTTPS.
The issue will be the annoying (but useful) alert of a selfsigned certificate if you don't own the domain.
So I have a cheap domain for my local network and configure caddy to do the acme challenge via DNS instead of HTTP.
I can give you more details tomorrow.
I don't use a pihole, but I have a pi with my favorite distro acting as server, and I use dnsmasq for what you mention. It allows to set the machine as the nameserver for all your machines (just use its IP in your router DNS conf, DHCP will automatically point connected machines to it), and then you can just edit /etc/hosts to add new names, and it will be picked up by the nameserver.
Note that dnsmasq itself does not resolve external names (eg when you want to connect on google.com), so it needs to be configured to relay those requests to an other nameserver. The easy way is to point it to your ISP nameservers or to public nameservers like those from Cloudflare and Google (I would really recommend against letting them know all domains you're interested in), or you can go the slightly more difficult way as I did, and install an other nameserver (like bind9) that runs locally. Gladly, dnsmasq allowed to configure its relay nameserver to be on something else than port 53, which is quite rare in dns world. Of course, if you're familiar with bind9, you could just declare new zones in it. I just find it (slightly 😂) more pleasant to work with /etc/hosts.
A pihole runs dnsmasq also so adding hosts entries and restarting the service accomplishes the same thing as adding entries via the webUI
Oh, ok. Thanks for letting me know. 👍️
It's fairly easy to add local domain names with pihole, so presuming all devices on your network are using it, you shouldn't have a problem.
If you use NGINX proxy manager you’ll also be able to use a FQDN with SSL for your local services without them being exposed to the internet. It means your local users won’t see the scary insecure page when they access services.
You can even set your public dns records to have Plex.yourdomain.tld point to the local IP of NGINX - removing the need for local dns entirely. That way if you do need to access a service outside with tailscale; their subnet router feature will just work out of the box.
Porkbun are still offering a free .dev or .app domain if you don’t already have one: https://porkbun.com/event/freeappdevdomain
Yep, I use cloudflare for DNS and just have 2 records configured there:
- A record -
example.compoints to192.168.1.100 - CNAME -
*.example.comis an alias ofexample.com
The IP address above being the address of Nginx Proxy Manager, where I configure whatever subdomains I need for my local services.
It has never occurred to me to create a wildcard entry for sub domains….
I have setup my own DNS locally with unbound(1). It blackholes domains, but I also use it as a caching + forwarder to my external DNS over TLS (for improved privacy regarding my ISP). I don't do it, but unbound let's you add local data manually to provide direct answers without forwarding it:
local-zone: "local." static
local-data: "plex.local. 10800 IN A 10.0.0.3"
local-data: "paperless.local. 10800 IN A 10.0.0.4"
local-data: "pihole.local. 10800 IN A 10.0.0.53"
[...]
Then you can either configure it to include a generated list of domains to explicitly NXDOMAIN, or just forward everything to the pihole:
forward-zone:
name: "*"
forward-addr: 10.0.0.53
I don't know about unbound, but bind can be configured to talk with dhcpd and allow clients to set their own hostnames
In bind.conf
allow-update { key "rndc-key"; };
In dhcpd.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "lan.";
ddns-rev-domainname "in-addr.arpa.";
key rndc-key {
algorithm hmac-md5;
secret "secret";
};
No messy tables to maintain.
That's interesting. Unbound doesn't support that afaik. The local data feature was requested by OP so I just provided a solution for it.
Here to ask questions too. Is it necessary to add stuff to etc/hosts for this to work man only? Do I have to do portforwarding on my routeur and to what?
I've been trying to achieve exactly that for a week now and none of my attempts load at all.
Is there a resource or YouTube guide explaining all this so I actually know what I''m doing?