First time poster, although I have lurked here for a while. Apologies for any stupid questions in advance…
I’m in the middle of repurposing an old desktop as a homeserver to host several services. However, I’m fairly new to all of this and more or less just following along some pieces of code that I found on the internet. So, I definitely don’t really know what I’m doing and I’d like to ask a few questions on how to do certain things and whether I got things right.
I own a domain name and have set up traefik to provide access to several services (right now gitea, portainer and authelia, plan to add others). I definitely see the use case of having some services being available on my lan, while access to others could be global. AT the same time, I like the ability to access all my services through a FQDN and having SSL certificates from Let’s encrypt.
On my network, I have dnsmasq running on my (Ubiquity edge)router, but until now I have only used that to assign hostnames to my NAS and my new homeserver.
For my questions:
- Is this a reasonable set-up in the first place, or should I not be running dnsmasq on my router? In the future I might consider something like AdGuard, but the idea of having a DNS server on my router seems to make some intuitive sense, as 1) this device is reponsible for my network’s routing anyway and 2) by using my router for such a critical feature, I’m not introducing additional points-of-failure (e.g. if the machine on which the DNS server is located goes down, but my router isn’t, I still might not have internet functioning, whereas if my router is down, internet isn’t working anyway).
- Should I add entries to dnsmasq to point the local only services to my homeserver? And is adding these DNS entries something I should do in any case, also for my public services (for example in case my internet connection goes down)? Is there a way to automatically discover these services and register them so that I don’t have to maintain entries manually?
- Is there any additional traefik configuration required to only allow local network access (IP whitelisting?) Will the local services remain having an SSL certificate in a set-up like this?
You must log in or register to comment.
Why not just like use pihole to do DNS?
Several reasons:
- For now I am not looking to do ad-blocking and if I do, I’m not sure if I want PiHole or AdGuard.
- Instead, I just need a DNS server. As far as I can tell, PiHole is based on dnsmasq, so I don’t think I gain extra functionality that I want from it.
- As mentioned in my post, by introducing PiHole, I will create (potentially) another point of failure when it comes to my internet access.
- I assume that the performance of PiHole as DNS server will be worse than running dnsmasq on my router. As far as I can tell, with PiHole I have to configure my router to route all DNS request through PiHole, which will then go through the router again externally (where applicable). So there’s an additional roundtrip from router to PiHole in this setup?
I am running BIND9 to achieve this very thing.
You can set up different “views” in BIND. Different zonefiles are served to different clients based on the IP address.
I have an external view that allows AXFR transfers to my public slave DNS provider, and an internal view for clients accessible over my VPN. I use DNS-01 challenges to issue valid Let’s Encrypt certificates to both LAN-facing and public-facing services.
My DNS server is running on my VPN coordination server, but, if I was not doing that, I’d run it on my router.
I do not use dnsmasq, so I am not sure if it supports split-view DNS, but if it does not, you can try coredns as a lightweight alternative.
Thanks, this does sound interesting. I don’t know anything about bind or axfr transfers, but I’ll read up on it!