Selfhosted @lemmy.world fritter @lemmy.world 1 yr. ago

Fully local nameservice

I'm finally starting to install local web apps that my wife/kids would be interested in, and I know it has to be super easy or they're never going to go near it. Most everything is running on my Synology on different ports, with absolutely nothing exposed to the outside world, and I'd like to run local DNS and proxy so everything is available LAN-only with an easy hostname - plex.local, paperless.local, etc. (If we want remote access I'll just run Tailscale.) I'm already running PiHole, and I'm assuming if I poke around I can add local names in there, but has anybody else that's done this have any suggestions for setting things up?

18 comments

I recommend using a real domain name so you can pull SSL certificates that don't require the visitor to accept a self-signed certificate.
- Seconded! I own a domain for our emails (no public Web presence) and use a subdomain (that's not publicly hosted, the names only exist in my pihole) which allows me to use foo.l.mydomain.com for each service. Since the names don't resolve publicly you'll have to use dns verification for let's encrypt, but that's not too hard to do.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
PiHole	Network-wide ad-blocker (DNS sinkhole)
Plex	Brand of media server package
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL

8 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #23 for this sub, first seen 11th Aug 2023, 06:55] [FAQ] [Full list] [Contact] [Source code]

Pihole can do this out of the box by going to the dns settings and adding a host. Alternatively, if your pihole is also your dhcp provider, you can set the hostname on each and pi hole should resolve it.

https://thiagowfx.github.io/2022/01/pihole-add-custom-dns-mappings/
I would suggest avoiding .local as a tld as it's used for discovery. .lan is shorter to type!
I use caddy with PiHole. The Caddyfile is easy to set up with your hostname which will be automatically redirected to HTTPS.
The issue will be the annoying (but useful) alert of a selfsigned certificate if you don't own the domain.
So I have a cheap domain for my local network and configure caddy to do the acme challenge via DNS instead of HTTP.

I can give you more details tomorrow.
I don't use a pihole, but I have a pi with my favorite distro acting as server, and I use dnsmasq for what you mention. It allows to set the machine as the nameserver for all your machines (just use its IP in your router DNS conf, DHCP will automatically point connected machines to it), and then you can just edit /etc/hosts to add new names, and it will be picked up by the nameserver.

Note that dnsmasq itself does not resolve external names (eg when you want to connect on google.com), so it needs to be configured to relay those requests to an other nameserver. The easy way is to point it to your ISP nameservers or to public nameservers like those from Cloudflare and Google (I would really recommend against letting them know all domains you're interested in), or you can go the slightly more difficult way as I did, and install an other nameserver (like bind9) that runs locally. Gladly, dnsmasq allowed to configure its relay nameserver to be on something else than port 53, which is quite rare in dns world. Of course, if you're familiar with bind9, you could just declare new zones in it. I just find it (slightly 😂) more pleasant to work with /etc/hosts.
- A pihole runs dnsmasq also so adding hosts entries and restarting the service accomplishes the same thing as adding entries via the webUI
  
  Oh, ok. Thanks for letting me know. 👍️
If you use NGINX proxy manager you’ll also be able to use a FQDN with SSL for your local services without them being exposed to the internet. It means your local users won’t see the scary insecure page when they access services.

You can even set your public dns records to have Plex.yourdomain.tld point to the local IP of NGINX - removing the need for local dns entirely. That way if you do need to access a service outside with tailscale; their subnet router feature will just work out of the box.

Porkbun are still offering a free .dev or .app domain if you don’t already have one: https://porkbun.com/event/freeappdevdomain
- Yep, I use cloudflare for DNS and just have 2 records configured there:
  
  A record - example.com points to 192.168.1.100
  
  CNAME - *.example.com is an alias of example.com
  
  The IP address above being the address of Nginx Proxy Manager, where I configure whatever subdomains I need for my local services.
  
  It has never occurred to me to create a wildcard entry for sub domains….
I have setup my own DNS locally with unbound(1). It blackholes domains, but I also use it as a caching + forwarder to my external DNS over TLS (for improved privacy regarding my ISP). I don't do it, but unbound let's you add local data manually to provide direct answers without forwarding it:

local-zone: "local." static local-data: "plex.local. 10800 IN A 10.0.0.3" local-data: "paperless.local. 10800 IN A 10.0.0.4" local-data: "pihole.local. 10800 IN A 10.0.0.53" [...]

Then you can either configure it to include a generated list of domains to explicitly NXDOMAIN, or just forward everything to the pihole:

forward-zone: name: "*" forward-addr: 10.0.0.53
- I don't know about unbound, but bind can be configured to talk with dhcpd and allow clients to set their own hostnames
  
  In bind.conf allow-update { key "rndc-key"; };
  
  In dhcpd.conf
  
  ddns-update-style interim; ddns-updates on; ddns-domainname "lan."; ddns-rev-domainname "in-addr.arpa."; key rndc-key { algorithm hmac-md5; secret "secret"; };
  
  No messy tables to maintain.
  
  That's interesting. Unbound doesn't support that afaik. The local data feature was requested by OP so I just provided a solution for it.
As recommended by others, you might want to use a real public domain that you own, and a reverse proxy for split horizon DNS. I personally run Bind9, Unbound, and PiHole as my DNS servers. Bind9 handles split horizon, so if I request my domain internally it gets routed through Bind. Then bind hands it off to PiHole for adblocking, and PiHole makes requests through Unbound set up as a recursive DNS server which doesn't rely on any external DNS. I also use Traefik as a reverse proxy for all of my services. My set up is more complicated than necessary, and if you want just a few local domains, PiHole + a reverse proxy is plenty good for your needs.
It's fairly easy to add local domain names with pihole, so presuming all devices on your network are using it, you shouldn't have a problem.
Here to ask questions too. Is it necessary to add stuff to etc/hosts for this to work man only? Do I have to do portforwarding on my routeur and to what?

I've been trying to achieve exactly that for a week now and none of my attempts load at all.

Is there a resource or YouTube guide explaining all this so I actually know what I''m doing?

You've viewed 18 comments.