First time poster, although I have lurked here for a while. Apologies for any stupid questions in advance...
I'm in the middle of repurposing an old desktop as a homeserver to host several services. However, I'm fairly new to all of this and more or less just following along some pieces of code that I found on the internet. So, I definitely don't really know what I'm doing and I'd like to ask a few questions on how to do certain things and whether I got things right.
I own a domain name and have set up traefik to provide access to several services (right now gitea, portainer and authelia, plan to add others). I definitely see the use case of having some services being available on my LAN, while access to others could be global. At the same time, I like the ability to access all my services through a FQDN and having SSL certificates from Let's Encrypt.
On my network, I have dnsmasq running on my (Ubiquiti Edge) router, but until now I have only used that to assign hostnames to my NAS and my new homeserver.
For my questions:
- Is this a reasonable set-up in the first place, or should I not be running dnsmasq on my router? In the future I might consider something like AdGuard, but the idea of having a DNS server on my router seems to make some intuitive sense, as 1) this device is responsible for my network's routing anyway and 2) by using my router for such a critical feature, I'm not introducing additional points of failure (e.g. if the machine on which the DNS server is located goes down, but my router isn't, I still might not have internet functioning, whereas if my router is down, internet isn't working anyway).
- Should I add entries to dnsmasq to point the local-only services to my homeserver? And is adding these DNS entries something I should do in any case, also for my public services (for example in case my internet connection goes down)? Is there a way to automatically discover these services and register them so that I don't have to maintain entries manually?
- Is there any additional traefik configuration required to only allow local network access (IP whitelisting)? Will the local services still have an SSL certificate in a set-up like this?
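For the third question, here is an added example (not from the original post and not Traefik's own documentation) of a Traefik v2 dynamic-configuration file that keeps one router LAN/VPN-only with a source-IP allow list while still issuing it a Let's Encrypt certificate. The hostnames, address ranges, backend URLs and the certResolver name "letsencrypt" are all assumptions. On the dnsmasq side, the matching override is a line such as `address=/portainer.example.com/192.168.1.10` (assumed address), so LAN clients resolve the name straight to the homeserver instead of going out through the router's NAT; without that, hairpin NAT may rewrite the source address and the allow list sees the router rather than the client.

```yaml
# Traefik v2 dynamic configuration for the file provider.
# Added example: names, ranges, ports and the resolver name are assumptions.
http:
  middlewares:
    lan-only:
      # Source-IP allow list; the middleware is named ipAllowList in Traefik v3.
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"   # home LAN (assumed)
          - "10.8.0.0/24"      # VPN clients (assumed)
          - "127.0.0.1/32"
        # Only set ipStrategy.depth if another proxy in front of Traefik sets
        # X-Forwarded-For. When Traefik is the edge, leave it unset: trusting
        # the header would let any client spoof a LAN address.

  routers:
    portainer:                         # LAN-only service
      rule: "Host(`portainer.example.com`)"
      entryPoints: ["websecure"]
      middlewares: ["lan-only"]
      service: portainer
      tls:
        # The resolver must use the DNS-01 challenge (dnsChallenge in the
        # static config): HTTP-01 would need port 80 of this host reachable
        # from the Internet, which is exactly what a LAN-only service avoids.
        certResolver: letsencrypt
    gitea:                             # public service, no allow list
      rule: "Host(`gitea.example.com`)"
      entryPoints: ["websecure"]
      service: gitea
      tls:
        certResolver: letsencrypt

  services:
    portainer:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9000"   # assumed backend
    gitea:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000"   # assumed backend
```

TLS is negotiated before the middleware runs, so the certificate is served either way; a client outside the listed ranges completes the handshake and then receives 403. Check the behaviour from both sides: `curl -I https://portainer.example.com` from the LAN should return the application, the same request from a mobile connection should return 403, and the access log's ClientAddr field shows which source address the allow list actually evaluated.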
I am running BIND9 to achieve this very thing.
You can set up different "views" in BIND. Different zonefiles are served to different clients based on the IP address.
I have an external view that allows AXFR transfers to my public slave DNS provider, and an internal view for clients accessible over my VPN. I use DNS-01 challenges to issue valid Let's Encrypt certificates to both LAN-facing and public-facing services.
My DNS server is running on my VPN coordination server, but, if I was not doing that, I'd run it on my router.
I do not use dnsmasq, so I am not sure if it supports split-view DNS, but if it does not, you can try coredns as a lightweight alternative.
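The split-view layout described in the reply above, written out as an added example (not the poster's actual configuration). It assumes BIND 9 with the zone `example.com`, a LAN of 192.168.1.0/24, a VPN range of 10.8.0.0/24, a public secondary at 203.0.113.53 and the file paths shown; all of those are placeholders. Transfers to the secondary and the ACME client's DNS-01 updates are both gated by TSIG keys, and the keys also serve to steer those signed requests into the external view even when they originate on the LAN, because the TXT record the CA validates must land in the zone copy the Internet sees.

```conf
// /etc/bind/named.conf.local (assumed path). Added example; every address,
// name and path is a placeholder.

// TSIG keys: one for AXFR to the public secondary, one for the ACME client
// (certbot-dns-rfc2136, lego or traefik's rfc2136 provider) that writes
// _acme-challenge TXT records for DNS-01. Generate real secrets with
// `tsig-keygen xfer-key` and `tsig-keygen acme-key`.
key "xfer-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };
key "acme-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };

acl "lan" { 192.168.1.0/24; 10.8.0.0/24; localhost; };   // LAN + VPN clients

// Once any view exists, every zone statement must live inside a view.
view "internal" {
    // Requests signed with either key fall through to the external view,
    // even from LAN addresses, so transfers and ACME updates hit the
    // externally visible zone rather than the private one.
    match-clients { !key xfer-key; !key acme-key; lan; };
    recursion yes;              // LAN clients may use this as their resolver
    allow-recursion { lan; };

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // authoritative only: never an open resolver
    allow-transfer { none; };   // default for every zone in this view

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
        allow-transfer { key xfer-key; };   // AXFR only when TSIG-signed
        also-notify { 203.0.113.53; };      // public secondary (assumed)
        notify yes;
        // The ACME client may add/remove TXT records anywhere under the
        // zone and nothing else.
        update-policy { grant acme-key zonesub TXT; };
    };
};

// The two zone files differ only in the addresses and in which names exist
// at all (shown here as comments, since they are separate files):
//
// db.example.com.internal (answers for LAN and VPN clients)
//   $TTL 300
//   @          IN SOA ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 1209600 300 )
//              IN NS  ns1.example.com.
//   ns1        IN A   192.168.1.1
//   gitea      IN A   192.168.1.10   ; homeserver; traefik terminates TLS there
//   portainer  IN A   192.168.1.10   ; LAN-only, deliberately absent below
//
// db.example.com.external (answers for everyone else, copied to the secondary)
//   same SOA and NS records, public address, only the public services:
//   ns1        IN A   203.0.113.10
//   gitea      IN A   203.0.113.10
```

Validate with `named-checkconf` and `named-checkzone example.com <file>` before reloading, then compare `dig @192.168.1.1 portainer.example.com` from the LAN (LAN address) with `dig @203.0.113.53 portainer.example.com` (NXDOMAIN), and confirm from an outside resolver that the secondary is listed as an NS for the zone at the registrar, since that is where the CA's DNS-01 lookup ends up. Keep the two zone files' serials moving independently; the secondary only ever sees the external serial.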
Thanks, this does sound interesting. I don't know anything about bind or axfr transfers, but I'll read up on it!