This is still the header! Main site

Using DNS for LAN IPs

2022/01/06
This is post no. 63 for Kev Quirk's #100DaysToOffload challenge. The point is to write many things, not to write good ones. Please adjust quality expectations accordingly :)

Remembering IP addresses is not especially much fun. (... still more fun than remembering IPv6 addresses though.) Furthermore, virtualhosts don't really work with IP addresses (... they also shouldn't really exist, but that's besides the point.) So, therefore, people use DNS to give these things names.

Setting up DNS for your internal network (e.g. your 192.168 subnets, or a Tailscale network) might be somewhat tricky though. Typically, you'd set up the LAN DHCP server as the authoritative one for clients on the LAN; solutions like e.g. Unbound DNS for OPNSense, which would neatly update a DNS zone of your choice with the hostnames it was handing out via DHCP. Tailscale itself has a solution along these lines.

Of course, this won't work if clients are doing DNS over HTTPS and want to get around your local resolver. Or if you set up your VPN connection wrong. Or... for various other reasons.

A relatively simple solution

... is to just stop making your local DNS names local only. Make them visible from everywhere!

If you have a domain name, you can just add records to it, e.g. your-local-server.your-domain.com could have an A record, pointing to 192.168.42.42, which happens to be the server in question. You can set up additional virtualhosts by adding CNAME records, pointing to the same machine name. That way if the IP address changes, you'd only need to edit one record.

(... if you don't have a domain name... you should get one because they are neat? but I'd assume someone will let you do all this on a subdomain for free, too, probably.)

You can actually do all this by hand. Whenever you registered your domain name has a UI for this. And even if your IPs are handed out via DHCP... they don't tend to change a lot. (With Tailscale, they definitely won't change a lot.)

Of course, these addresses won't work outside of the local network they're designed to be used in. We don't particularly care though!

Security?

You probably shouldn't be doing this if you're praising yourself for being a Very Secure Organization. Main reason number 1 being: you're reading a post written by someone who is not even a security expert; you probably shouldn't just believe anything that it says.

However... things aren't too bad, really. To begin with, you aren't even really exposing your internal IPs to anyone: they'll only be able to get them if they know the name of the machines. Being able to take that step might help an attacker, but... it's not a lot.

Of course, DNS queries now travel outside of your home network, too, so people might do some weird things to them. But then... you might be able to start using things like DNSSEC this way (since your "internal" IPs are now served by a Fancy Official DNS Server that might have all these things set up), so you might even gain some security doing this.

... comments welcome, either in email or on the (eventual) Mastodon post on Fosstodon.