
563 points joncfoo | 5 comments
1. xvilo No.41205561
Any ideas on how you would run SSL/TLS on these set-ups?
replies(4): >>41205597 >>41205600 >>41206406 >>41208111
2. the8472 No.41205597
Either pin the appropriate server cert in each application or run your internal CA (scoped to that domain via name constraints) and deploy the root cert to all client machines.
3. rileymat2 No.41205600
I think you can still run self signed, with a private CA/root cert?
4. jeroenhd No.41206406
An internal certificate authority would probably be the easiest option. Combined with MDM/group policy, you could tell most devices in your network to set up a trust chain of your own. From then on you can automate access by running your own ACME server internally to automatically hand out certificates to local devices.

The automated setup probably isn't very secure, though. Anyone can register any .local name on the network, so spoofing hostnames becomes very easy once you get access to any device on the network. Send a fax with a bad JPEG and suddenly your office printer becomes xvilo.local, and the ACME server has no way to determine that it's not.

That means you probably need to deal with manual certificate generation, manually renewing your certificates every two years (and, if you're like me, forgetting to before they expire).

5. Hamuko No.41208111
I just got myself a proper domain name. You can get a domain for pretty cheap if you're not picky about what you get. You could for example register cottagecheese.download on Cloudflare for about $5/year right now.

I have my domain's DNS on Cloudflare, so I can use DNS verification with Let's Encrypt to get myself a proper certificate that works on all of my devices. Then I just have Cloudflare DNS set up with a bunch of CNAME records to .internal addresses.

For example, if I needed to set up a local mail server, I'd set mail.cottagecheese.download to have a CNAME record pointing to localserver.internal and then have my router resolve localserver.internal to my actual home server's IP address. So if I punch in https://mail.cottagecheese.download in my browser, the browser resolves that to localserver.internal and then my router resolves that to 10.x.x.x/32, sending me to my internal home server that greets me with a proper Let's Encrypt certificate without any need to expose my internal IP addresses.

Windows doesn't seem to like my CNAME-based setup though. Every time I try to use them, it's a dice roll whether it actually works.