
246 points nh2 | 1 comments
ndsipa_pomu ◴[] No.41912342[source]
I prefer to assign an external name to an internal device and grab a free SSL cert from LetsEncrypt, but using the DNS challenge instead, as internal IP addresses aren't reachable by their servers.
replies(9): >>41912368 #>>41912827 #>>41913126 #>>41913387 #>>41913720 #>>41913826 #>>41916306 #>>41917079 #>>41917804 #
DandyDev ◴[] No.41912368[source]
I do this as well, but be aware that these external names you're using for internal devices become a matter of public record this way. If that's okay for you (it is for me), then this is a good solution. The advantage is also that you run no risk of name clashes because you actually own the domain.
replies(7): >>41912424 #>>41912505 #>>41912544 #>>41912570 #>>41912671 #>>41912732 #>>41919325 #
magicalhippo ◴[] No.41912505[source]
I decided to try split DNS to avoid leaking the internal IPs, but it turned out a bit more fragile than I imagined.

Especially Android is finicky, ignoring your DNS server if it doesn't like your setup. For example, if it gets an IPv6 address, it requires the DNS server to also have an IPv6 address, or it'll use Google's DNS servers.

It works now but I'm not convinced it's worth it for me.

replies(2): >>41912693 #>>41913504 #
1. capitol_ ◴[] No.41913504[source]
Split DNS causes lots of headaches; it also makes it really hard to do root cause analysis of failures when they involve DNS.