Most active commenters
  • ZeroSolstice(3)

←back to thread

My Own DNS Server at Home – Part 1: IPv4

(jan.wildeboer.net)
220 points speckx | 12 comments | 05 Sep 25 19:08 UTC | HN request time: 1.314s | source | bottom
1. n4bz0r ◴[05 Sep 25 23:28 UTC] No.45144931[source]
> I really should use the official .internal TLD (Top Level Domain) for my homelab network, but I decided against it. This introduces the risk of name resolution problems, should someone offer a public .jhw TLD in future. It’s a risk I am willing to accept in exchange for using a 3 letter TLD at home. Don’t be like me! Use .internal instead. With that out of the way, let’s continue.

Why not .lan? The key word is official?

replies(4): >>45145040 #>>45145079 #>>45146363 #>>45147234 #
2. moduspol ◴[05 Sep 25 23:44 UTC] No.45145040[source]
My preference is to register a publicly resolvable domain and then just only use it internally. Then you can still get publicly trusted TLS certificates for it, in case you want them.

Doesn’t stop you from using your own private CA, either, but at least you have the option.

replies(2): >>45145766 #>>45145824 #
3. JdeBP ◴[05 Sep 25 23:51 UTC] No.45145079[source]
The key concept is learning from the mistakes of others, instead of repeating them. The past several decades provide numerous examples of people picking "internal" top-level domain names that they were 100% positive no-one else would ever use … until someone else did, sometimes as a result of the exact same thinking.

* https://jdebp.uk/FGA/dns-use-domain-names-that-you-own.html

* https://news.ycombinator.com/item?id=45144631

You can find the case of dev. in particular discussed in umpteen places here on Hacker News over the years.

4. isaacdl ◴[06 Sep 25 01:34 UTC] No.45145766[source]
I do the same. You can still get neat 4-character domains for cheap in many TLDs (including .net, which just feels right for this purpose).
5. briHass ◴[06 Sep 25 01:44 UTC] No.45145824[source]
Given how modern browsers are increasingly hostile to long-lived, self-signed certs, I've resigned to paying the .com tax every year for a real domain. There's so many ACME clients now (e.g. HomeAssistant has a plugin), that it's fairly easy to have legitimate certs on internal devices. A side benefit is having a subdomain that can be used as a dynamic DNS record.

Cloudflare (and probably others) let you enter non-routable IPs into their DNS, so myhomeserver.mydomain.com can point to 192.168.1.45 on your LAN without having to run your own DNS/hosts.

replies(1): >>45149269 #
6. ZeroSolstice ◴[06 Sep 25 03:29 UTC] No.45146363[source]
I didn't see a specific RFC that reserved .lan however from the proposed standard RFC 8375 home.arpa is suggested.

https://datatracker.ietf.org/doc/html/rfc8375

replies(1): >>45154281 #
7. finaard ◴[06 Sep 25 07:04 UTC] No.45147234[source]
Why not a subdomain under one of the public domains he already has?

For interactive use you'd typically only use part of the domain anyway, with correctly set up search list. Also has the advantage of easily making some hosts available via IPv6 to the outside - or with split horizon DNS and a gateway host expose specific services, where inside connection directly goes to the specific host, and outside via a reverse proxy.

Overall he's just describing a typical simple internal DNS setup - from the title was expecting him to talk about how he got a stable authoritative DNS server for his public domain running at home (and how he got around the "two nameservers" requirement).

On the plus side, that made me realize that my current home connection _is_ stable enough to host one of my three authoritative DNS servers, which should save me about 7 EUR per month.

8. akerl_ ◴[06 Sep 25 13:51 UTC] No.45149269{3}[source]
Are they? Browsers treat long-lived self-signed certs pretty much exactly how they always have, from what I’ve seen: if you’ve trusted the cert in your system trust store, it just works. If you haven’t, you get a red warning page and have to click to proceed.
9. n4bz0r ◴[07 Sep 25 00:48 UTC] No.45154281[source]
> home.arpa is suggested

Thanks, didn't even know it existed.

> I didn't see a specific RFC that reserved .lan

There is no RFC AFAIK, but it has certainly seen some adoption over the past decade. Mikrotik devices use `router.lan` as a default domain name for their routers, for instance. Home labbers on YouTube seem to like to use `.lan`, too.

Would it be fair to think there is a chance `.lan` might get an RFC of its' own given the popularity? Or that's completely irrelevant in case with RFCs? Hard to tell what's the reasoning there - `.home.arpa` seems excessivly long and inconvenient.

Would be a real shame and a bummer if `.lan` ends up becoming public :')

replies(1): >>45155080 #
10. ZeroSolstice ◴[07 Sep 25 03:11 UTC] No.45155080{3}[source]
I agree it would be great to get some of the vendor pushed / common domains put into an accepted standard.

In my interaction with IETF standards they are created / implemented in two ways:

  1. They set the forward direction for a new technology before it is wide spread.
  2. They wait for a technology to become popular / accepted and start to set standards from that baseline.
Both are reasonable paths of implementation given how the pace of changes in technology.

I doubt .lan, .local, .home, etc will either become public or a standard just based on existing devices that default to these domains and documentation or books that might reference them as example domains.

replies(1): >>45155839 #
11. aragilar ◴[07 Sep 25 06:17 UTC] No.45155839{4}[source]
.local is defined for mDNS
replies(1): >>45157276 #
12. ZeroSolstice ◴[07 Sep 25 11:30 UTC] No.45157276{5}[source]
Correct, which is why .local wouldn't become a TLD or part of a standard for home network reserved domains.