Delegated DNS on LAN? How to properly setup reverse proxy?

Below is a very rough outline of my home network. I have 2 separate SSID networks spanning the house from the 2 WAPs set in Dumb AP mode. Both Itus Boxes are running OpenWrt on the 5.15 kernel from master (source built), the R8000 and ER10x are running stock Firmware.

The ER10x/R8000 are in transparent bridge mode.

[image: network diagram]

I have an FQDN and the authoritative DNS held by Google as my registrar. Because it's Google Domains, I cannot use DNS-01 ACME certs unless I do it manually by hand every 3 months. I cannot move the DNS to another provider.

Currently: gateway.example.com is A-record pointed to the gateway Itus box's WAN port on the public IP, updated by DDNS.

I am looking for the best/most feasible way to expose the servers under the second Itus box (nexus) so that it fully supports SSL certs from those boxes. In particular, BitWarden has been a huge pain because anything hinky with the certs and it'll display the website, but not actually log in (it re-directs to various docker container ports local to the bitwarden box I believe)

Currently, I'm just port-forwarding 80/443 through Gateway and Nexus to the Bitwarden box, and that seems to be working, but I'd rather do something like a reverse proxy on the Nexus box by hostname so I can put more than 1 web service behind the nexus box without trying to play the port juggle.

Ideally, I'd also be able to use ACME LE certs, wildcard'd. Delegated DNS on nexus?

I'm just starting to seriously get into this aspect of networking, so any help anyone can provide would be appreciated!

You need a static public IPv4 address if you want to run a public name server at home. You can run a hidden master but then you'll need a static IPv6 address, and use for example Hurricane Electric DNS slaves as your public servers which you delegate your subdomain to. Without a static IPv4 or IPv6 address then you can still use Hurricane Electric DNS as master, instead of running it on nexus.

Is there a reason I couldn't set up the NS record on the Google DNS side to point at nexus.example.com (which CNAMEs to gateway.example.com, which is set via DDNS on gateway)? I have access to port 53 from the ISP (along with every other port, it seems). I could port-forward WAN:53 on gateway to WAN:53 on nexus, but I'm not sure I'm fully prepared to try and host a publicly exposed DNS. So, I'm looking for other options.

NS records must reference address records (A and AAAA), you can't use CNAME.


So I would have to use the A Record on the DDNS (gateway.example.com)? Google's DDNS gives me A records (potentially more than one, although it was one last time I checked).

Example:

[image: Google DDNS A record example]

Edit:

In any case, it's good info to know, but I have side-tracked us.

I was considering nginx as a reverse proxy on nexus. I can just forward 80/443 from gateway to nexus as I don't currently have anything else needing those ports elsewhere on the network. Which is when I ran into a wall with DNS-01 certs (and led to the original question).

I should state my intended goal and just let you all help me get there :smiley:

The goal is to have 2 or 3 servers accessible from the public under nexus, involving web services (for now) on 80/443.

I can publicly set server1.example.com and server2.example.com as CNAME to gateway.example.com. 80/443 on the WAN of gateway gets forwarded to nexus.
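The setup described in that last post (server1/server2 CNAMEd to gateway.example.com, 80/443 forwarded from gateway to nexus, nginx on nexus choosing the backend by hostname), written out as an added example. This is not configuration from the thread or from any poster; the backend addresses 192.168.20.11:8080 and 192.168.20.12:8080, the certificate paths under /etc/letsencrypt and the ACME webroot /var/www/acme are assumptions made for illustration.

```nginx
# Added example, not taken from the thread. Name-based reverse proxy on the
# nexus box: one nginx instance on 80/443 fronting two web services.
# Assumptions (illustrative, not from the post): backends live on the nexus LAN
# at 192.168.20.11:8080 (server1) and 192.168.20.12:8080 (server2); certs are
# issued per hostname by an HTTP-01 ACME client that writes to /etc/letsencrypt
# and serves challenges from the webroot /var/www/acme. This file is meant to be
# included inside the http {} block (e.g. /etc/nginx/conf.d/proxy.conf).

# Needed so WebSocket upgrades survive the proxy hop.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: answer ACME HTTP-01 challenges, send everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name server1.example.com server2.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the TLS SNI / Host header selects the backend.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name server1.example.com;

    ssl_certificate     /etc/letsencrypt/live/server1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server1.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.20.11:8080;
        proxy_http_version 1.1;
        # Hand the backend the public name and scheme so it builds links to
        # https://server1.example.com/... instead of to its own internal port.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name server2.example.com;

    ssl_certificate     /etc/letsencrypt/live/server2.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/server2.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.20.12:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

# Catch-all: anything that arrives for a hostname not listed above (scanners
# hitting the bare public IP, for instance) gets its TLS handshake refused
# rather than being routed to the first server block. Needs nginx >= 1.19.4.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}
```

Because port 80 on the gateway WAN is forwarded to nexus, HTTP-01 validation reaches this nginx for every name that CNAMEs to gateway.example.com, so a command such as `certbot certonly --webroot -w /var/www/acme -d server1.example.com` can issue and renew each hostname's certificate without touching Google Domains; only a wildcard certificate still needs DNS-01, which is the limitation the thread started from. Forwarding `Host` and `X-Forwarded-Proto` is what lets an application behind the proxy generate redirects to its public HTTPS name rather than to an internal container port. If nginx is to run on the OpenWrt box itself, note that LuCI's uhttpd binds 80 and 443 by default and must be moved to other ports first.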