Split DNS... is it my best option? Accessing a web server exposed to the internet from the local LAN

I have a DHCP router that distributes IPs on a local LAN named intranet.

I have a server (server.intranet) that provides HTTP and HTTPS services serving some web pages, and which has a static local IP address (192.168.1.253).

The web server is accessible from the internet, as I have HTTP/HTTPS port forwarding in the router.
It can be accessed from the internet as:
https://www.mydomain.tld

I have wildcard certificates for *.mydomain.tld installed in the web server.

The problem I had until now was that I could not access the web server from the local LAN using https://www.mydomain.tld (I was sent to the router web interface, as the DNS outside my LAN resolved it to the external dynamic IP address of the router).

Recently I installed OpenWrt, and I discovered that I could use what I think is called split DNS.

I configured OpenWrt with some DNS A records:

www.mydomain.tld pointing to the server LAN address 192.168.1.201

The DHCP DNS servers point to my OpenWrt router, and the router forwards unresolved DNS queries to the internet.

Now I can reach www.mydomain.tld from the local LAN, and other queries for machines that are not on the local net (like server2.mydomain.tld) are also resolved by the dnsmasq software in OpenWrt and redirected to the external IP addresses.

So it seems all is working correctly for me.

But is this the correct way to configure the router to get access to a web server on the local LAN that is exposed to the internet, through the same URL that is used to access it from the outside?
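The override described in the post above, written out as an added example (not the poster's own configuration): the dnsmasq `address` record as OpenWrt UCI commands, plus a check that compares what the router answers with what an outside resolver answers for the same name. Assumptions not taken from the thread: the router serves DNS on 192.168.1.1, 9.9.9.9 is the independent public resolver used for comparison, and the server is 192.168.1.253 as in the first post. Because the wildcard certificate covers www.mydomain.tld, LAN clients that land on the LAN address see the same certificate they would see from outside.

```shell
#!/bin/sh
# Added example (not from the thread): a split-horizon override for one public
# name on an OpenWrt router, plus a check that LAN clients now get the LAN
# address while the public view still returns the WAN address.
#
# Assumptions, not taken from the original posts: the router answers DNS on
# 192.168.1.1, 9.9.9.9 is used as an independent public resolver, and the web
# server is 192.168.1.253 as in the first post. Run "split.sh apply" on the
# router, then "split.sh check" from a LAN client or from the router itself.

NAME="www.mydomain.tld"
LAN_IP="192.168.1.253"
ROUTER="192.168.1.1"
PUBLIC_RESOLVER="9.9.9.9"

# dnsmasq 'address=/name/ip' answers for the name AND every label under it
# (foo.www.mydomain.tld too), so keep the override as specific as possible.
# del_list first makes the script idempotent.
apply_override() {
    uci -q del_list "dhcp.@dnsmasq[0].address=/$NAME/$LAN_IP"
    uci add_list "dhcp.@dnsmasq[0].address=/$NAME/$LAN_IP"
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# True (exit 0) if a dotted quad is in RFC 1918 space; an empty answer is not.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# A working split view: the LAN resolver hands out a private address and an
# outside resolver hands out a public one.
split_view_ok() {
    is_private_ipv4 "$1" && ! is_private_ipv4 "$2"
}

# First IPv4 answer from busybox nslookup (present on OpenWrt). Only lines after
# "Name:" are considered so the resolver's own address is not picked up.
resolve_a() {
    nslookup "$1" "$2" 2>/dev/null | awk '
        /^Name:/ { seen = 1 }
        seen && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

check_live() {
    lan=$(resolve_a "$NAME" "$ROUTER")
    pub=$(resolve_a "$NAME" "$PUBLIC_RESOLVER")
    printf 'LAN view:    %s -> %s\npublic view: %s -> %s\n' "$NAME" "$lan" "$NAME" "$pub"
    if split_view_ok "$lan" "$pub"; then
        echo "OK: LAN clients reach the server directly"
    else
        echo "NOT OK: LAN clients would be sent to the WAN address (the router UI)"
        return 1
    fi
}

case "${1:-}" in
    apply) apply_override ;;
    check) check_live ;;
esac
```

Run `check` again after any DHCP or dnsmasq change on the router; if it reports NOT OK, the LAN resolver is either not the router or the override was lost.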

At least in my opinion, it is robust, understandable, maintainable, doesn’t involve “hacks”, and works, so yes, an excellent approach.

2 Likes

I do exactly this for my Plex Media Server to avoid tromboning data from LAN clients while providing external access via my router.

Of course if we had better IPv6 adoption this wouldn't be necessary :roll_eyes:

OK, thank you.
Yes, it seems a clean approach: I do not have to install hacks, and I do not have to maintain DNS records in two DNS servers (the DNS server on the internet and the server in the router).

I had a similar approach in DD-WRT, but it was way more cumbersome.

I think that the DNS in DD-WRT did not forward DNS queries for hosts that were unknown locally.

I had DHCP configured to make all leases under the mydomain.tld domain.

Then I had to configure all the static addresses of the local web server to point to the IP on the local LAN.
But I also had to configure all the DNS entries of the server addresses that reside outside the local LAN (on the internet).

Each time I changed a DNS entry in the DNS server of my internet domain provider, I had to add it to the router, as with that approach the router did not seem to resolve any query for a host in mydomain.tld that it did not have in its local DNS database.

Now it works painlessly, but I was not sure if it had some shortcomings.

I would only like to have CNAME entries in OpenWrt (other record types like TXT or MX are not needed for me).

My ISP does not seem to provide an IPv6 address for my router either, nor IPv6 support for now.

But I don't know how I should configure the router in an IPv6 environment so that external hosts are not able to reach my LAN resources, if all LAN resources have globally addressable IPv6 addresses.

I suppose you can configure the router to block all incoming IPv6 traffic except for some specific IPv6 addresses.
Could you point me to a page that explains how to configure the router in an IPv6 environment in OpenWrt?

I have read the documentation but it is too techy for me.

My ISP router does not support IPv6, I think (and I cannot substitute my OpenWrt router for it, as it is under the complete control of the ISP).

When the time comes, it’s really no different than IPv4:

  • Allow forwarding the specific hosts/ports you want
  • Block everything remaining
4 Likes
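The two bullet points above, as an added example rather than anything posted in the thread: the same HTTPS service exposed once under IPv4 and once under IPv6 on an OpenWrt firewall. IPv4 needs a DNAT redirect to the private address; IPv6 needs only an ACCEPT rule towards the host's global address, since nothing is translated. OpenWrt's default wan zone already rejects unsolicited input and forwarding, so "block everything remaining" is the default state and these rules are the only holes. Assumptions not from the thread: the OpenWrt box is the edge router (the OP's ISP router sits in front of his, where this would not apply directly), the server is 192.168.1.253 over IPv4 and 2001:db8:1:2::253 over IPv6 (documentation prefix used as a placeholder), and only TCP 443 is exposed.

```shell
#!/bin/sh
# Added example (not from the thread): one service exposed under IPv4 (DNAT
# redirect) and IPv6 (plain forward rule) on an OpenWrt edge router.
#
# Assumptions, not from the original posts: the OpenWrt box is the edge router,
# the server is 192.168.1.253 / 2001:db8:1:2::253 (placeholder documentation
# address) and only HTTPS is exposed. With no argument the script only prints
# the UCI commands; "apply" executes them and reloads the firewall.

V4_HOST="192.168.1.253"
V6_HOST="2001:db8:1:2::253"
PORT="443"

# IPv4: translate WAN:443 to the private address. 'family ipv4' keeps the
# redirect out of the v6 ruleset.
v4_redirect_cmds() {
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='Forward-HTTPS-v4'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='$PORT'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$V4_HOST'
uci set firewall.@redirect[-1].dest_port='$PORT'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].family='ipv4'
uci set firewall.@redirect[-1].target='DNAT'
EOF
}

# IPv6: no translation, just permit wan -> lan for this one host and port.
# Everything else stays blocked by the wan zone's default REJECT policy.
v6_allow_cmds() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS-v6'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='$V6_HOST'
uci set firewall.@rule[-1].dest_port='$PORT'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
EOF
}

case "${1:-print}" in
    print) v4_redirect_cmds; v6_allow_cmds ;;
    apply) { v4_redirect_cmds; v6_allow_cmds
             echo "uci commit firewall"
             echo "/etc/init.d/firewall reload"; } | sh ;;
esac
```

One caveat: if the ISP delegates a changing IPv6 prefix, the host's global address changes with it and the `dest_ip` of the v6 rule has to follow, which is the operational price of not having NAT rewrite to a stable private address.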

OK, so the only difference is that you do not have to configure the internal IP of the redirection, as the IPv6 address is globally addressable.

Would you still be able to redirect ports under IPv6 (useful under IPv4 when the port is already used by another service)?

Yes, you could, but one of the big things about IPv6 is getting rid of the major hack of NAT to private address space.

It's hard to come up with any compelling use case, since you just connect to the IPv6 address and port where the service is provided. There isn't really any such thing as "the port already used" since each address has all ports available. If you really have something crazy, you can just add another address to that host, and use that.


Edit: It really isn’t “crazy”. Physical boxes/interfaces running multiple instances of various services on multiple addresses is “standard operating practice” for advanced users.

Yes, you are right, you can add another IPv6 address; I had not thought of it.
I don't know if that eats more resources and might make your device slower, but adding just a couple of them would not hurt.

I was thinking of a web server in a NAS that uses the HTTP ports for its own purposes (accessing the web interface) or things like that.

A couple dozen bytes in the addressing and routing tables aren't going to be a noticeable negative. Little doubt any minuscule change is more than offset by getting rid of NAT and its storage and CPU overhead.

3 Likes

How did you do it? Do you forward app.plex.tv to a local address? Do you have some sort of proxy on the same machine as PMS?

Okay, I run IPv6 too, so this is a little round the houses:

  • I own a domain, "osx.ninja", and keep entries for my hosts up to date with the hosting company
  • PMS runs on a Synology diskstation, imaginatively titled "diskstation.osx.ninja" in DNS
  • its A record is that of my router's WAN interface while its AAAA record is its own IPv6 address
  • the router port forwards (manually, not using UPnP, due to the high CPU bug with PMS and miniupnpd) tcp4:32400 to the server's LAN IP address for remote access
  • dnsmasq forwards all local queries to dnscrypt-proxy v2, and from there upstream to whatever DNS provider I choose

At this point, if I fire up a Plex client on a remote machine it will talk to app.plex.tv, login and get the details necessary to talk to my server over the Internet, via the router's WAN interface and port forward, over IPv4, or directly over IPv6.

The problem, obviously, is that any LAN client trying to connect to Plex on diskstation.osx.ninja over IPv4 will resolve to the public A record (the router's WAN address) and trombone back in again (IPv6 capable clients should go direct). (This also applies to any other service run on that server over IPv4, not just PMS)

The workaround I implemented wasn't to do a full blown split DNS, with separate views and all that malarkey, but simply to ensure that devices on my LAN with an RFC1918 address that also had my router's WAN address in public DNS (i.e. "diskstation.osx.ninja" in this case) have a manual entry in /etc/hosts on the OpenWrt box with their LAN address. dnsmasq is configured by default to use /etc/hosts as a data source before it goes upstream, so those local entries will always trump whatever's in public DNS.

FYI, don't attempt to run PMS on an IPv6 capable network unless you know what you're doing. It's very badly documented, doesn't work properly, and is not supported by Plex.

1 Like

This is how I do it under IPv4.

I have a domain mydomain.tld.

At home I have dynamic IP addresses.
My router (and my NAS) is able to register dynamic IP addresses with several providers, dyndns.com for example.
So I configure my router to register its IP address with the DynDNS service, updating the corresponding A record (or an AAAA too, to configure IPv6) with a name like myownname.dyndns.com.

In the DNS of my domain registrar, I create a CNAME record (to have an easier-to-remember name) called home, with myownname.dyndns.com as the target.

You can create as many CNAMEs as you want with the same target (server.mydomain.tld), in order to have for example several virtual web servers installed on the NAS/server.

So when you query the DNS for home.mydomain.tld, it forwards a query to the DNS at dyndns.com and responds with an alias for myownname.dyndns.com and the IP address provided by dyndns.com (the last dynamic IP address updated by the router).

At home, I have an OpenWrt router with DHCP activated.
It serves the names under a local domain called home.
The NAS has a static lease with the name server and the local IP address (192.168.1.200 for example).
You can establish leases for IPv6 addresses too if you want.

So at home you access the server locally through server.home.

But this way you cannot access the outside names home.mydomain.tld or server.mydomain.tld, as the DNS server of your domain registrar would respond with the WAN address of your router.

To be able to access the server from inside and outside with the same name (home.mydomain.tld), I create a DNS record in the OpenWrt router (which is the DNS server in my local LAN, configured using DHCP).

An A record with the IP 192.168.1.200 and the name home.mydomain.tld, and another one with the same address and the name server.mydomain.tld.

I would have preferred a CNAME pointing to server.home, but it seems that dnsmasq does not provide CNAME records (a pity).

Thus home.mydomain.tld and server.mydomain.tld are resolved to 192.168.1.200 when queried from inside the home LAN (resolved by the dnsmasq server in the OpenWrt router).
From the outside they are resolved to the dynamic WAN address of the ISP router, by the DNS server of my domain provider.

If a query for another name like outside.mydomain.tld is made from inside the home LAN, as the dnsmasq server in the OpenWrt router has no record for it, it forwards the query to the internet and it is resolved by the DNS server of my domain provider.

Thus I do not have to duplicate entries in two DNS servers and keep them in sync, one with the local address and the other with the external address.
I just create the records in the home LAN for the services that are provided from a server inside the home LAN.

Then you have to create the port redirections in your ISP router as usual, as WiteWulf said, depending on the ports that the service you want to provide from within your LAN uses.

Be careful, as opening ports opens security holes into your LAN.

It is usually a better choice to create a VPN to access your home LAN resources, and only open the ports for the services you want to be public and provided from your local LAN.

1 Like
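The recipe in the post above, as an added example that is not the poster's own configuration: the static lease as UCI commands, the two public names answered locally, and an offline audit that lists public names still answering with the WAN address but lacking a LAN override, which are exactly the names LAN clients would trombone through the router for. For the local names this example uses dnsmasq's `cname=` option (OpenWrt `config cname` sections) rather than the A records the post uses; dnsmasq does accept CNAMEs, with the limit that the target must be a name dnsmasq itself knows (a static lease with `dns=1`, an /etc/hosts entry or another cname), not one learned from upstream, which `server.home` satisfies once the lease is in place. Assumptions not from the thread: the NAS MAC address is a placeholder, 203.0.113.7 stands for the current dynamic WAN address, and the name/address lines fed to the audit are constructed sample data in the shape of what a public resolver answers.

```shell
#!/bin/sh
# Added example (not from the thread): static lease + local CNAMEs for the
# public names, plus an offline audit of which public names still need an
# override. Assumptions, not from the original posts: placeholder NAS MAC,
# 203.0.113.7 as today's WAN address, constructed sample answers below.
# With no argument the script prints the UCI commands; "apply" runs them;
# "audit" runs the check against the constructed sample.

NAS_MAC="aa:bb:cc:dd:ee:ff"
NAS_IP="192.168.1.200"
LOCAL_DOMAIN="home"

# 1. Static lease. dns=1 makes dnsmasq answer server.home itself, which is what
#    lets the cname sections below use it as a target.
lease_cmds() {
    cat <<EOF
uci add dhcp host
uci set dhcp.@host[-1].name='server'
uci set dhcp.@host[-1].mac='$NAS_MAC'
uci set dhcp.@host[-1].ip='$NAS_IP'
uci set dhcp.@host[-1].dns='1'
uci set dhcp.@dnsmasq[0].domain='$LOCAL_DOMAIN'
uci set dhcp.@dnsmasq[0].local='/$LOCAL_DOMAIN/'
EOF
}

# 2. Public names answered locally as aliases of the lease name. Only the
#    target lives in one place, so a change of NAS address touches one record.
override_cmds() {
    for n in home.mydomain.tld server.mydomain.tld; do
        echo "uci add dhcp cname"
        echo "uci set dhcp.@cname[-1].cname='$n'"
        echo "uci set dhcp.@cname[-1].target='server.$LOCAL_DOMAIN'"
    done
}

# 3. Audit. stdin: "name ip" lines as answered by a public resolver.
#    $1: WAN address; remaining args: names already overridden locally.
#    Prints every name that points at the WAN address without an override.
audit_trombone() {
    wan="$1"; shift
    while read -r name ip; do
        [ -n "$name" ] && [ "$ip" = "$wan" ] || continue
        covered=0
        for o in "$@"; do [ "$o" = "$name" ] && covered=1; done
        [ "$covered" = 1 ] || echo "$name"
    done
    return 0
}

# Constructed sample: two names share the WAN address, one lives elsewhere,
# and only home.mydomain.tld has been overridden so far.
SAMPLE_ANSWERS='home.mydomain.tld 203.0.113.7
server.mydomain.tld 203.0.113.7
outside.mydomain.tld 198.51.100.9'

case "${1:-print}" in
    print) lease_cmds; override_cmds ;;
    apply) { lease_cmds; override_cmds
             echo "uci commit dhcp"
             echo "/etc/init.d/dnsmasq restart"; } | sh ;;
    audit) printf '%s\n' "$SAMPLE_ANSWERS" | audit_trombone 203.0.113.7 home.mydomain.tld ;;
esac
```

For real use, feed the audit with the current public answers for the names you care about (one `name ip` pair per line) and the WAN address the router registered with DynDNS; any name it prints is one that still resolves to the router from inside the LAN and needs an override, which is the one step the post's approach leaves to the administrator.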