TLD on LAN only

Hi there!

My knowledge of DNS is limited and that of a beginner, at best.

My current configuration is pretty simple:
WAN (DHCP, IPv6 disabled) > LAN (DHCP, private DNS, IPv6 disabled) > 3 subnets / VLANs.

/etc/config/dhcp (with some static leases from different subnets)

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option add_local_fqdn '3'
        option domain '<private_domain>.lan'
        option local '/<private_domain>.lan/'

config dhcp '<regular_lan_if>'
        option interface '<regular_lan_if>'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option leasetime '2m'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp '<mgmt_if>'
        option start '100'
        option limit '150'
        option interface '<mgmt_if>'
        option leasetime '2m'

config dhcp '<storage_if>'
        option start '100'
        option limit '150'
        option interface '<storage_if>'
        option leasetime '2m'

config host
        option name 'kvm'
        option dns '1'
        option ip '192.168.1.200'

etc...

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0c:289b:50bc::/48'

config interface '<regular_lan_if>'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2t 3t 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '1t 2 3 4t 5t'

config interface '<mgmt_if>'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ifname 'eth0.10'

config switch_vlan
        option device 'switch0'
        option vlan '11'
        option ports '1t 2t 3t 4t 5t'

config interface '<storage_if>'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth0.11'
        option ipaddr '10.11.0.1'
        option netmask '255.255.0.0'
        option delegate '0'
        option mtu '9000'

My current config is serving private DNS to all my subnets and querying upstream DNS for everything else.
I want to purchase a TLD and set that up instead of the private domain, but I would like to do that on a private IP on a DNS server on the local network. I also don't want my (privately setup) TLD domain to be queried from the internet, but still be able to query upstream DNS for everything else.
The DHCP would still be served by OpenWrt.

Why TLD?
For (real) SSL through WILDCARD certificates signed by a service like "Let's Encrypt", rather than self-signed certificates that need to be set up manually on each device and/or each browser.

Why separate DNS server and not dnsmasq?
Because dnsmasq as an OpenWrt package is pretty inflexible, and for better integration with Directory Services, which I want to run on the same server as the DNS.

To the point, my questions are:

  1. Do I need to disable DNS role for dnsmasq on LAN with localuse="0" and port="0"? If so, would my 3rd party DNS server be able to query the upstream DNS, considering port 0?

  2. Can the 3rd party DNS server design work with some package like acme and a service like "Let's Encrypt", while not being queryable from the internet? And if yes, can a guide/tutorial/config example (of acme) be provided?

  3. Considering I don't intend to publish anything on the internet (thus not setting up any NS with my registrar), would a parked domain work with a WILDCARD certificate issuing service?

Thanks in advance for your time and help!

I doubt you can buy a TLD. Maybe a second level domain.

You don't have to. You may point dnsmasq to query the internal server for that particular domain and the lan hosts will keep querying dnsmasq for everything.

No, letsencrypt must be able to resolve the hostname that you are trying to register. Otherwise everyone would be able to create a certificate for a hostname they don't manage.

I don't see why not. As long as you pay them what they request, you can send the certificate signing request and you get back the public certificate and the certificate authority.

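A worked version of the forwarding approach the reply above describes, added here as an example rather than taken from the thread: the dnsmasq section of /etc/config/dhcp keeps its DNS role, forwards only the bought domain to the internal server and leaves everything else on the upstream resolvers. It assumes the domain is example.com and the internal DNS server listens on 10.1.1.53 on the management subnet; both are placeholders.

```uci
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Keep rebind protection on: it drops upstream answers that carry
        # private (RFC 1918) addresses, which is exactly what the internal
        # zone will return, so that one domain is exempted further down.
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        # Answer only clients on directly attached subnets.
        option localservice '1'
        option add_local_fqdn '3'
        # The existing .lan names stay with dnsmasq and are never forwarded.
        option domain '<private_domain>.lan'
        option local '/<private_domain>.lan/'
        # Queries for example.com (placeholder) and its subdomains go to the
        # internal server at 10.1.1.53 (placeholder); no 'local' entry is
        # added for it, so dnsmasq forwards instead of answering itself.
        list server '/example.com/10.1.1.53'
        # Permit private addresses in answers for that domain only; all
        # other upstream answers remain subject to rebind protection.
        list rebind_domain '/example.com/'
```

Apply it with /etc/init.d/dnsmasq restart; the LAN hosts keep the router as their resolver, so neither port '0' nor localuse '0' from question 1 is needed, and the internal server is reached only through dnsmasq from inside the network.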