Which DNS config is needed for NGINX Proxy Manager inside a container?

I've got NGINX Proxy Manager (NPM) as a Docker container listening at (http) and (https). There's also a Heimdall server at

My goal is to access Heimdall at https://heimdall.myserver.lan instead of https://myserver.lan:8444/.

Inside NPM I added a Proxy Host. When I click on http://heimdall.myserver.lan/ the browser says "Server not found."

Of course tcpdump showed NXDOMAIN because the subdomain was unknown. Therefore, I added a new hostname in "Network" -> "DHCP and DNS" -> "Hostnames" which added this config to /etc/config/dhcp:

config domain
option name 'heimdall.myserver.lan'
option ip ''

(spaces not shown correctly)

Now the browser can resolve the server at http://heimdall.myserver.lan but it shows the content of port 80, the local Apache.

How can I add a wildcard subdomain like *.myserver.lan pointing to or :8184? Do I have to add each subdomain explicitly, because some services are (yet) HTTP, and others are HTTPS?

I also got AdGuard Home running in OpenWrt at I recently read that rDNS would be enough since is my only LAN. However, I added


as Upstream DNS servers, pointing to dnsmasq on OpenWrt itself in order to resolve local hostnames.

Any help will be appreciated.

Update: After reading the DNS and DHCP doc I appended option port '8184' to the dhcp config but this didn't change anything. I launched a new browser in private mode to bypass caching.


so your openwrt related question is how to add wildcard subdomain dns entry, right? in luci you'll find the Addresses section:

/myserver.lan/ will do the trick see https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html.

not sure where you read exactly but option port is for configuring DNS listening port. I don't think you can add a port option to a dhcp section.

lastly, this is not strictly owrt related though: your NPM configuration. your NPM is listening on 8183 / 8184 how a browser would know that? if you specify this https://heimdall.myserver.lan in a browser (any browser) it will automatically translate to https://heimdall.myserver.lan:443 due to https default port is 443. you must tell the browser if you are not using default port, i.e. https://heimdall.myserver.lan:8184 so it will go to your NPM (as now all myserver.lan domain and its subdomains will resolve to on the correct port NPM is listening.

are you using this https://github.com/NginxProxyManager/nginx-proxy-manager? it is not talking about alternative ports, exactly the reason how you want to use, i.e. publishing 80 and 443 will take care to have the normal browsing experience (no explicit port).

Thanks, I added the address in DHCP and DNS -> General Settings and removed the Hostname I created earlier at DHCP and DNS -> Hostnames.

Thanks for the hint to the wrong option port. I just read the portion about -A, --address.

The NPM doc states that I should map the ports as 80:80, 81:81 and 443:443. I always thought this was an example, but maybe it's not.

So I stopped apache at :80 and reassigned the NPM container to 80:80, 8184:443 and 8185:81. Unfortunately I cannot assign 443:443 because another important container is already mapped as 443:443 (baikal).

Now the browser cannot resolve the name again. Pinging heimdall.myserver.lan creates NXDOMAIN output.

I understand this is not only an OpenWrt related issue. I appreciate any help. Feel free to ignore all non openwrt related questions. This issue is bothering me for a while. It sounds like it should be something very easy and basic, the NPM doc is pretty straightforward, but I struggle.

A tutorial would be a great help. Do you know any tutorial fitting my problem?

did you flush dns cache on your client pc?

is not the point of having a reverse proxy (NPM in your case) to hide all hosts behind the proxy? why don't you put all your host containers to an internal network and only allow traffic via proxy? i.e. proxy would have two networks, one connecting to world, the other to internal hosts, and all hosts are only connecting to internal network?
or why don't you use another ip address for your baikal container?

I appreciate your time and effort to help, but please don't make things more complicated than they are. Do you know a good tutorial/how to page for my initial problem or for the new things you are suggesting? Or could you express a sentence describing my problem accurately? I can't express it better than "It's just a resolving problem. Something's wrong with my DNS settings."

It was hard to get baikal running, I didn't manage to run it on another port.

I'm not sure if it matters if I flush the DNS cache on my Windows client, because I can see the tcpdump on my OpenWrt router with tcpdump -i eth0 host and port 53 where .30 is my client.

Let me try something. I just flushed the DNS cache on Windows which should also flush it on WSL. Pinging my server from Windows leaves the tcpdump blank, so I'll use WSL. Here is the condensed output:

# ping -c 1 myserver.lan
IP mywindows.lan.56881 > myrouter.53: 4578+ AAAA? myserver.lan. (30)
IP myrouter.53 > mywindows.lan.56881: 4578 0/0/0 (30)
IP mywindows.lan.56881 > myrouter.53: 63733+ PTR? (44)
IP myrouter.53 > mywindows.lan.56881: 63733* 1/0/0 PTR myserver.lan. (70)

But pinging heimdall.myserver.lan or invalid.myserver.lan can't be resolved, despite the fact that I added /myserver.lan/ into the General Settings in DHCP and DNS as you suggested:

# ping -c 1 anything.myserver.lan
IP mywindows.lan.56881 > myrouter.53: 42339+ AAAA? anything.myserver.lan. (39)
IP myrouter.53 > mywindows.lan.56881: 42339 NXDomain 0/0/0 (39)
IP mywindows.lan.56881 > myrouter.53: 6932+ PTR? (44)
IP myrouter.53 > mywindows.lan.56881: 6932* 1/0/0 PTR myserver.lan. (70)
IP mywindows.lan.56881 > myrouter.53: 42339+ AAAA? anything.myserver.lan. (39)
IP myrouter.53 > mywindows.lan.56881: 42339 NXDomain 0/0/0 (39)
IP mywindows.lan.56881 > myrouter.53: 42339+ AAAA? anything.myserver.lan. (39)
IP myrouter.53 > mywindows.lan.56881: 42339 NXDomain 0/0/0 (39)
IP mywindows.lan.56881 > myrouter.53: 42339+ AAAA? anything.myserver.lan. (39)
IP myrouter.53 > mywindows.lan.56881: 42339 NXDomain 0/0/0 (39)

Just for testing I added heimdall.myserver.lan in Windows' /etc/hosts. Now of course the browser can resolve heimdall.myserver.lan and NPM works - with a minor port issue still being there.

So for now forget about ports. How can a subdomain be resolved? Just for reference, it's so easy with a domain provider's DNS management page:

hm, it is not me making your setup complicated. good luck to you.

I'm sorry, you obviously misunderstood my sentence. You are bringing up different solutions involving two networks or even other IP addresses (ranges?). If you think this is the only solution at hand I'm willing to read tutorials about that. But I guess NPM should be easier to set up (and with that, subdomains in general).

Quote from https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#a_and_aaaa_rr

Return on query domain home and subdomain *.home.

This is exactly what I need. The solution adds list address '/myserver.lan/' in the config dnsmasq section. Which is unfortunately what I already did after your first reply with no change. Yes, I restarted dhcp.

Now I use nslookup heimdall.myserver.lan and still see NXDOMAIN at the tcpdump.

Update: Since I'm going to update OpenWrt anyway and it can only be done with a completely new installation on my device, I'll activate the wildcard subdomain before I restore my whole configuration. I'll post again after that, which will be in a couple of days.

Update 2: Wait, it worked with CNAME.


config cname
        option cname 'heimdall.myserver.lan'
        option target 'myserver.lan'

So why does this work, heimdall can be resolved, but list address '/myserver.lan/' didn't? I will maybe see after the new installation.
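
Added example, not code from any poster in this thread: a Python helper that pairs queries and replies in tcpdump output of the form posted above and separates an NXDomain reply from an empty NOERROR reply (NODATA), which both print as 0/0/0, and also flags queries that never got a reply. The capture is constructed; 192.0.2.10 is a documentation address used as a placeholder for the server.

```python
import re

# Constructed sample in tcpdump's one-line DNS format (hostnames as in the thread;
# 192.0.2.10 is a placeholder address, not a value from the thread).
SAMPLE = """\
IP mywindows.lan.56881 > myrouter.53: 4577+ A? myserver.lan. (30)
IP myrouter.53 > mywindows.lan.56881: 4577* 1/0/0 A 192.0.2.10 (46)
IP mywindows.lan.56881 > myrouter.53: 4578+ AAAA? myserver.lan. (30)
IP myrouter.53 > mywindows.lan.56881: 4578 0/0/0 (30)
IP mywindows.lan.56881 > myrouter.53: 42339+ AAAA? anything.myserver.lan. (39)
IP myrouter.53 > mywindows.lan.56881: 42339 NXDomain 0/0/0 (39)
IP mywindows.lan.56881 > myrouter.53: 42340+ A? anything.myserver.lan. (39)
"""

HEAD = re.compile(r"IP (\S+) > (\S+): (\d+)(.*)$")         # src, dst, DNS id, rest
QUERY = re.compile(r"^\S* (?:\[\w+\] )?([A-Z]+)\? (\S+)")   # flags, qtype?, qname
REPLY = re.compile(r"^(?: ([A-Za-z]+))?[*|$-]* (\d+)/\d+/\d+")  # rcode, flags, answers

def classify(capture):
    """Pair queries with replies by (client endpoint, DNS id).

    Returns a list of (qtype, name, verdict) tuples in reply order, followed
    by any queries that were never answered.
    """
    pending, results = {}, []
    for line in capture.splitlines():
        head = HEAD.search(line)
        if not head:
            continue
        src, dst, qid, rest = head.groups()
        query = QUERY.match(rest)
        if query:
            pending[(src, qid)] = (query.group(1), query.group(2).rstrip("."))
            continue
        reply = REPLY.match(rest)
        if reply and (dst, qid) in pending:
            qtype, name = pending.pop((dst, qid))
            rcode, answers = reply.group(1), int(reply.group(2))
            if rcode:
                verdict = rcode.upper()   # e.g. NXDOMAIN: the name does not exist
            elif answers == 0:
                verdict = "NODATA"        # name exists, but no record of this type
            else:
                verdict = "ANSWER"
            results.append((qtype, name, verdict))
    results += [(t, n, "NO REPLY") for t, n in pending.values()]
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

Capturing the A query alongside the AAAA query for the same name shows whether the resolver knows the name at all or only lacks a record of one type.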