this post was submitted on 11 Aug 2023
20 points (91.7% liked)

Selfhosted

40198 readers
751 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm finally starting to install local web apps that my wife/kids would be interested in, and I know it has to be super easy or they're never going to go near it. Most everything is running on my Synology on different ports, with absolutely nothing exposed to the outside world, and I'd like to run local DNS and proxy so everything is available LAN-only with an easy hostname - plex.local, paperless.local, etc. (If we want remote access I'll just run Tailscale.) I'm already running PiHole, and I'm assuming if I poke around I can add local names in there, but has anybody else that's done this have any suggestions for setting things up?

top 18 comments
sorted by: hot top controversial new old
[–] stown@sedd.it 11 points 1 year ago (1 children)

I recommend using a real domain name so you can pull SSL certificates that don't require the visitor to accept a self-signed certificate.

[–] rentar42@kbin.social 2 points 1 year ago* (last edited 1 year ago)

Seconded! I own a domain for our emails (no public Web presence) and use a subdomain (that's not publicly hosted, the names only exist in my pihole) which allows me to use foo.l.mydomain.com for each service. Since the names don't resolve publicly you'll have to use dns verification for let's encrypt, but that's not too hard to do.

[–] Decronym@lemmy.decronym.xyz 10 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
PiHole Network-wide ad-blocker (DNS sinkhole)
Plex Brand of media server package
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL

8 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #23 for this sub, first seen 11th Aug 2023, 06:55] [FAQ] [Full list] [Contact] [Source code]

[–] PasswordIsTaco@infosec.pub 9 points 1 year ago

Pihole can do this out of the box by going to the dns settings and adding a host. Alternatively, if your pihole is also your dhcp provider, you can set the hostname on each and pi hole should resolve it.

https://thiagowfx.github.io/2022/01/pihole-add-custom-dns-mappings/

[–] Illecors@lemmy.cafe 7 points 1 year ago

I would suggest avoiding .local as a tld as it's used for discovery. .lan is shorter to type!

[–] pe1uca@lemmy.pe1uca.dev 5 points 1 year ago

I use caddy with PiHole. The Caddyfile is easy to set up with your hostname which will be automatically redirected to HTTPS.
The issue will be the annoying (but useful) alert of a selfsigned certificate if you don't own the domain.
So I have a cheap domain for my local network and configure caddy to do the acme challenge via DNS instead of HTTP.

I can give you more details tomorrow.

[–] Anafroj@sh.itjust.works 4 points 1 year ago* (last edited 1 year ago) (1 children)

I don't use a pihole, but I have a pi with my favorite distro acting as server, and I use dnsmasq for what you mention. It allows to set the machine as the nameserver for all your machines (just use its IP in your router DNS conf, DHCP will automatically point connected machines to it), and then you can just edit /etc/hosts to add new names, and it will be picked up by the nameserver.

Note that dnsmasq itself does not resolve external names (eg when you want to connect on google.com), so it needs to be configured to relay those requests to an other nameserver. The easy way is to point it to your ISP nameservers or to public nameservers like those from Cloudflare and Google (I would really recommend against letting them know all domains you're interested in), or you can go the slightly more difficult way as I did, and install an other nameserver (like bind9) that runs locally. Gladly, dnsmasq allowed to configure its relay nameserver to be on something else than port 53, which is quite rare in dns world. Of course, if you're familiar with bind9, you could just declare new zones in it. I just find it (slightly 😂) more pleasant to work with /etc/hosts.

[–] keyez@lemmy.world 2 points 1 year ago (1 children)

A pihole runs dnsmasq also so adding hosts entries and restarting the service accomplishes the same thing as adding entries via the webUI

[–] Anafroj@sh.itjust.works 1 points 1 year ago

Oh, ok. Thanks for letting me know. 👍️

[–] wgs@lemmy.sdf.org 4 points 1 year ago (1 children)

I have setup my own DNS locally with unbound(1). It blackholes domains, but I also use it as a caching + forwarder to my external DNS over TLS (for improved privacy regarding my ISP). I don't do it, but unbound let's you add local data manually to provide direct answers without forwarding it:

local-zone: "local." static
    local-data: "plex.local. 10800 IN A 10.0.0.3"
    local-data: "paperless.local. 10800 IN A 10.0.0.4"
    local-data: "pihole.local. 10800 IN A 10.0.0.53"
    [...]

Then you can either configure it to include a generated list of domains to explicitly NXDOMAIN, or just forward everything to the pihole:

forward-zone:
    name: "*"
    forward-addr: 10.0.0.53
[–] tburkhol@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

I don't know about unbound, but bind can be configured to talk with dhcpd and allow clients to set their own hostnames

In bind.conf allow-update { key "rndc-key"; };

In dhcpd.conf

ddns-update-style interim;
ddns-updates on;
ddns-domainname "lan.";
ddns-rev-domainname "in-addr.arpa.";
key rndc-key {
        algorithm hmac-md5;
        secret "secret";
};

No messy tables to maintain.

[–] wgs@lemmy.sdf.org 1 points 1 year ago

That's interesting. Unbound doesn't support that afaik. The local data feature was requested by OP so I just provided a solution for it.

[–] valkyre09@lemmy.world 4 points 1 year ago (1 children)

If you use NGINX proxy manager you’ll also be able to use a FQDN with SSL for your local services without them being exposed to the internet. It means your local users won’t see the scary insecure page when they access services.

You can even set your public dns records to have Plex.yourdomain.tld point to the local IP of NGINX - removing the need for local dns entirely. That way if you do need to access a service outside with tailscale; their subnet router feature will just work out of the box.

Porkbun are still offering a free .dev or .app domain if you don’t already have one: https://porkbun.com/event/freeappdevdomain

[–] funkajunk@lemm.ee 3 points 1 year ago (1 children)

Yep, I use cloudflare for DNS and just have 2 records configured there:

  • A record - example.com points to 192.168.1.100
  • CNAME - *.example.com is an alias of example.com

The IP address above being the address of Nginx Proxy Manager, where I configure whatever subdomains I need for my local services.

[–] valkyre09@lemmy.world 3 points 1 year ago

It has never occurred to me to create a wildcard entry for sub domains….

[–] liliumstar@lemmy.dbzer0.com 3 points 1 year ago

It's fairly easy to add local domain names with pihole, so presuming all devices on your network are using it, you shouldn't have a problem.

[–] floridaman@lemmy.blahaj.zone 3 points 1 year ago

As recommended by others, you might want to use a real public domain that you own, and a reverse proxy for split horizon DNS. I personally run Bind9, Unbound, and PiHole as my DNS servers. Bind9 handles split horizon, so if I request my domain internally it gets routed through Bind. Then bind hands it off to PiHole for adblocking, and PiHole makes requests through Unbound set up as a recursive DNS server which doesn't rely on any external DNS. I also use Traefik as a reverse proxy for all of my services. My set up is more complicated than necessary, and if you want just a few local domains, PiHole + a reverse proxy is plenty good for your needs.

[–] Natal@lemmy.world 2 points 1 year ago

Here to ask questions too. Is it necessary to add stuff to etc/hosts for this to work man only? Do I have to do portforwarding on my routeur and to what?

I've been trying to achieve exactly that for a week now and none of my attempts load at all.

Is there a resource or YouTube guide explaining all this so I actually know what I''m doing?