Internal domain recommended config

Hi,

I obtained a Let’s Encrypt certificate for my nextcloud machine, even though I just use it internally, because it’s easier and more convenient, especially when using android devices to access the nextcloud machine, as some browsers don’t use the user certificates stored on android. So I was able to obtain a Let’s Encrypt certificate using my ddns domain. The problem is that after obtaining the certificate, I disabled port forwarding (don’t want any open ports on my router) to that machine, so now even though I can access the machine using its .lan FQDN (invalid certificate), I can’t access it using the ddns domain for which I got the valid certificate. To solve this problem I added a line to the hosts file with the internal ip of the machine, the internal .lan domain, the external ddns domain and the hostname of the machine. Another way I got it working was to just change the internal .lan domain to the ddns domain (I don’t think this is recommended… but I was just testing), for example if my ddns domain was test.ddns.com, I changed my .lan domain to .ddns.com and changed my nextcloud hostname to test, so that accessing the machine internally corresponded to test.ddns.com. I also found out that there’s an option in dnsmasq that can be used to achieve the same thing, I think it’s something like this: server=/ddns.domain/nextcloud-ip. So, what’s the recommended way to do this? Should I just keep using unsigned certificates and keep dealing with browsers that don’t deal with them very well, or should I register for a TLD and use it as my domain? I think I saw somewhere, can’t remember where, that unsigned certificates are even better than signed ones, when you are the only person that has access to that machine. Any experts that can recommend the best configuration, with the best performance and security in mind? Sorry for the long post and thank you very much in advance.

I’m using both the hosts-variant and the internal domain without any issues. Don’t forget to add the necessary line to kresd, otherwise this will do nothing.
Just out of curiosity: why did you block external access to your nextcloud-instance?

Hi @ssdnvv,
Thank you for your reply! What is the kresd line I should add? I just added the line with the domains and the ip of the machine to hosts file and it just worked. I block external access to nextcloud because I use a VPN to access it. When scanning my external ip, all ports are hidden. I don’t want to give any kind of direct access to my machines, it’s just paranoia, but I always think that some undisclosed/undiscovered vulnerability, or some stupid config on my part, might be used to gain access to that machine and to my network. Thank you.

This I believe, but it’s possible that some defaults have changed or that you have done something like it already.

Thank you very much @vcunat. If I already followed this guide, do I still have to add the static address records to kresd? So using a TLD as my internal domain is a bad idea right? Which is the best option, using a real TLD as internal domain or adding the appropriate options to hosts file and kresd? Thanks.

It should also work. You delegate the subtree to dnsmasq, so that’s all to be done in kresd. Dnsmasq apparently also serves /etc/hosts by default.

Using a domain that you don’t own (e.g. the default lan TLD) always has some risk that someone might some day register it “for real” and create a name clash. For lan that’s very unlikely to happen and we would know in advance, so it’s an acceptable risk for SOHO. A slightly more likely disadvantage is that if you roam with the device to another network, the domains may suddenly point to a different machine, but again, most SOHO users don’t (need to) care…

Ok, understood.
As my wife is using several services (e.g. CalDAV, CardDAV) running on my server on her mobile and WAF of (open)vpn is near zero, that’s no option for me.
I’m paying for the TLD I’m using as my internal domain - that way you will never have any difficulties.

In general, the recommended and safest config is to use a real domain instead of a made-up TLD. The default config lan should be understood as a placeholder.

Best industry practice is e.g. here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/migration_planning_guide/sect-red_hat_enterprise_linux-migration_planning_guide-networking#sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-Networking-Recommended_naming_practices

At home I use domain like home.spackovi.net where spackovi.net is a proper domain name I own.

Hi,
Thank you very much for your replies @vcunat, @ssdnvv, @pspacek. @ssdnvv what do you mean by “WAF of (open)vpn is near zero”? @vcunat turns out that just following the Enable the .LAN Domain Guide isn’t enough for kresd to recognize the hosts in the hosts file, I had to add the static address records to kresd, in order to get things working. @pspacek so if, for example, you had a nextcloud machine running in your domain, its FQDN would be nextcloud.home.spackovi.net? If you had registered the domain just for home usage you could just use the spackovi.net as home domain right? I haven’t registered a domain yet, I’m thinking about it, but right now I just added the appropriate configurations to the hosts file (FQDN and aliases for the internal ip of the nextcloud machine) and to kresd config. I also added the corresponding FQDN and aliases to my apache virtualhosts ServerName and ServerAlias configs. Right now everything is working, even though I’m using my ddns domain as if it was my internal FQDN for my nextcloud machine and its corresponding .lan domain (home domain) as an alias. I don’t know if I could have used a better configuration with better performance and security, in order to accomplish what I wanted, but at least it’s working and until now everything seems stable. Thank you for your tips!
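
For reference, here is what the split-horizon setup described in this thread (static records in kresd plus delegation of the .lan subtree to dnsmasq) looks like as a kresd configuration. This is an added example, not a config posted by anyone in the thread; the address 192.168.1.10, the name test.ddns.com, the “lan” suffix and the dnsmasq listener 127.0.0.1@5353 are all placeholders you would replace with your own values.

```lua
-- Example kresd (Knot Resolver) configuration, constructed for illustration.
-- Goal: on the LAN, answer the public DDNS name with the server's private address,
-- so the Let's Encrypt certificate issued for that name validates without opening
-- any port on the router. Clients roaming outside the LAN still get the public answer.
--
-- Assumptions (placeholders): server 192.168.1.10, DDNS name test.ddns.com,
-- internal suffix "lan", dnsmasq serving DHCP-learned .lan names on 127.0.0.1 port 5353.

-- Load the hints module in front of the iterator so static records are answered
-- locally and the DDNS name is never sent to the public resolvers from inside the LAN.
modules.load('hints > iterate')

-- Static address record: the public name maps to the internal address (split horizon).
-- Note that hints answer A/AAAA only; they are not a general zone override.
hints.set('test.ddns.com 192.168.1.10')

-- Also serve whatever is in /etc/hosts (e.g. the nextcloud.lan alias), so the
-- hosts-file variant and the kresd variant stay in sync from a single file.
hints.add_hosts('/etc/hosts')

-- Delegate the whole .lan subtree to dnsmasq, which knows the DHCP leases.
-- Because "lan" is not a registered TLD, forcing it to a local server also stops
-- these made-up names from leaking to upstream resolvers.
policy.add(policy.suffix(policy.STUB('127.0.0.1@5353'), { todname('lan.') }))
```

Check the result with a client on the LAN: a lookup of test.ddns.com must return 192.168.1.10 while the same lookup from outside the LAN still returns the public address, and the browser must show the Let's Encrypt certificate (issued for test.ddns.com, so the Apache ServerName has to match that name, with the .lan name only as a ServerAlias).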

The hosts file is an independent thing, and you can put whatever names you like in there. The point of the “LAN-domain” approaches (even if using a different suffix) is to automatically have the names dynamically from DHCP.

If you had registered the domain just for home usage you could just use spackovi.net as home domain right?

Yes, that’s entirely possible. I use “spackovi.net” for external-facing stuff so “home.spackovi.net” visually separates internal and external stuff.

WAF: I suppose you’re missing the acronym’s meaning.