By “query”, I mean a FQDN: the idea would be to resolve a public record with an internal IP (domains I own) to make Let’s Encrypt workable from inside the LAN.
My current config uses the hints from /etc/config/dhcp, and this custom snippet:
  -- Synthesise an authoritative A record for names under palver.lan.
  local ffi = require('ffi')
  local function genRR (state, req)
    local answer = req.answer
    local qry = req:current()
    if qry.stype ~= kres.type.A then
      return state  -- only A queries are answered here; other types resolve normally
    end
    ffi.C.kr_pkt_make_auth_header(answer)
    answer:rcode(kres.rcode.NOERROR)
    answer:begin(kres.section.ANSWER)
    -- rdata is the IPv4 address as four raw bytes (Lua decimal escapes): 192.168.10.67
    answer:put(qry.sname, 900, answer:qclass(), kres.type.A, '\192\168\10\67')
    return kres.DONE
  end
  policy.add(policy.suffix(genRR, { todname('palver.lan.') }))
  -- Internal zones: forward to the LAN DNS server as a stub
  policy.add(policy.suffix(policy.STUB('10.64.0.2'), {todname('home.')}))
  policy.add(policy.suffix(policy.STUB('10.64.0.2'), {todname('20.168.192.in-addr.arpa.')}))
  policy.add(policy.suffix(policy.PASS, { todname('20.168.192.in-addr.arpa') }))
  -- Everything else: DNS-over-TLS to Cloudflare, validated against the named CA file
  policy.add(policy.all(
    policy.TLS_FORWARD({
      {'1.1.1.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'},
      {'1.0.0.1', hostname='cloudflare-dns.com', ca_file='/etc/ssl/certs/DigiCertECCSecureServerCA.pem'}
    })
  ))
Setting hints['foo.blabla.com'] = 'my.internal.ip' in the custom configuration doesn’t seem to work (nslookup returns the external IP). Any hint (no pun intended)?
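A generalised form of the genRR action above, as an added example that is not the original poster's configuration: it serves several FQDNs from one name-to-LAN-address table, answers AAAA for those names with an empty NOERROR (NODATA) so a dual-stack client does not pick up the public IPv6 address instead, and lets every other record type resolve normally. It assumes the kres Lua API of Knot Resolver (kres.dname2str, kres.str2ip, policy.suffix); the host names and addresses are constructed placeholders.

```lua
-- Added example, not from the original post: split-horizon A records for
-- several internal FQDNs in one Knot Resolver policy action.
local ffi = require('ffi')

-- Constructed sample map: FQDN (with trailing dot, lower case) -> LAN address.
local internal = {
  ['palver.lan.']     = '192.168.10.67',
  ['nas.palver.lan.'] = '192.168.10.68',
}

local function splitHorizon(state, req)
  local qry = req:current()
  -- qry.sname is the wire-format owner name; convert to 'host.domain.' for lookup
  local name = string.lower(kres.dname2str(qry.sname))
  local ip = internal[name]
  if ip == nil then
    return state  -- not an overridden name: continue with normal resolution
  end
  if qry.stype ~= kres.type.A and qry.stype ~= kres.type.AAAA then
    return state  -- TXT, MX, CAA, ...: keep the public records for these names
  end

  local answer = req.answer
  ffi.C.kr_pkt_make_auth_header(answer)   -- mark the reply authoritative (AA)
  answer:rcode(kres.rcode.NOERROR)
  answer:begin(kres.section.ANSWER)
  if qry.stype == kres.type.A then
    -- kres.str2ip turns the dotted address into the 4-byte rdata put() expects
    answer:put(qry.sname, 900, answer:qclass(), kres.type.A, kres.str2ip(ip))
  end
  -- For AAAA the answer section stays empty: NOERROR with no records (NODATA),
  -- which stops IPv6-preferring clients from reaching the public address.
  return kres.DONE
end

-- Only names under palver.lan. are inspected; everything else never enters the action.
policy.add(policy.suffix(splitHorizon, { todname('palver.lan.') }))
```

Because policy rules are matched in the order they are added, this rule must be registered before the catch-all policy.all(TLS_FORWARD(...)) rule, otherwise the forwarder answers first.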