I’m finally starting to install local web apps that my wife/kids would be interested in, and I know it has to be super easy or they’re never going to go near it. Most everything is running on my Synology on different ports, with absolutely nothing exposed to the outside world, and I’d like to run local DNS and a proxy so everything is available LAN-only with an easy hostname - plex.local, paperless.local, etc. (If we want remote access I’ll just run Tailscale.) I’m already running PiHole, and I’m assuming if I poke around I can add local names in there, but does anybody else that’s done this have any suggestions for setting things up?

  • stown@sedd.it · 11 upvotes · 1 year ago

    I recommend using a real domain name so you can pull SSL certificates that don’t require the visitor to accept a self-signed certificate.

    • rentar42@kbin.social · 2 upvotes · 1 year ago

      Seconded! I own a domain for our emails (no public Web presence) and use a subdomain (that’s not publicly hosted; the names only exist in my pihole) which allows me to use foo.l.mydomain.com for each service. Since the names don’t resolve publicly you’ll have to use DNS verification for Let’s Encrypt, but that’s not too hard to do.

  • Decronym@lemmy.decronym.xyz (bot) · 11 upvotes · 1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    PiHole Network-wide ad-blocker (DNS sinkhole)
    Plex Brand of media server package
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL

    8 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

    [Thread #23 for this sub, first seen 11th Aug 2023, 06:55]

  • Illecors@lemmy.cafe · 7 upvotes · 1 year ago

    I would suggest avoiding .local as a TLD as it’s used for discovery. .lan is shorter to type!

  • Anafroj@sh.itjust.works · 4 upvotes · 1 year ago

    I don’t use a pihole, but I have a pi with my favorite distro acting as a server, and I use dnsmasq for what you mention. It allows you to set the machine as the nameserver for all your machines (just use its IP in your router’s DNS conf; DHCP will automatically point connected machines to it), and then you can just edit /etc/hosts to add new names, and they will be picked up by the nameserver.

    Note that dnsmasq itself does not resolve external names (e.g. when you want to connect to google.com), so it needs to be configured to relay those requests to another nameserver. The easy way is to point it to your ISP nameservers or to public nameservers like those from Cloudflare and Google (I would really recommend against letting them know all the domains you’re interested in), or you can go the slightly more difficult way as I did, and install another nameserver (like bind9) that runs locally. Gladly, dnsmasq allows you to configure its relay nameserver to be on something other than port 53, which is quite rare in the DNS world. Of course, if you’re familiar with bind9, you could just declare new zones in it. I just find it (slightly 😂) more pleasant to work with /etc/hosts.

    • keyez@lemmy.world · 2 upvotes · 1 year ago

      A pihole runs dnsmasq also, so adding hosts entries and restarting the service accomplishes the same thing as adding entries via the web UI.

  • valkyre09@lemmy.world · 4 upvotes · 1 year ago

    If you use NGINX proxy manager you’ll also be able to use a FQDN with SSL for your local services without them being exposed to the internet. It means your local users won’t see the scary insecure page when they access services.

    You can even set your public dns records to have Plex.yourdomain.tld point to the local IP of NGINX - removing the need for local dns entirely. That way if you do need to access a service outside with tailscale; their subnet router feature will just work out of the box.

    Porkbun are still offering a free .dev or .app domain if you don’t already have one: https://porkbun.com/event/freeappdevdomain

    • funkajunk@lemm.ee · 3 upvotes · 1 year ago

      Yep, I use cloudflare for DNS and just have 2 records configured there:

      • A record - example.com points to 192.168.1.100
      • CNAME - *.example.com is an alias of example.com

      The IP address above being the address of Nginx Proxy Manager, where I configure whatever subdomains I need for my local services.

  • z3bra@lemmy.sdf.org · 4 upvotes · 1 year ago

    I have set up my own DNS locally with unbound(1). It blackholes domains, but I also use it as a caching + forwarder to my external DNS over TLS (for improved privacy regarding my ISP). I don’t do it, but unbound lets you add local data manually to provide direct answers without forwarding it:

    local-zone: "local." static
        local-data: "plex.local. 10800 IN A 10.0.0.3"
        local-data: "paperless.local. 10800 IN A 10.0.0.4"
        local-data: "pihole.local. 10800 IN A 10.0.0.53"
        [...]
    

    Then you can either configure it to include a generated list of domains to explicitly NXDOMAIN, or just forward everything to the pihole:

    forward-zone:
        name: "*"
        forward-addr: 10.0.0.53
    
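    The two approaches above (Anafroj’s dnsmasq + /etc/hosts and z3bra’s unbound local-data) both start from the same hostname-to-IP table. The script below is an added example, not code posted by anyone in this thread: it generates both formats from one table and enforces two checks a defender would want, rejecting `.local` names (reserved for multicast DNS, per Illecors’s point above) and refusing any answer that is not an RFC 1918 IPv4 address, so a typo in the table can never make a LAN name resolve to something outside the LAN. The sample table, the `.lan` zone and the 10.0.0.53 upstream are constructed for the example.

```python
"""Build LAN-only name records for dnsmasq (/etc/hosts) and unbound (local-data).

Added example for this thread, not code posted by anyone in it. It turns one
hostname -> IP table into the two formats discussed above and enforces two
checks: no ".local" names (that TLD is reserved for mDNS, RFC 6762) and only
RFC 1918 IPv4 answers, so a LAN name can never point outside the LAN.
"""
import ipaddress
import re

# Constructed sample table; hostnames and addresses mirror the ones in the thread.
SAMPLE_HOSTS = {
    "plex.lan": "10.0.0.3",
    "paperless.lan": "10.0.0.4",
    "pihole.lan": "10.0.0.53",
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# RFC 1918 private ranges only (ipaddress.is_private is broader than this).
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_name(name: str) -> str:
    """Return the lowercase FQDN without a trailing dot, or raise ValueError."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"{name!r}: not a valid hostname")
    if labels[-1] == "local":
        # Unicast answers for .local collide with multicast DNS (Avahi/Bonjour).
        raise ValueError(f"{name!r}: .local is reserved for mDNS; use .lan or a subdomain you own")
    return name


def validate_private_ipv4(ip: str) -> str:
    """Accept only RFC 1918 IPv4 addresses for LAN-only records."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not any(addr in net for net in _RFC1918):
        raise ValueError(f"{ip!r}: LAN-only records must point at an RFC 1918 IPv4 address")
    return str(addr)


def hosts_lines(table: dict) -> list:
    """/etc/hosts lines; dnsmasq (and therefore Pi-hole) serves these after a restart."""
    return [f"{validate_private_ipv4(ip)}\t{validate_name(name)}"
            for name, ip in sorted(table.items())]


def unbound_local_zone(table: dict, zone: str, ttl: int = 10800) -> str:
    """unbound.conf local-zone/local-data stanza. 'static' makes unlisted names
    under the zone answer NXDOMAIN instead of being forwarded upstream."""
    zone = zone.rstrip(".").lower()
    if zone == "local" or not all(_LABEL.match(label) for label in zone.split(".")):
        raise ValueError(f"{zone!r}: bad zone name")
    lines = [f'local-zone: "{zone}." static']
    for name, ip in sorted(table.items()):
        fqdn = validate_name(name)
        if not fqdn.endswith("." + zone):
            raise ValueError(f"{fqdn!r} is not under zone {zone!r}")
        lines.append(f'    local-data: "{fqdn}. {ttl} IN A {validate_private_ipv4(ip)}"')
    return "\n".join(lines)


def unbound_forward_zone(upstream: str) -> str:
    """Catch-all forward-zone: "." is the root, so every name not answered
    locally goes to the upstream resolver (e.g. the Pi-hole)."""
    upstream = str(ipaddress.ip_address(upstream))
    return f'forward-zone:\n    name: "."\n    forward-addr: {upstream}'


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_HOSTS)))
    print(unbound_local_zone(SAMPLE_HOSTS, "lan"))
    print(unbound_forward_zone("10.0.0.53"))
```

    The private-address check matters for the other approach discussed earlier (a public zone whose records point at a LAN IP): dnsmasq’s `stop-dns-rebind` option drops upstream answers in private ranges, so with that protection switched on those public records stop resolving through the Pi-hole, while names served from local data as above are unaffected.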
    • tburkhol@lemmy.world · 1 upvote · 1 year ago

      I don’t know about unbound, but bind can be configured to talk with dhcpd and allow clients to set their own hostnames.

      In bind.conf:

      allow-update { key "rndc-key"; };

      In dhcpd.conf:

      ddns-update-style interim;
      ddns-updates on;
      ddns-domainname "lan.";
      ddns-rev-domainname "in-addr.arpa.";
      key rndc-key {
              algorithm hmac-md5;
              secret "secret";
      };
      

      No messy tables to maintain.
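      The dhcpd-to-BIND setup above hinges on the shared TSIG key, and the stanza shown uses hmac-md5 (no longer recommended for TSIG) with a placeholder secret. The script below is an added example, not code from this thread or from BIND or ISC DHCP: it generates a proper key stanza the way BIND’s own tsig-keygen tool does (hmac-sha256, 32 random bytes, base64) and lints a hand-written stanza for those two weaknesses. The key name `ddns-key` is an assumption for the example; the same `key { ... };` syntax is accepted by both named.conf and dhcpd.conf, so one stanza is pasted into both.

```python
"""Generate a TSIG key for dhcpd -> BIND dynamic updates and lint a key stanza.

Added example, not code from the thread. BIND's tsig-keygen does the same
generation; this shows what a sound key looks like and flags two weaknesses in
a hand-written stanza: the hmac-md5 algorithm and a short or non-base64 secret.
The key name "ddns-key" is an assumption for this example.
"""
import base64
import binascii
import re
import secrets

STRONG_ALGOS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}
MIN_SECRET_BYTES = 16


def new_tsig_secret(nbytes: int = 32) -> str:
    """Base64 secret from the OS CSPRNG; 32 bytes is the usual size for hmac-sha256."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def key_stanza(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """Emit the key block once; named.conf and dhcpd.conf use the same syntax."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};'


# Matches: key [optional-quotes]name[optional-quotes] { algorithm X; secret "Y"; };
_STANZA = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]*)"\s*;\s*\}\s*;',
    re.S,
)


def lint_key_stanza(text: str) -> list:
    """Return a list of problems found in the first key stanza (empty means OK)."""
    match = _STANZA.search(text)
    if not match:
        return ["no key stanza found"]
    name, algo, secret = match.groups()
    problems = []
    if algo.lower() not in STRONG_ALGOS:
        problems.append(f"{name}: algorithm {algo} is weak or deprecated; use hmac-sha256")
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        raw = b""
        problems.append(f"{name}: secret is not valid base64")
    if len(raw) < MIN_SECRET_BYTES:
        problems.append(f"{name}: secret is only {len(raw)} bytes; use at least "
                        f"{MIN_SECRET_BYTES} random bytes")
    return problems


# Constructed copy of the stanza shown in the thread, for the lint demo.
THREAD_STANZA = """key rndc-key {
        algorithm hmac-md5;
        secret "secret";
};"""


if __name__ == "__main__":
    for problem in lint_key_stanza(THREAD_STANZA):
        print("thread stanza:", problem)
    print(key_stanza("ddns-key", new_tsig_secret()))
```

      Beyond the key itself, BIND’s `update-policy` statement can narrow what a key is allowed to change (for example, only names under the zone) instead of the blanket grant that `allow-update` gives to every holder of the key.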

      • z3bra@lemmy.sdf.org · 1 upvote · 1 year ago

        That’s interesting. Unbound doesn’t support that afaik. The local data feature was requested by OP so I just provided a solution for it.

  • floridaman · 4 upvotes · 1 year ago

    As recommended by others, you might want to use a real public domain that you own, and a reverse proxy for split-horizon DNS. I personally run Bind9, Unbound, and PiHole as my DNS servers. Bind9 handles split horizon, so if I request my domain internally it gets routed through Bind. Then Bind hands it off to PiHole for adblocking, and PiHole makes requests through Unbound set up as a recursive DNS server which doesn’t rely on any external DNS. I also use Traefik as a reverse proxy for all of my services. My setup is more complicated than necessary, and if you want just a few local domains, PiHole + a reverse proxy is plenty good for your needs.

  • liliumstar@lemmy.dbzer0.com · 3 upvotes · 1 year ago

    It’s fairly easy to add local domain names with pihole, so presuming all devices on your network are using it, you shouldn’t have a problem.

  • pe1uca@lemmy.pe1uca.dev · 3 upvotes · 1 year ago

    I use caddy with PiHole. The Caddyfile is easy to set up with your hostname which will be automatically redirected to HTTPS.
    The issue will be the annoying (but useful) alert of a self-signed certificate if you don’t own the domain.
    So I have a cheap domain for my local network and configure caddy to do the acme challenge via DNS instead of HTTP.

    I can give you more details tomorrow.

  • Natal@lemmy.world · 2 upvotes · 1 year ago

    Here to ask questions too. Is it necessary to add stuff to /etc/hosts for this to work LAN-only? Do I have to do port forwarding on my router, and to what?

    I’ve been trying to achieve exactly that for a week now and none of my attempts load at all.

    Is there a resource or YouTube guide explaining all this so I actually know what I’m doing?