Messages - jazzlover

#1
Thank you for the link to DNSSEC in private networks, that really hit the base. Now I understand this much better (I hope :) ). I certainly need to learn more, thanks for showing the path.

Quote from: cookiemonster on April 11, 2025, 06:44:40 PM
You read it, right? Maybe a re-read ;)

Will do :)
Actually, I screened it right to the point where it states I have the choice between forwarder and authoritative, and I realized (falsely, as it seems :) ) that I should set up my own DNS server as authoritative. Again, I am not experienced with DNS and didn't wrap my head around the entire concept of it. I just know how to set up some simple things. But I will dive into it, I promise :)


#2
@cookiemonster Thank you for a quick reply.

Quote from: cookiemonster on April 11, 2025, 11:34:25 AM
can not avoid a local dns server as in an authoritative one if you want to do dnssec

If I understand correctly, this means I have to replace a DNS provider (currently I use Cloudflare) with my own locally hosted authoritative DNS, which should provide DNS resolution for the entire internet. I didn't realise that when I posted the thread. If this is the case, I am not ready for that (consumer level Internet provider for one reason, relatively unreliable hardware for another...)

I've got another idea: what if I use the OPNsense firewall to simply redirect the IP? E.g. any traffic from the LAN network to the WAN IP address (which is resolved in Cloudflare) would be forwarded to the local nginx IP address, which in turn will serve the apps. Would that work in general? Would it still support DNSSEC and DANE from LAN? And if yes, where exactly should I place such a forward? I mean, in which FW group: LAN, WAN or both? Or would this break the correct network functioning?

#3
Hello there,

I have successfully been using overrides in Unbound for locally hosted web services (e.g. website, mail server, etc.) to access them from LAN. The issue is that with such a setup client apps cannot confirm DNSSEC (Unbound simply provides a local IP for a service, hence no DNSSEC check is in place). I tried to move the overrides to dnscrypt-proxy, hoping that it would perform such a check but, alas, it doesn't work either. I have almost no experience with DNS (except configuring it in DNS/hoster provider for about a dozen subdomains). Probably, I should host a DNS server as well (which, I suppose, could provide DNSSEC validation), but I am not sure. Maybe there is a simpler solution.

Could you please put me on the right track to solve this? If the local DNS server is the only answer, could you please link me to a good tutorial to set up Unbound for such a task? What I would like to achieve is to be able to use locally hosted web apps with DNSSEC and DANE support both from LAN and from Internet.

#4
Hello there,

Sorry to hijack an old thread, but I cannot figure out how to solve this.

I have successfully been using overrides in Unbound for locally hosted web services to access them from LAN. The issue is that with such a setup client apps cannot confirm DNSSEC (Unbound simply provides a local IP for a service, hence no DNSSEC check is in place). I tried to move the overrides to dnscrypt-proxy, hoping that it would perform such a check but, alas, it doesn't work either. I have almost no experience with DNS (except configuring it in DNS/hoster provider for about a dozen subdomains). Probably, I should host a DNS server as well (which, I suppose, could provide DNSSEC validation), but I am not sure.

Could you please put me on the right track to solve this? What I would like to achieve is to be able to use locally hosted web apps with DNSSEC and DANE both from LAN and from Internet.