Topic: Cloudflare Tunnel Internal Pointing (Unbound + AdGuard Home too!) (Read 1470 times)
sav2880, on: December 16, 2023, 04:20:25 am
Let's lay out my network here. It's nothing special, using OPNsense on a decent PC with Unbound and AdGuard Home handling some DNS needs there. Have those configured nicely enough at this point that I am getting local names properly.
I recently switched over to using Cloudflare Tunnels for exposing internal applications because the Unraid package of nginxproxymanager got incredibly unreliable and didn't want to let me register for Let's Encrypt tunnels, and I'm not good enough at this stuff to diagnose someone else's Docker container, much less one in Unraid! Cloudflare Tunnel offered a zero trust solution, so got a new domain to use and off we go.
The only problem? When using it internally, it's hairpinning the traffic out to the internet and then back into my network; I can tell it's doing this based on both the access speed and the reporting I get from OPNsense.
Guess my question is, based on this, knowing that the Cloudflare traffic is always going to be on a given domain (we'll call it homenet.app), how can I ensure that traffic flows internally when I am internal?
Notes:
* The Cloudflare Tunnel container is also on Unraid, I know it needs little to no config to work.
* The apps I am using also tend to be Docker containers on Unraid so they're not network split, at least not at this point. If I needed to, I could look at giving these their own IP address for the purpose of using internal DNS for certain names if that's my easiest route. Don't think that'll break Cloudflare provided I, of course, alter the internal IP it points to.
Thanks!
bartjsmit, Reply #1 on: December 16, 2023, 10:00:12 am
https://en.wikipedia.org/wiki/Split-horizon_DNS
sav2880, Reply #2 on: December 16, 2023, 06:01:39 pm
Quote from: bartjsmit on December 16, 2023, 10:00:12 am
https://en.wikipedia.org/wiki/Split-horizon_DNS
Trust me, know my Split DNS, use it at work every day. I just want to see how Cloudflare Tunnel would change it.
I'm guessing based on the response, I need to do what I suggested below ... drop the various Docker apps on different internal IPs so that I can give a dedicated DNS address internally to, say, files.homenet.app as opposed to several apps pointing to the same IP but on different ports, as then they could live on port 80 or 443 and work as expected.
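Added example, not part of any post in this thread: a sketch of the split-horizon plan discussed above, which emits Unbound `local-zone`/`local-data` overrides for homenet.app and flags the apps a DNS override alone cannot serve because they sit on a non-default port. The hostname-to-origin mapping, all addresses and ports, and the function name `plan_split_dns` are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: public hostname -> origin URL, in the shape of a tunnel's
# hostname-to-service mapping. Hostnames, addresses and ports are made up.
INGRESS = {
    "files.homenet.app": "http://192.168.1.50:8080",
    "photos.homenet.app": "https://192.168.1.51",
    "wiki.homenet.app": "http://192.168.1.52",
    "notes.homenet.app": "http://notes-container:3000",
}
DEFAULT_PORT = {"http": 80, "https": 443}


def plan_split_dns(ingress, zone="homenet.app"):
    """Return (unbound_lines, needs_work) for an internal view of `zone`."""
    # "transparent": names with local-data are answered locally, every other
    # name in the zone still resolves upstream (and so still uses the tunnel).
    lines = [f'local-zone: "{zone}." transparent']
    needs_work = {}
    for name, origin in sorted(ingress.items()):
        url = urlsplit(origin)
        try:
            addr = ipaddress.ip_address(url.hostname)
        except ValueError:
            needs_work[name] = "origin is a name, not an IP; give it a LAN address"
            continue
        if addr.is_loopback or not addr.is_private:
            needs_work[name] = f"{addr} is not a LAN address clients can reach"
            continue
        port = url.port or DEFAULT_PORT.get(url.scheme)
        if port not in (80, 443):
            # DNS carries no port: a client using the public URL would connect
            # to :80/:443 on this address and miss the app.
            needs_work[name] = f"listens on :{port}; needs its own IP on 80/443"
            continue
        rtype = "A" if addr.version == 4 else "AAAA"
        lines.append(f'local-data: "{name}. IN {rtype} {addr}"')
    return lines, needs_work


if __name__ == "__main__":
    unbound, todo = plan_split_dns(INGRESS)
    print("\n".join(unbound))
    for host, reason in todo.items():
        print(f"# {host}: {reason}")
```

Names answered from `local-data` go straight to the origin, so internal clients no longer pass through Cloudflare or any access policy applied there for those hostnames.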