Hmm. I don't really care enough about leaking home network host names because they are all super generic names like 'router', 'laptop', 'tv', 'nas'. So I use my public zone on cloudflare. I just use internal ip addresses (eg: nas.example.com = 10.1.2.3) on the public zone and DNS01 challenge for let's encrypt. Anyone can resolve the ip for any of my hosts, but obviously you'd need to be on the wireguard vpn to hit them.
This means that I can always use public DNS servers like 1.1.1.1, 8.8.8.8, nextDNS etc
This is not "done right" by any stretch but it's extremely low effort to set up and has never once failed me, unlike countless complex meshy things.
I do the same thing. I'm not worried about them seeing my FQDNs.
I use the form of hostname.int.example.com for everything inside my home network. None of which is accessible to the outside world. I use LetsEncrypt with DNS validation to get the certificates.
If you are going to have all the home stuff on a subdomain (int.example.com) would it work to delegate int.example.com to a DNS server running at home what has internet access, and could handle the ACME DNS challenges for machines on int.example.com?
If it does then you don't have to mess with your public DNS whenever you want to add or renew certificates for home machines.
I'm using the free DNS my registrar provides, which doesn't provide API access unless you upgrade to their paid DNS service and so if I could use a local DNS server for the ACME challenges for the home network I could pick one that is friendly to automation.
> I use the form of hostname.int.example.com […]
Note that int is a valid TLD:
* https://en.wikipedia.org/wiki/.int
* https://datatracker.ietf.org/doc/html/rfc1591
He’s using it as a subdomain.
> He’s using it as a subdomain.
Lots of folks were using "dev" as a sub-domain which was fine until ICANN decide to give Google a TLD:
* https://en.wikipedia.org/wiki/.dev
So if you generally had "search example.com" in you resolv.conf, and were in the habit of having "web01.dev" in places, behaviour may have changed if you were suddenly on a machine that had the "search" line missing (or something else).
What you describe is a user and resolver configuration problem. There are 100's of TLDs and there's always a chance they will conflict with subdomains, either now or in the future as new TLDs are created. I've been using both "int" and "dev" as subdomains since at least 2000 and never had an issue.
> What you describe is a user and resolver configuration problem.
That won't prevent me from getting a ticket saying "the network is down".
Okay, I guess the only solution is to always use FQDNs.
Which can still cause problems depending on your search domain setting and resolver client
I do the same thing and have never had a problem. Maybe I’ve just been lucky for 25+ years. Some hosts have a search path of “int.example.com, example.com”. Others are just “example.com”
Could you give an example? I'm curious, too.
If you generally had "search example.com" in you resolv.conf, and were in the habit of having "web01.dev" in places, behaviour may have changed if you were happen to be on a machine that had the "search" line missing (or something else).
So? I don't see any issue.
I always use FQDNs for everything.
Fair, but what about names that are specific enough to give an attacker a clue to a potential attack surface, like "authelia.example.com" - now they know you've likely got an Authelia setup, and can start digging for exploitable CVEs etc. I'm in the process of removing all my individual certs and replacing with a wildcard cert served by Traefik. Is that a bad idea?
Can they dig for exploitable CVEs if they're not on the Wireguard network? It is a clue to your infrastructure, but I personally think the simplicity is worth it.
My IaC is on public GitHub. They could do a network scan to find software then fingerprint to find version anyway.
Removing attack surface is better than trying to hide it.
How many people out there have attackers doing individualized research to identify services on their home LAN so they can chain a network attack with CVEs in their self-hosted service?
Everyone, now that you can just toss the work at an LLM.
Where are you seeing this? LLMs make it easier to do bulk data analysis / scale attack patterns, but I've not seen anything to suggest they're incentivizing people to do OSINT against random individuals to fire off targeted attacks on home LANs.
The juice isn't really worth the squeeze for the token spend any more than it was worth the human energy.
Do the names resolve to publicly routeable IPs? If not, I wouldn't worry about it.
I don't think this is any less right than using split horizon. IMHO, there is no "right" way to do it. Every approach has downsides and tradeoffs.
This is similar to what I do, except I have my own authoritative DNS servers instead of Cloudflare.
I'd prefer this over split DNS, any day.
At that point why not just use the .ts.net addresses Tailscale provides for free?
Because hostname.tail62bc83.ts.net is a mouthful.
You can change it to something a tiny bit nicer a few times!
Oh! I did not know it was changeable. That’s useful!