
Setup split DNS to external CNAME when resolving within an internal CoreDNS?

ne flag

I have an internally hosted DNS resolver via CoreDNS running on my network. Everything is great aside from one thing, which is I cannot load my apex domain when connected over VPN. The reason is that the zonefile maps my domain name to the internal IP of NGINX, which has a ton of subdomain entries for my domain.

  • thing1.example.com <- works
  • thing2.example.com <- works
  • example.com <- does not work.

Specifically, I want to load this website from outside my network.

I thought I would have a CNAME entry in the Zone file that routes traffic, even on VPN to my site hosted externally by Cloudflare, but apparently I am now going beyond my knowledge. How can I achieve this and what is this type of thing called?

Here is my zone file

$ORIGIN example.com.
@   3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
                2017042746 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
* 3600 IN A 172.16.0.2 ; this is the private static IP I assigned to NGINX on the internal network
example.com. 3600 IN CNAME proxy.example.com.

The A record is good. I just added this CNAME but it does a loop back into NGINX and loads the wrong site.

proxy.example.com is a CNAME record in Cloudflare DNS that points to example.com. Doesn't work when connecting over VPN though. Maybe someone with some solid networking knowledge can explain this one to me.

jp flag
Does this answer your question? [Why can't a CNAME record be used at the apex (aka root) of a domain?](https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain)
ne flag
@EsaJokinen no as I'm still unsure how to resolve my situation which is to have external DNS resolution to a domain from internal DNS.
jp flag

Problems with your current attempt:

What could work:

  1. Add an internal copy of the proxy.example.com. A. It must be configured exactly as the corresponding record on global DNS hierarchy, and should be updated separately whenever the external copy is updated.
  2. Add example.com. IN A 172.16.0.2 pointing at your Nginx.
  3. Configure the Nginx to perform an HTTP redirect from http(s)://example.com/ to http(s)://proxy.example.com/.

Best practices:

  • Do not use the same zone externally and internally.
  • You could delegate a subdomain of your external domain for internal use.
    • E.g., thing1.internal.example.com
ne flag
I'm still confused here. proxy.example.com is a site hosted by Cloudflare. There isn't a single IP for this domain and it doesn't allow direct IP access. Am I missing something?
ne flag
Additionally, I'm unsure how a 301 on nginx would work, as DNS resolution would, again, resolve to the internal IP.
jp flag
Without the actual domain there are too many details unknown to us.
jp flag
But in general: do not use split DNS. It creates more problems than it can solve.