Noob question about name resolution

Hi community!
I’m kind of beginner, and would need your advise to properly configure the name resolution on my network.

1/ background:

INTERNET → Box --red–> IPFIRE --green–> LAN (self-hosted domain // PC, etc)

I host a server on my lan (proxmox) with different sub-domains for each app.
e.g: plex.mydomain.net // adguard.mydomain.net, etc.

Reverse proxy is done by Nginx Proxy Manager, hosted on Proxmox as well.

2/ name resolution

I believed that this setup would locally resolve my domains (I have NOT edited any /etc/hosts).
But what I see on my logs and by using Cloudflare is that finally my request from GREEN to GREEN to access one of my sub-domain is resolved by Cloudflare DNS instead of being resolved locally.

I find it absurde, and I’m sure there is a simple solution for that.

Do you know what is this solution?
Maybe altering the /etc/hosts of IPFIRE or ADGUARD or NPM??

thanks

@capitainabloc

Have a look at this : Hosts

how is your DHCP setup? (send a screenshot please).

here is mine for reference

Screen Shot 2022-04-08 at 6.25.16 PM1958×614 84.6 KB

Hi Jon,
here is:

image1349×486 29.5 KB

I’ve put my domain name in domain suffix.

When having a look on my various sub-servers access logs, if I use the domain name to access from lan (instead of local IP), the IP shown accessing the service is the Cloudflare IP for those proxied by Cloudflare or my external IP for those not under Cloudflare.

many thanks

Do you have all your internal hosts defined in the IPFire Hosts page? WUI menu Networking - Edit Hosts.

IPFire first checks host names, fully qualified or not, in the file created from the WUI Host page.

Without them specified there then IPFire does not know about that host by the host name or FQDN and will then try to find it externally.

Oh OK, then I will.
just another question:

hostname: “adguard” or “adguard.mymydomain.net”?

and

domain name: “mymydomain.net” or “adguard.mymydomain.net”?

On the Hosts page you would put

but without the quotes.

and for the hostname

again without the quotes.

That way uou will be able to refer to the pc by either the hostname alone (IPFire will take the domain name as what you have defined) or you can use the FQDN to refer to your server. Both will work.

thanks for your replies!
I’ll do some tests and monitor logs

I think we are missing the point here. Judging by the DHCP config all LAN devices get primary DNS .206 (adguard) and secondary dns .150 (pihole). Even if you put your LAN device names in your ipfire host section they wouldn‘t get queried. This would only work if your ipfire box is primary dns and uses adblock and pihole as its dns source. So DNS queries would go: LAN-> ipfire → adblock → pihole → upstream DNS. Though I would consider that overly complicated honestly.

Hi Hagen,
Well caught. I completely missed that. I didn’t look closely enough at the dhcp details.

So if adguard is the primary dns then it needs to hold the host info, correct?

Hi all,
thanks for your commited answers!
I dug a bit and made some tests.

Indeed, wrongful config was coming from Adguard.

So I corrected it by editing the /etc/hosts of my adguard in tthe following way:

all mysubdomains pointing to the IP of my reverse DNS (Nginx Proxy Manager):

# nano /etc/hosts

192.168.1.240   domain.net
192.168.1.240   adguard.domain.net
192.168.1.240   admin.domain.net
192.168.1.240   jeedom.domain.net
192.168.1.240   nextcloud.domain.net
...

still under test, but seems working so far

Great you got it working. However I‘ve a few ideas about your config. The host file you listed has the domain and aliases all other hosts to that. I hope that ‚domain.net‘ is a dummy name for your actual domain. Then you are listing the domain.net as a separate host. I‘m not sure whether that really is your intention!? And last, you have to copy that file to your pihole host file too as you have the pihole listed as secondary dns server. In case your adguard machine goes down, the pihole should serve the same entries then. But then again I‘m still not sure how the pihole is even working in your config. Does it really get dns queries?

yes domain.net is not my real domain name.
if fact this is my setup:

I host various app sites all listed under subdomains of my “domain.net”
Most of them hosted in a Proxmox.

I have removed Pihole, and I finally have one adguard in Proxmox and one other adguard in a RPI or equivalent

on both /etc/hosts of the Adguards, I have

`# nano /etc/hosts`

192.168.1.240   domain.net
192.168.1.240   adguard.domain.net
192.168.1.240   admin.domain.net
192.168.1.240   jeedom.domain.net
192.168.1.240   nextcloud.domain.net

All the requests to port 80 and 443 are redirected by IPFire to my Nginx Proxy Manager (hosted on Proxmox) which has IP 192.168.1.240.

On all subdomains listed on NPM, I set a restricted access list allowing only IP ranges in my LAN and VPN.
Also added a Basic_Auth, all being monitored by Fail2ban.

On top of that all request from outside my LAN are proxied by Cloudflare.

Result, anyone would get a 403 page trying to access my domains (they’re all for a private purpose), unless you are connecting using OpenVPN or Wireguard, that I both host.

If you manage to connect through VPN, basic_auth is waiting for you, and for apps not having a basic_auth (such as Nextcloud), login fails will ban you.

I see DNS queries on Adguard as “Rewritten - 192.168.1.240”

Purpose of all this:

• having fun to geek and understand how is working that
• having a Nextcloud accessible from everywhere, in secured condition
• having VPNs available to avoid any restriction when travelling abroad (for exemple VOIP in countries banning it as UAE, Qatar, etc) as I go often.
• monitoring Jeedom, Portainer, Gameserver, etc…
• and finally, obviously, to keep all the above safe, and accessible only by me.

many thanks again for your commited answer and interest, that helped me to evolve a bit.