I created a short tutorial on using sub domains to access services hosted within my home network, thought I would share it here in case anyone finds it useful
This is the first time I’ve made a technical tutorial so apologise if there are mistakes/its confusing, feedback will be appreciated
Very cool, great work!
Worth noting about this approach is that the global list of subdomains is publicly searchable. So, you’ll see vulnerability and AI scans on those endpoints.
If that’s a concern for you, using path-based routing (e.g. Apache VirtualHost) allows you to use difficult to guess paths to your cloud.
Can you expand on this? What is it that you call the “global list of subdomains”?
Certificate transparency, unless you use wildcard certs
It’d be better and more accurate say the list of certificates then.
Sub domains aren’t public unless your DNS server has XFER on.
Interesting! I’m going to look into this. Not sure my provider has this in their UI
It trivial to get a list of all registered domains and subdomains and the IP addresses they map to. There are any number of paid services to make it easy (e.g. https://subdomainfinder.c99.nl/) but I’m pretty sure there’s also a way to do it yourself.
This is kind of why I have wild card on my main domain… Nothing on www.
Except it isn’t. Saying it is trivial is just gross generalization. It’s trivial to configure bind to have internal zones that aren’t resolvable publically. It all depends on configuration, such as reverse ns entries, zone accessibility, etc.
You can have (sub)domains that are listed in the certificate lists and yet aren’t resolvable externally as well.
Actually, wait. Something you a said might actually be just what I’m looking for: you mean that I can have DNS entry for mydomain.com and no additional CNAMEs, and have a cert for nextcloud.mydomain.com (or wildcard maybe?) and somehow still be able to use name based virtual servers?
Hmmm. I thought I was going to be limited to path-based.
Explain more?
Absolutely. Simply use ACME with the DNS validation method. Using bind you’ll want to create keys and allow TXT access for those keys to the validation domains. Fear not, this isn’t exclusive to bind, ACME tools supports dozens of other backends. That’s all you need the actual domain doesn’t need to be resolvable with an A/CNAME record. Internally you can run an entirely different DNS server to resolve your hosts, use hosts files, or use bind zones.
Okay. Yup, that’s probably true. I’m not that deep into network stuff. But, if you’re just doing the basic, ‘ha.mydomain.com => 121.41.38.9’ that works out of the box with name based virtual hosts and reverse proxy, then yeah, you’ll get traffic on that within 24 hours.
I reckon if a person understands what you’re talking about though, they’re already doing better than most.