
I have an internally hosted DNS resolver via CoreDNS running on my network. Everything is great aside from one thing, which is that I cannot load my apex domain when connected over VPN. The reason is that the zone file maps my domain name to the internal IP of NGINX, which has a ton of subdomain entries for my domain.

  • thing1.example.com <- works
  • thing2.example.com <- works
  • example.com <- does not work.

Specifically, I want to load this website from outside my network.

I thought I would have a CNAME entry in the zone file that routes traffic, even on VPN, to my site hosted externally by Cloudflare, but apparently I am now going beyond my knowledge. How can I achieve this, and what is this type of thing called?

Here is my zone file:

$ORIGIN example.com.
@   3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
                2017042746 ; serial
                7200       ; refresh (2 hours)
                3600       ; retry (1 hour)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
* 3600 IN A 172.16.0.2 ; this is the private static IP I assigned to NGINX on the internal network
example.com. 3600 IN CNAME proxy.example.com.

The A record is good. I just added this CNAME but it does a loop back into NGINX and loads the wrong site.

proxy.example.com is a CNAME record in Cloudflare DNS that points to example.com. Doesn't work when connecting over VPN though. Maybe someone with some solid networking knowledge can explain this one to me.

  • Does this answer your question? [Why can't a CNAME record be used at the apex (aka root) of a domain?](https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain) – Esa Jokinen Jan 06 '23 at 07:16
  • @EsaJokinen no as I'm still unsure how to resolve my situation which is to have external DNS resolution to a domain from internal DNS. – Ryan Jan 06 '23 at 07:18

1 Answer


Problems with your current attempt:

What could work:

  1. Add an internal copy of the proxy.example.com. A record. It must be configured exactly as the corresponding record in the global DNS hierarchy, and should be updated separately whenever the external copy is updated.
  2. Add example.com. IN A 172.16.0.2 pointing at your Nginx.
  3. Configure Nginx to perform an HTTP redirect from http(s)://example.com/ to http(s)://proxy.example.com/.

Best practices:

  • Do not use the same zone externally and internally.
  • You could delegate a subdomain of your external domain for internal use.
    • E.g., thing1.internal.example.com
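Step 3 of the answer as an added Nginx example (not the answerer's own configuration): it assumes Nginx listens on 172.16.0.2 as in the question, that steps 1 and 2 are already in the internal zone, and uses placeholder certificate and upstream values.

```nginx
# Added example (not from the answer): apex redirect on the internal Nginx
# at 172.16.0.2. Assumes the internal zone already carries
#   example.com.        IN A 172.16.0.2                          (answer step 2)
#   proxy.example.com.  IN A <address copied from public DNS>    (answer step 1)
# If proxy.example.com still resolves to 172.16.0.2 for VPN clients, the
# redirect below loops straight back into this server, which is the same
# symptom the question describes with the apex CNAME.

server {
    listen 172.16.0.2:80;
    listen 172.16.0.2:443 ssl;
    server_name example.com;

    # placeholder certificate paths
    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    # Only the bare apex is redirected; the subdomains keep their own
    # server blocks. $request_uri preserves the path and query string.
    return 301 https://proxy.example.com$request_uri;
}

# Existing internal sites stay as they are, for example:
server {
    listen 172.16.0.2:443 ssl;
    server_name thing1.example.com;

    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    location / {
        proxy_pass http://127.0.0.1:8081;  # placeholder upstream
    }
}
```

Test from a VPN client with `curl -I http://example.com/`: a `301` whose `Location` header names proxy.example.com confirms the redirect, and a page from the internal site instead means proxy.example.com is still resolving internally.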
  • I'm still confused here. proxy.example.com is a site hosted by cloudflare. There isn't a single IP for this domain and it doesn't allow direct IP access. Am I missing something? – Ryan Jan 06 '23 at 07:52
  • Additionally, I'm unsure how a 301 on nginx would work as DNS resolution would again, resolve to the internal IP. – Ryan Jan 06 '23 at 07:53
  • Without the actual domain there are too many details unknown to us. – Esa Jokinen Jan 06 '23 at 08:20
  • But in general: do not use split DNS. It creates more problems than it can solve. – Esa Jokinen Jan 06 '23 at 08:22