[GTALUG] server question

John Sellens jsellens at syonex.com
Wed Jan 22 00:14:17 EST 2020


You want a server name (FQDN) that works internally, but not externally.
Just stick it in DNS.

Generally you likely have DNS configured somewhere for some domain.
You can add an A record with machine1's internal address e.g.

    intservice.mydomain.com IN A 192.168.10.101

Even if you stick that in public DNS, there's no access through your
firewall from outside to inside, so often not a big deal.  (It would
potentially leak information about your name intserver.mydomain.com.)

You likely have a firewall/router at the edge of your internal network.
Many firewalls provide DNS service e.g. pfsense provides a DNS resolver
and you can add entries there that are only visible internally, even if
most of your DNS is external.  See also the dnsmasq server.

You may have internal DNS servers running internally - you can add
records there.

Don't want to use your public domain name?  Buy another domain, and use
it only internally - set up DNS the same way.  You can even just make
up a domain, but that means that you run the risk of not being able
to get to legit external servers, if someone else uses that domain.
And it means you won't be able to get real SSL certificates.

Or use a subdomain of your domain (e.g. internal.mydomain.com).

Last few places I've been, we've purchased a separate domain just for
internal use.  We exposed a little bit of it in public DNS (e.g. a
wildcard for *.myinternal.com) so that we can get letsencrypt SSL
certificates for use on internal only machines.


Note that some firewalls try to protect against DNS rebinding attacks,
and won't give you an internal address from a public DNS server. You
can usually whitelist specific domains.  e.g.  I have intwww.syonex.com
as an A record in public DNS to 192.168.1.2 and I tell my pfsense
firewall to trust syonex.com's DNS and give me that address internally.

Remember - DNS is your friend.  Tools like dnsmasq let you do weird
but useful things with DNS.

Hope that helps!

John


On Tue, 2020/01/21 10:03:53PM -0600, o1bigtenor via talk <talk at gtalug.org> wrote:
| I wasn't thinking of IP addresses - - - rather I was thinking of something
| like example.com but not that. Trying to come up with something so
| that if machine 1 has the server program that machine 2 can access
| machine1 just by using machine1 in the browser.
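As an added illustration of the dnsmasq approach John describes (example configuration, not part of the original post): one dnsmasq.conf that publishes an internal-only record, turns on rebind protection, and whitelists the one public zone that is allowed to return a private address. The hostnames and addresses are the ones from the post; the upstream resolver 1.1.1.1 is an assumption.

```ini
# Added example (not from the post): dnsmasq as the internal resolver on the
# edge firewall/router. Names and addresses mirror the post; the upstream
# resolver is an assumed placeholder.

# Internal-only name, answered from this file and never published in public DNS.
address=/intservice.mydomain.com/192.168.10.101

# Let bare hostnames (e.g. "machine1" typed in a browser) resolve by appending
# an internal subdomain of the public domain, as the post suggests.
domain=internal.mydomain.com
expand-hosts

# DNS rebinding protection: discard upstream answers that point into
# private address ranges, except loopback answers.
stop-dns-rebind
rebind-localhost-ok

# Exception: syonex.com is trusted to hand out an internal address, so
# intwww.syonex.com -> 192.168.1.2 from public DNS is passed through.
rebind-domain-ok=/syonex.com/

# Everything else goes to the public resolver (assumed upstream).
server=1.1.1.1
```

Queries for names not listed here are still forwarded upstream, so external names keep working while only the whitelisted zone may answer with an RFC 1918 address.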

