Netgate Discussion Forum

Pfsense box linked to domain name : use of that domain name for local machines ?

    phil123456
    last edited by May 25, 2016, 1:51 PM

    hello,

    Behind a pfSense box, I installed a couple of machines to do PHP stuff and other machines to do MySQL replication/load balancing,
    and during install, when Debian asked for a domain name, well, I thought I'd put the same domain name as the WAN of pfSense.

    Then I noticed that PHP pages were using the domain name, but it is of course the same name as my WAN IP,
    so I ended up having connections from my WAN IP to my local MySQL servers, which is weird since I never created any 3306 rules to pass through.

    Also, as I set in the hosts files of all machines (except pfSense) IPs like

    ip1 host1.domain host
    ip2 host2.domain host
    ip3 host3.domain host
    …

    it seems that PHP too was replacing web client IPs by their full domain name, leading to access denied errors.

    So in the end, although all these machines are behind my firewall, I think it was not a good idea to set the same domain name.

    Any advice?

    thanks

      phil123456
      last edited by May 30, 2016, 6:04 AM

      anyone ?

        johnpoz LAYER 8 Global Moderator
        last edited by May 30, 2016, 1:12 PM

        Are you asking if it's a bad idea to use the same domain you use publicly as you do locally?  If so then yeah, I think that is a bad idea to be sure.  Can you work around it?  Yeah.  But what domain you use on a local network really has nothing to do with what domain you might use on a public domain.  Using the same name just leads to confusion.

        Be it the name is registered or a valid TLD doesn't really matter either.  But if you were using say domain.net locally and domain.com publicly, and there was nothing set up for domain.net, you would be ok.  But if someone registered that and started putting records out there, that could cause you issues depending on how you resolve stuff.

        So I would advise, if you like the name domain, register all the TLDs in that domain that you might use, be it public or local.  Or just use a non-public TLD locally; I use .lan for example.  So I don't really care if someone has local.com public.  It makes no matter to me since that is not my domain, etc.

        There are specific TLDs I would stay away from locally, like .local, which has been ruined by Apple.  I wouldn't use something that might be public soon.  Now that you can get your own public TLD with $$, who knows what will be next.  I would think .lan would be a bad choice so don't think that will be an issue too soon.

        But yes, using the same domain public and local can be problematic if you don't have a full handle on what is being resolved from where and are sure that your split DNS is working correctly, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          phil123456
          last edited by Jun 2, 2016, 1:54 PM

          Well ok, so what do people usually do? Just no domain on their local machines?

          It's quite silly since they are part of that domain, unless "domain" is only WAN related.

          I'll have to change all my machines now ha ha

          thanks anyway,

          it's clearer for me now :-)

            kpa
            last edited by Jun 2, 2016, 2:10 PM

            I would just use "mylan" as the domain name on LAN hosts if the LAN is behind NAT and uses RFC 1918 addresses; whatever you put there is not visible to the outside world (with a few exceptions like sending email). The domain name is not exactly related to any network interface or network. DNS is an external service that answers only FQDN -> IP address queries (yes, there are other types of records than A or AAAA, but they are still variations of the same basic scheme). Setting a domain name on a single host doesn't do much: it only tells the local resolver that it should tag the configured domain name onto names without any dots for queries sent to the DNS resolver, i.e. www -> www.mydomain.tld. That's all that the domain does.

              johnpoz LAYER 8 Global Moderator
              last edited by Jun 2, 2016, 2:30 PM

              As kpa discussed, it comes down to how you want to resolve your machines.. Yes, it's good habit/practice to use an FQDN, be it just local or not.  DNS does not really support a hostname or NetBIOS name.  Sure, you can broadcast for a hostname, but if you want to use DNS then it should be fully qualified.

              I am not a fan of single-label domains, i.e. host.domain; to me this looks like a domain.tld.  A fully qualified name is going to be host.domain.tld.  For your local networks pick a TLD (top level domain) that is not used publicly.  I like .lan, but you could use .mylocaltld or .whatever as your TLD, but put something in front of it so that if you want to use different ones that are all common to your TLD you can, so domain.whatever and otherdomain.whatever, etc., to distinguish your naming convention for different things if you want locally.

              Or use a sub, so for example I use subs on my different segments.. so for example you can have host.dmz.local.lan or host.wlan.local.lan. They are all on my local.lan but are in different segments that I distinguish with the sub..

              So for example, if I do a PTR on an IP, the name that comes back tells me what network segment it's in.

              user@ubuntu:~$ dig -x 192.168.3.253

              ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> -x 192.168.3.253
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44771
              ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;253.3.168.192.in-addr.arpa.    IN      PTR

              ;; ANSWER SECTION:
              253.3.168.192.in-addr.arpa. 3600 IN    PTR    pfsense.dmz.local.lan.

              ;; Query time: 3 msec
              ;; SERVER: 192.168.9.253#53(192.168.9.253)
              ;; WHEN: Thu Jun 02 09:23:33 CDT 2016
              ;; MSG SIZE  rcvd: 90

              user@ubuntu:~$

              So for example that tells me that 192.168.3.253 is the pfSense interface in the DMZ network.

              Setting up proper name resolution is always a sign of a well-organized network if you ask me. All your machines should have an FQDN that tells what network it's in, and you should be able to do a PTR on that IP and get the FQDN back, etc..

              But what you use for a domain locally just comes down to a naming label of your own design is all.  Machines in general will attach their domain to a DNS query that you forget the domain on, and sure, you can set up a search list of suffixes that will be queried and attached to what you query for if you do not specifically end the query with the root . on the end of it.  The behavior will depend on what exactly is doing the query and what OS it's on, etc.  So for example a query with nslookup on Windows doesn't work the same as say your browser might ask for something, or how dig would ask for something.  When you do a query you can always be specific and use the fqdn. where you even put in the . root at the end so no other suffixes are added to that query.


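The three behaviours the posts above describe (the host's domain or search list being appended to single-label names and a trailing dot stopping that, a PTR name being built from an address and its answer telling you the segment, and the original poster's problem of the public domain resolving to the WAN address unless split DNS overrides it) can be shown in one place with a small stand-in resolver. This is an added example, not code from the thread, from pfSense or from Unbound; every zone, name and address in it is constructed for illustration (example.com, local.lan, the 192.168.x.x and 203.0.113.10 addresses), and `LOCAL_OVERRIDES` plays the role that Unbound host overrides play on pfSense.

```python
"""Added example (not from the thread): a tiny stand-in resolver that shows
search-list expansion, the trailing-dot rule, PTR name construction and the
effect of split DNS. All zone data is constructed; names and addresses are
assumptions, not anything from the original poster's network."""
import ipaddress

# Constructed "public" view: what Internet-facing DNS answers for the domain.
PUBLIC_ZONE = {
    "example.com.": "203.0.113.10",       # the WAN address (TEST-NET-3 range)
    "db1.example.com.": "203.0.113.10",
}

# Constructed local overrides, the role pfSense/Unbound host overrides play.
LOCAL_OVERRIDES = {
    "db1.example.com.": "192.168.1.20",
    "www.example.com.": "192.168.1.10",
    "pfsense.dmz.local.lan.": "192.168.3.253",
    "db1.inside.local.lan.": "192.168.1.20",
}

# Constructed reverse zone, the data behind a "dig -x" answer.
PTR_ZONE = {
    "253.3.168.192.in-addr.arpa.": "pfsense.dmz.local.lan.",
    "20.1.168.192.in-addr.arpa.": "db1.inside.local.lan.",
}


def candidates(name, search, ndots=1):
    """Qualified names a stub resolver tries, in order (glibc-style rules):
    a trailing dot means absolute, no suffix is ever appended; a name with
    fewer than `ndots` dots gets each search suffix appended first and the
    literal name last; otherwise the literal name is tried first."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    literal = name + "."
    if name.count(".") < ndots:
        return suffixed + [literal]
    return [literal] + suffixed


def resolve(name, search, split_dns=True, ndots=1):
    """Resolve as an internal client: local overrides win when split DNS is
    on, otherwise the public answer is used. Returns (fqdn, address) or
    (None, None) when nothing matches."""
    for fqdn in candidates(name, search, ndots):
        if split_dns and fqdn in LOCAL_OVERRIDES:
            return fqdn, LOCAL_OVERRIDES[fqdn]
        if fqdn in PUBLIC_ZONE:
            return fqdn, PUBLIC_ZONE[fqdn]
    return None, None


def ptr_name(ip):
    """The in-addr.arpa owner name that 'dig -x <ip>' queries."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def segment_of(ip):
    """Reverse-map an address and read the segment label out of a
    host.segment.local.lan scheme; None if no PTR or a different scheme."""
    fqdn = PTR_ZONE.get(ptr_name(ip))
    if fqdn is None:
        return None
    labels = fqdn.rstrip(".").split(".")
    if len(labels) != 4 or labels[2:] != ["local", "lan"]:
        return None
    return labels[1]


if __name__ == "__main__":
    # The poster's situation: public domain reused locally, no overrides,
    # so "db1" from an inside host comes back as the WAN address.
    print(resolve("db1", ["example.com"], split_dns=False))
    # Same query with split DNS in place: the inside address.
    print(resolve("db1", ["example.com"]))
    # Absolute name: no suffix is tried, even with a search list set.
    print(candidates("db1.example.com.", ["local.lan"]))
    # Reverse lookup names the segment.
    print(ptr_name("192.168.3.253"), segment_of("192.168.3.253"))
```

The `split_dns=False` call reproduces the symptom in the first post: a single-label name, the public domain as the search suffix, and no local override together yield the WAN address, so the client's connection appears to come through the firewall even though no port 3306 rule exists.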
                stan-qaz
                last edited by Jun 2, 2016, 11:08 PM

                I got started using .home for my RFC 1918 LAN many years ago when this RFC was still active:

                https://tools.ietf.org/html/draft-chapin-rfc2606bis-00

                Network Working Group                                   L. Chapin
                Internet-Draft                          Interisle Consulting Group
                Intended status: Standards Track                       M. McFadden
                Expires: December 2, 2011                                      ICC
                                                                      May 31, 2011

                Reserved Top Level Domain Names
                draft-chapin-rfc2606bis-00.txt

                That suggested this list:

                .local
                .localdomain
                .domain
                .lan
                .home
                .host
                .corp

                As mentioned above .local has issues with Apple gear today.

                My pfSense box and anything I put into my DMZ gets a DDNS name, set by a program on that system, from Afraid, as they are a minimal aggravation compared to some others.

                https://freedns.afraid.org/menu/
