Self-Hosted Main

504 readers

1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Awesome-Selfhosted List of Software
Awesome-Sysadmin List of Software

founded 1 year ago

MODERATORS

communick@selfhosted.forum

what happens to lan traffic when you leave the local network - home (alien.top)

submitted 1 year ago by Lazy-Fig-5417@alien.top to c/main@selfhosted.forum

7 comments fedilink hide all child comments

I have FQDN.

# 1

I did configure unbound on opnsense router to override all hosts of mydomain.com to local IP of my server.

Local server is ruuning SWAG who creates ssl with lets encrypt using dns validation. I did not forward / open any ports on router so those services are NOT accessible from internet.

I can access all my services localy over some_subdomain.mydomain.com

# 2

I did configure DNS records at my registrant to point to my webhosting (normal external company) and create simple html page. So when I am browsing mydomain.com and I am not at home I get that simple page.

question:

I leave home so I am not at home network and not using VPN then my laptop or phone are trying to resolve mydomain.com because some application wants to connect to service. They get IP of webhosting and trying to communicate with it.

Should I be worried about sensitive data being leaked? At least, webhosing can log requestes where it can see my subdomains and url path ...

what is your setup? what is your opinion? is there any better solution beside VPN { I dont want to open VPN always when leaving home }

thanks

top 7 comments

sorted by: hot top controversial new old

[–] thekrautboy@alien.top 2 points 1 year ago

I use a subdomain for all my local services.

example.com then local.example.com and for the services service.local.example.com

This way i can still use Lets Encrypt but i also have a clear separation between actual services that are public facing and things i keep local only.

Fitting this to your setup when *.local.example.com points as CNAME to your local reverse proxy, then you can access it fine when at home. When youre away and your laptop tries to access it again, it still retrieves a local IP from the DNS, which of course fails, and because of that your webhoster at example.com doesnt receive any attempts at subdomains etc, you completely bypass it.

[–] joecool42069@alien.top 1 points 1 year ago (1 children)

what happens to lan traffic when you leave the local network - home

it become wan traffic.

[–] Lazy-Fig-5417@alien.top 1 points 1 year ago

yes, that's clear, I am trying to avoid that.

before I did start to use my own domain I did used duckdns.org as many people. well, maybe they did open / forward ports to local server but if not then same problem occur.

[–] flaming_m0e@alien.top 1 points 1 year ago

Should I be worried about sensitive data being leaked?

If you're not exposing any services over the internet...no?

Can you elaborate on this a bit more because I'm trying to figure out where you would arrive at that conclusion that it would be possible. Perhaps there's something in your setup that you haven't explained fully.

[–] VeronikaKerman@alien.top 1 points 1 year ago

The processes that run on your laptop trying to connect your LAN services, would, outside of Lan, resolve the public DNS record and try to connect to the web hosting server. If the port is 80/443, they would indeed establish connection with the public web server, which could log those requests. This is when certificates and encryption comes into play. If your client programs are using TLS and are not buggy, and you have not uploaded your private certificate key to the public web server, they would just error out, and noting will be leaked. Split horizon DNS (what you are doing) is similar to DNS spoofing attack, TLS/SSL/HTTPS defeats such attacks. You secured your server (by not opening ports), but clients need to be secured too.

[–] kzshantonu@alien.top 1 points 1 year ago (1 children)

I set public DNS of my internal service hostnames to 0.0.0.0. That way if my internal DNS fails, it cannot resolve to a random IP

[–] Lazy-Fig-5417@alien.top 1 points 1 year ago

thanks for good tip