DNS on Home Network Through VPN
Summary: You can set the NS record of a domain you own to your home network. If you let DNS pass through to your internal server, it will resolve the names on your network to their internal addresses. Of course, this is only useful if you are at home.
This is a continuation of setting up DNS on your home network.
The last entry was a simple foray into installing DNS on a small home network. As noted though, the home network wasn’t visible when the tablets or other electronics that were connected to a VPN. Presumably this is because the VPN has its own DHCP (or similar) settings that provide their own DNS.
This is how I resolved (no pun intended) how to see my home network when connected to a VPN.
How DNS Finds Your Domain
First, a little background on how DNS works.
When using DNS in your home network, your computer uses the local DNS server to resolve any host names. If the server doesn’t know the address, it forwards the request to another DNS server to resolve.
Public DNS works the same way. When you search for a name, your DNS server may not know the address, so it relies on other, authoritative, servers.
dig trace for kint.xyz:
jaykint@Dads-MacBook-Pro ~/dev/udptty/ dig +trace kint.xyz <<>> DiG 9.8.3-P1 <<>> +trace kint.xyz ;; global options: +cmd . 5129 IN NS b.root-servers.net. . 5129 IN NS j.root-servers.net. . 5129 IN NS e.root-servers.net. . 5129 IN NS c.root-servers.net. . 5129 IN NS h.root-servers.net. . 5129 IN NS f.root-servers.net. . 5129 IN NS i.root-servers.net. . 5129 IN NS a.root-servers.net. . 5129 IN NS m.root-servers.net. . 5129 IN NS k.root-servers.net. . 5129 IN NS d.root-servers.net. . 5129 IN NS l.root-servers.net. . 5129 IN NS g.root-servers.net. ;; Received 228 bytes from 188.8.131.52#53(184.108.40.206) in 449 ms xyz. 172800 IN NS x.nic.xyz. xyz. 172800 IN NS y.nic.xyz. xyz. 172800 IN NS z.nic.xyz. xyz. 172800 IN NS generationxyz.nic.xyz. ;; Received 282 bytes from 220.127.116.11#53(18.104.22.168) in 416 ms kint.xyz. 3600 IN NS home.icosahedron.org. ;; Received 56 bytes from 22.214.171.124#53(126.96.36.199) in 75 ms ;; Received 26 bytes from 188.8.131.52#53(184.108.40.206) in 37 ms
You can likely divine what is happening here. The .xyz domain is held in the root servers (aptly named
root-servers.net), which in turn refer to the xyz authoritative domain servers (
x.nic.xyz, etc.). These servers know about kint.xyz and deliver the NS record, which is my home server
There is a fairly good introduction to DNS published by the Internet Society if you would like more details.
Home DNS via VPN
A little bit of information goes a long way. So, we know we have to somehow make our DNS server available to the internet. But first things first. We need a domain that works on the public internet.
In the previous article, I used kint.home. Well, .home isn’t (yet) available as a domain suffix (TLD), so I needed to pick another name. My registrar of choice, gandi.net, has .xyz domains for cheap. kint.xyz it is!
To be able to reach the authoritative server for kint.xyz (my home server), DNS must be forwarded through the firewall. This is left as an exercise to the reader (since it will depend on your router). (Hint: UDP port 53 is the port to forward.)
Setting NS to Your Home Network
With your own authoritative server, you simply have to set your domain’s NS record to your home network.
Ah, but to set the NS record, you need an IP address to set it to! (Really, the NS record contains a hostname, but that has to resolve to an IP address at least.) If your ISP is like mine, then you have a dynamic address. Well, dynamic DNS to the rescue, but I’ll leave that for the next article.
My home network is available at home.icosahedron.org. Using Gandi’s tools, it’s simply a matter of setting the DNS server for the domain to our home domain.
I’ll be honest, there are security implications to exposing your DNS server to the public internet. There are security implications in exposing anything to the public internet. However, in my research there was no information about concrete attacks from doing this, so I elected to do it for convenience.
To each their own.
With this set, I can now enter my printer name as printer.kint.xyz on my tablet, and it works! Only if I’m actually at my house of course.
Please give any feedback, corrections or advice to firstname.lastname@example.org