Cloudflare Nameservers with Internal IP Not Working

As I understand it, you can set an A record with a public domain name to point to an internal IP. It’s not the ideal setup but it’s nice for easy SSL on internal resources.

I’m doing this with cloudflare with an A record from mydomain dot com to my internal IP and a CNAME record pointing from * to mydomain dot com (had to get around new user link restrictions).

Visiting my.local.ip.addr in the browser returns the expected resource. Visiting mydomain.com or any subdomain results in the browser saying immediately it can’t connect to the server (Chromium gives DNS_PROBE_FINISHED_NXDOMAIN).

Is this an issue with my Cloudflare configuration or with my reverse proxy? I’m using https://github.com/linuxserver/docker-swag which I gave my Cloudflare global API key and seems to be working, it generated certs fine.

You can certainly add an “A” record with an internal address, but there’s no way Cloudflare can proxy it, as it’s internal. Unless you get Magic Transit for a whole lot of money.

I’m not proxying it. Both records are DNS only :grey:. I just want the SSL DNS challenge. See https://docs.linuxserver.io/general/swag#create-container-via-dns-validation-with-a-wildcard-cert.

The diagnostic test gave nothing useful since it’s a local IP as well.

Understood.

Back to DNS_PROBE_FINISHED_NXDOMAIN. That makes it seem like no DNS records are working. You didn’t post the domain so I can’t check it, but I usually use dnschecker.org to see if Cloudflare is your NS and SOA provider. Then make sure you have all the necessary DNS records in your account here.

It works perfectly on DNS Checker. The root and all subdomains resolve to my local IP everywhere.

The error on my phone (on my network) is NSURLErrorDomain which I’m guessing is the same error. When I go directly to the local IP, I get the self signed certificate warning. Is it something with the cert setup?

Turns out I had misconfigured DNS on my LAN (specifically, using the Unbound DNS service on my OPNSense router). It works now.

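The thread ends with the LAN resolver at fault, but never shows how to tell that case apart from a Cloudflare or reverse-proxy problem. The script below is an added diagnostic, not something posted in the thread or part of SWAG: it compares what a public resolver returns for the name with what the LAN resolver returns. The pattern it flags as `lan-filtered` (public DNS answers with an RFC 1918 address, the LAN resolver answers NXDOMAIN) is what a resolver with DNS-rebinding protection produces; that this was the actual Unbound misconfiguration is an assumption, the thread does not say. `1.1.1.1` as the public resolver and the `192.168.x` sample addresses are likewise my choices, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes `dig` is installed and that
# the LAN resolver answers on port 53. `dig +short` prints nothing for NXDOMAIN.

# Return 0 if $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    192.168.*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_answers PUBLIC_ANSWER LAN_ANSWER
# Each argument is the text a resolver returned: one address per line, or an
# empty string for NXDOMAIN / no answer. Prints a one-word verdict.
classify_answers() {
  public="$1"; lan="$2"
  public_ip=$(printf '%s\n' "$public" | head -n 1)
  if [ -z "$public_ip" ]; then
    echo "public-nxdomain"   # record missing at the authoritative side; not a LAN issue
  elif ! is_private_ipv4 "$public_ip"; then
    echo "public-address"    # not the private-IP record this thread is about
  elif [ -z "$lan" ]; then
    echo "lan-filtered"      # public says private IP, LAN says nothing: rebind protection
  elif [ "$(printf '%s\n' "$lan" | head -n 1)" = "$public_ip" ]; then
    echo "consistent"        # LAN resolver passes the private answer through unchanged
  else
    echo "lan-mismatch"      # LAN resolver overrides the record (local zone, host override)
  fi
}

# diagnose NAME LAN_RESOLVER_IP: live comparison using dig (needs network).
diagnose() {
  name="$1"; lan_ns="$2"
  pub=$(dig +short @1.1.1.1 "$name" A)      # assumption: 1.1.1.1 reachable as public resolver
  lan=$(dig +short @"$lan_ns" "$name" A)
  classify_answers "$pub" "$lan"
}

# Example invocation (constructed values): diagnose app.example.com 192.168.1.1
```

A `lan-filtered` verdict points at the resolver rather than at Cloudflare or the proxy; in Unbound the documented way to let a named zone return private addresses is the `private-domain` option, which is where to look on an OPNsense box before touching the DNS records or the certificate setup.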