DNS: Delegated Subdomain DNS on private home network

I have a domain at Cloudflare. DNS records for the top level domain appear to work normally, and I can add/remove/edit records from the Cloudflare dashboard without issue.

I want to set up a sub-domain for some personal lab machines and delegate the queries for records in that subdomain to a pair of DNS servers at my house (in RFC1918 space on my home network).

I followed the Cloudflare instructions for Delegating Subdomains Outside of Cloudflare and, as far as I can tell, there's no issue with my DNS config; however, I cannot query my subdomain's DNS records successfully from my home network.

If I run dig hostname.subdomain.domain.com I don't get an A record answer returned. I've tried using 1.1.1.1, 1.0.0.1 and 8.8.8.8. However, if I add the trace option (dig hostname.subdomain.domain.com +trace) I do receive the correct A record answer.

If I query my internal DNS servers directly I get the correct answer as well. I feel like this is my fault and I'm missing something either at Cloudflare or with my named config, but I've been looking around both here in the Cloudflare community and on the general internet all morning and I'm still stuck.

Any advice on what to do, or other places to look?


If the nameserver is only available on your private network, you need to use a resolver that is also hosted on your private network.

Public resolvers will obviously be unable to query nameservers on your private network.

This works because dig then queries your local nameservers directly instead of relying on a recursive resolver.

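To make the point above concrete, here is what the Cloudflare-side delegation looks like written out in zone-file notation. This is an added example, not taken from the thread or from Cloudflare's documentation; the names lab.example.com, ns1/ns2 and the addresses 192.168.1.10 and 192.168.1.11 are assumptions standing in for the original poster's real subdomain and servers.

```zone
; Added example (not from the thread). Assumed names and addresses:
;   lab.example.com    = the delegated subdomain
;   192.168.1.10 / .11 = the two home nameservers (RFC1918 space)
;
; Delegation records in the parent zone (example.com, hosted at Cloudflare).
; These are the NS records the "Delegating Subdomains" instructions ask for.
lab.example.com.      3600  IN  NS  ns1.lab.example.com.
lab.example.com.      3600  IN  NS  ns2.lab.example.com.

; Glue: the nameservers live inside the subdomain they serve, so the parent
; must publish their addresses too, otherwise the delegation is circular.
; With RFC1918 glue the records are syntactically fine, but only a client
; on the same LAN can ever reach the addresses they point at.
ns1.lab.example.com.  3600  IN  A   192.168.1.10
ns2.lab.example.com.  3600  IN  A   192.168.1.11
```

This is exactly the split the reply describes: a public recursive resolver such as 1.1.1.1 follows the referral from its own network, cannot connect to 192.168.1.10, and eventually returns SERVFAIL or an empty answer; dig +trace performs the same walk from the laptop on the LAN, where 192.168.1.10 is reachable, so it gets the A record. Two practical checks: the referral itself can be seen in the AUTHORITY section of the +trace output, and querying 192.168.1.10 directly (dig @192.168.1.10 host.lab.example.com) confirms the home servers answer. One caveat for anyone copying this pattern: public DNS answers that resolve to private addresses are precisely what DNS-rebinding protections in some resolvers and home routers reject, so a client behind such a filter may see the records dropped even when it can reach the servers.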

Thank you. Do you know if there's a set of IPs or subnets that Cloudflare publishes that I can permit through my firewall and DNS servers?

I’m not sure what you mean by that.

If you want to use local nameservers, you can either use a local resolver or create NS records in Cloudflare with your public IP address.

Otherwise, you could directly publish your records with private IP addresses in Cloudflare.


I was thinking of creating a NAT on my router to one of the DNS servers so I could allow external traffic through. And if I did that I'd want to lock it down as much as possible. I have a feeling that's not going to be a good solution either, though, as it needs to be generally available.

I have a local resolver set up now that I use and it all works fine, but I've been trying to save the rest of my household from having to rely on my lab machines, which is why I'm trying to find a DNS solution that lets me still use my internal DNS for my projects while primarily relying on Cloudflare's public DNS for everything else we do at home.

Why do you want to use a local nameserver instead of publishing records with private IPs directly from Cloudflare?


I’m not sure if I’m missing something or misunderstand, but do you just want your machines to use your resolver and your family to use Cloudflare’s? If so, why not set static IPs and DNS on your LAN for your machines to force your resolver for your machines, and set your DHCP server to use Cloudflare’s DNS for all the other machines?

Or run your machines on a different subnet to the family’s and set the appropriate DNS for each?

Or are you saying you want to just resolve your own domain names locally, and send everything else to Cloudflare’s? If so, that’s sort of what I do. In the offices we use DNSmasq in a TrueNAS jail(*) and at home use Pi-hole. Both send *.internal.company.net (resolving to LAN IPs) and *.private.company.net (internet IPs we don’t want in the public DNS that we can’t proxy) to our company resolver (accessible only from known IPs and zero trust tunnels) and all other queries are forwarded to Cloudflare’s DNS.

(*) Some routers such as my old Draytek Vigor and software solutions like OPNsense will do this for you as well.
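The conditional-forwarding setup sketched in the reply above, written out as a dnsmasq configuration. This is an added example, not the poster's own config: the subdomain lab.example.com, the internal servers 192.168.1.10 and 192.168.1.11, the LAN 192.168.1.0/24 and the interface name eth0 are assumptions. Pi-hole's FTL is dnsmasq-based and accepts the same directives.

```conf
# Added example (not from the thread). Assumed values:
#   lab.example.com    = the lab subdomain served by the home nameservers
#   192.168.1.10 / .11 = the two internal authoritative servers
#   192.168.1.0/24     = the home LAN, reached via eth0

# Only listen on the LAN side; never expose the resolver to the internet.
interface=eth0
bind-interfaces

# Ignore /etc/resolv.conf; upstreams come only from this file.
no-resolv

# Default upstream for everything not matched below: Cloudflare's resolvers.
server=1.1.1.1
server=1.0.0.1

# Anything under lab.example.com goes to the internal authoritative pair.
# dnsmasq tries both and uses whichever answers, so one can be down.
server=/lab.example.com/192.168.1.10
server=/lab.example.com/192.168.1.11

# Reverse lookups for the lab subnet stay internal as well.
server=/1.168.192.in-addr.arpa/192.168.1.10
server=/1.168.192.in-addr.arpa/192.168.1.11

# Never forward single-label names (no dots) upstream.
domain-needed

# DNS-rebinding defence: drop upstream answers that point into private
# address space, which is what a rebinding attack against a browser relies on.
stop-dns-rebind
# The lab zone is *expected* to return private addresses, so exempt it;
# without this line every lab lookup would be silently rejected.
rebind-domain-ok=/lab.example.com/
```

The last two directives are the part worth getting right: stop-dns-rebind is what makes a home resolver safe to point every device at, and the exemption for the lab zone is the single thing that makes the lab still work under it. Everything else in the household resolves through Cloudflare exactly as before, and if the lab servers are off, only lab.example.com names fail.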

I mostly just didn’t want to put my private IP space out in the “public” but that would work perfectly fine and be super easy to do.

It also is a bit sloppy as it would resolve for anyone who queries it - including me - when i’m not at home and the hosts are unreachable.

I’ll look into your suggestion sjr, this sounds interesting.

For now I put in a domain-specific resolver in macOS for the subdomain which, while a hack, is a functional one.

I did a couple of things this morning that I'll live with for a while. It does what I'm looking to do right now anyway and is totally manageable. I'll check out what you (sjr) suggested. I have a couple of extra Pis and haven't spent any time with Pi-hole before, and it sounds worth looking into.

For now I've got my old c.2002 configuration in place :wink:

  • Pri / Sec DNS servers at my house in 1918 space acting as authoritative for a subnet of my domain
  • the TLD DNS remains hosted with Cloudflare
  • all hosts at home are on that sub-domain and in that IP space
  • recursive DNS from my 2 DNS hosts goes out to Cloudflare
  • I've got some extra stanzas defined in my named config as well as on my home router so I can quickly and easily bypass my internal DNS when I want to, or use a different public resolver at certain times etc.

I just went through my hosts and updated domain names, cleaned up reverse dns etc, everything’s nice and clean now.

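For readers who want to reproduce the "c.2002" setup described in the list above (BIND authoritative for the lab subdomain, recursive to Cloudflare for everything else), here is a named.conf that does that with the access controls a practitioner would want. This is an added example, not the poster's actual named config; lab.example.com, the server addresses 192.168.1.10 (primary) and 192.168.1.11 (secondary), the LAN 192.168.1.0/24 and the file paths are assumptions.

```conf
// Added example (not from the thread). Assumed values:
//   lab.example.com  = the lab subdomain this server is authoritative for
//   192.168.1.10     = this server (primary); 192.168.1.11 = the secondary
//   192.168.1.0/24   = the home LAN
//   /etc/bind/db.*   = zone file locations

acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 192.168.1.10; 127.0.0.1; };

    // Recursion for the LAN only. If this host ever gets a NAT rule or
    // port-forward, an unrestricted recursive resolver becomes an
    // amplification source within hours; these ACLs make that a non-issue.
    recursion yes;
    allow-query { lan; };
    allow-recursion { lan; };

    // Everything this server is not authoritative for is forwarded to
    // Cloudflare. "forward only" means no fallback to root recursion;
    // use "forward first" if the Cloudflare path should be best-effort.
    forwarders { 1.1.1.1; 1.0.0.1; };
    forward only;

    dnssec-validation auto;
};

// Authoritative for the lab subdomain; the zone file holds the A records
// with the RFC1918 addresses. Zone transfers are limited to the secondary
// so the full host list cannot be pulled by any LAN client.
zone "lab.example.com" {
    type master;            // spelled "primary" on BIND 9.16 and later
    file "/etc/bind/db.lab.example.com";
    allow-transfer { 192.168.1.11; };
    notify yes;
};

// Reverse zone for the lab subnet so PTR lookups also stay local.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    allow-transfer { 192.168.1.11; };
    notify yes;
};
```

On the secondary the two zone stanzas become type slave (secondary) with masters { 192.168.1.10; }; and the rest of the options block is the same with its own listen-on address. The "extra stanzas" for bypassing internal DNS mentioned in the list are just a second options block with different forwarders kept in a separate file and swapped in with an include, then reloaded with rndc reload; named-checkconf before each reload catches the inevitable missing semicolon.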
