I have a domain at Cloudflare. DNS records for the top-level domain appear to work normally, and I can add/remove/edit records from the Cloudflare dashboard without issue.
I want to set up a subdomain for some personal lab machines and delegate the queries for records in that subdomain to a pair of DNS servers at my house (in RFC1918 space on my home network).
I followed the Cloudflare instructions for Delegating Subdomains Outside of Cloudflare, and as far as I can tell there’s no issue with my DNS config; however, I cannot query my subdomain’s DNS records successfully from my home network.
If I run dig hostname.subdomain.domain.com I don’t get an A record answer returned. I’ve tried using 1.1.1.1, 1.0.0.1 and 8.8.8.8. However, if I add the trace option, dig hostname.subdomain.domain.com +trace, I do receive the correct A record answer.
If I query my internal DNS servers directly I get the correct answer as well. I feel like this is my fault and I’m missing something either at Cloudflare or with my named config, but I’ve been looking around both here in the Cloudflare community as well as on the general internet all morning and I’m still stuck.
Any advice on what to do, or other places to look?
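The symptom above (a plain lookup fails, dig +trace succeeds) is what you get when the delegation itself is fine but the nameservers it points to live in RFC1918 space: a public resolver such as 1.1.1.1 follows the referral from Cloudflare, finds glue pointing at 192.168.x.x, and has no route to it, so it cannot answer. dig +trace works because dig does the walk itself and, run from inside the LAN, can reach the private servers directly. The following script is an added example, not part of the original post, that checks a delegation's glue for exactly this condition. The zone name lab.example.com, the nameserver names and the 192.168.10.x addresses are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the glue/A records of a
# delegated subdomain's nameservers point into RFC1918 space. Public resolvers
# cannot route to those addresses, so a normal lookup fails while "dig +trace"
# run from inside the LAN succeeds.

# Return 0 (true) if $1 is an IPv4 address inside 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*)                                   return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
    192.168.*)                              return 0 ;;
    *)                                      return 1 ;;
  esac
}

# Read "nameserver address" pairs from stdin, one per line, and report each one.
# Returns 0 if at least one nameserver has a publicly routable address (the
# delegation can be followed from the internet), 1 if every one is private.
check_delegation() {
  public=0
  while read -r ns addr; do
    [ -n "$ns" ] || continue            # skip blank lines
    if is_rfc1918 "$addr"; then
      echo "PRIVATE  $ns -> $addr (unreachable from public resolvers)"
    else
      echo "PUBLIC   $ns -> $addr"
      public=$((public + 1))
    fi
  done
  [ "$public" -gt 0 ]
}

# Constructed sample glue, shaped like the ADDITIONAL section of a referral
# from the parent zone's nameserver. Names and addresses are made up.
SAMPLE_GLUE='ns1.lab.example.com. 192.168.10.53
ns2.lab.example.com. 192.168.10.54'

if printf '%s\n' "$SAMPLE_GLUE" | check_delegation; then
  echo "delegation is resolvable from the public internet"
else
  echo "no public nameserver: recursive resolvers cannot follow this delegation"
fi
```

To run it against a real delegation, replace SAMPLE_GLUE with the glue the parent zone actually hands out. Ask one of the parent's authoritative servers (the names come from dig NS example.com +short) for the delegation and keep only the A records in the additional section: dig lab.example.com NS @PARENT_NS +noall +additional | awk '$4=="A"{print $1, $5}'. Querying a recursive resolver for the nameserver names instead would fail for the same reason the original lookup does.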
I was thinking of creating a NAT on my router to one of the DNS servers so I could allow external traffic through, and if I did that I’d want to lock it down as much as possible. I have a feeling that’s not going to be a good solution either, though, as it needs to be generally available.
I have a local resolver set up now that I use, and it all works fine, but I’ve been trying to save the rest of my household from having to rely on my lab machines, which is why I’m trying to find a DNS solution that lets me still use my internal DNS for my projects while primarily relying on Cloudflare’s public DNS for everything else we do at home.
I’m not sure if I’m missing something or misunderstand, but do you just want your machines to use your resolver and your family to use Cloudflare’s? If so, why not set static IPs and DNS on your LAN for your machines to force your resolver for your machines, and set your DHCP server to use Cloudflare’s DNS for all the other machines?
Or run your machines on a different subnet to the family’s and set the appropriate DNS for each?
Or are you saying you want to just resolve your own domain names locally, and send everything else to Cloudflare’s? If so, that’s sort of what I do. In the offices we use DNSmasq in a TrueNAS jail(*) and at home use Pi-hole. Both send *.internal.company.net (resolving to LAN IPs) and *.private.company.net (internet IPs we don’t want in the public DNS that we can’t proxy) to our company resolver (accessible only from known IPs and zero trust tunnels) and all other queries are forwarded to Cloudflare’s DNS.
(*) Some routers such as my old Draytek Vigor and software solutions like OPNsense will do this for you as well.
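The split described in this reply, as an added example that is not from the post: the first four lines are dnsmasq configuration (the format Pi-hole reads from its dnsmasq drop-in files), sending the two internal zones to the company resolver and everything else to Cloudflare. The address 10.0.0.53 is an assumed placeholder for the company resolver. The pick_upstream function reimplements dnsmasq's rule selection so you can see, without a running dnsmasq, which upstream a given name would be forwarded to.

```shell
#!/bin/sh
# Added example, not from the thread. The rules below are dnsmasq syntax
# (Pi-hole reads the same format from /etc/dnsmasq.d/*.conf): two internal
# zones go to the company resolver, everything else to Cloudflare.
# 10.0.0.53 is an assumed address for the company resolver.
DNSMASQ_RULES='server=/internal.company.net/10.0.0.53
server=/private.company.net/10.0.0.53
server=1.1.1.1
server=1.0.0.1'

# Print the upstream dnsmasq would forward query name $1 to under DNSMASQ_RULES.
# dnsmasq uses the server= entry whose domain is the most specific (longest)
# suffix of the name; entries without a domain are the default for the rest.
# (Real dnsmasq spreads load across several default servers; this picks the first.)
pick_upstream() {
  q=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
  q=${q%.}                                  # drop a trailing dot
  best=""; bestlen=-1; default=""
  while IFS= read -r line; do
    case "$line" in
      server=/*/*)
        rest=${line#server=/}
        dom=${rest%%/*}
        ip=${rest#*/}
        case "$q" in
          "$dom"|*".$dom")                  # the zone itself or anything under it
            if [ "${#dom}" -gt "$bestlen" ]; then
              best=$ip; bestlen=${#dom}
            fi ;;
        esac ;;
      server=*)
        [ -n "$default" ] || default=${line#server=} ;;
    esac
  done <<EOF
$DNSMASQ_RULES
EOF
  if [ -n "$best" ]; then printf '%s\n' "$best"; else printf '%s\n' "$default"; fi
}

# Walk through a few names and show where each one goes.
for name in box1.internal.company.net vpn.private.company.net www.company.net example.org; do
  printf '%-28s -> %s\n' "$name" "$(pick_upstream "$name")"
done
```

Note that www.company.net goes to Cloudflare: only names at or under the listed zones are sent to the internal resolver, which is what keeps the family's ordinary traffic off the lab machines while internal names still resolve to LAN addresses.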
I did a couple of things this morning that I’ll live with for a while. It does what I’m looking to do right now anyway and is totally manageable. I’ll check out what you (sjr) suggested. I have a couple of extra Pis and haven’t spent any time with Pi-hole before, and it sounds worth looking into.
For now I’ve got my old c. 2002 configuration in place:
Primary/secondary DNS servers at my house in RFC1918 space acting as authoritative for a subnet of my domain
the TLD DNS remains hosted with Cloudflare
all hosts at home are on that subdomain and in that IP space
recursive DNS from my 2 DNS hosts goes out to Cloudflare
I’ve got some extra stanzas defined in my named config as well as on my home router so I can quickly and easily bypass my internal DNS when I want to, or use a different public resolver at certain times, etc.
I just went through my hosts and updated domain names, cleaned up reverse DNS, etc.; everything’s nice and clean now.
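The layout described in this post (authoritative for the lab subdomain, everything else forwarded to Cloudflare), as an added BIND 9 named.conf example for the primary server. This is not the poster's actual configuration; lab.example.com, the 192.168.10.0/24 LAN and the .53/.54 server addresses are placeholders, and the secondary's own config (a zone of type slave pointing at the primary) is omitted. The part worth paying attention to is allow-recursion: the authoritative zone can safely answer anyone, but recursion must stay limited to the LAN, otherwise the port forward considered earlier in the thread would turn the box into an open resolver usable for amplification.

```conf
// Added example, not the poster's configuration. Placeholder names/addresses:
// lab.example.com, LAN 192.168.10.0/24, primary .53, secondary .54.

acl "lan" { 192.168.10.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 192.168.10.53; 127.0.0.1; };

    // Recursion only for the LAN. Without this, forwarding UDP/TCP 53
    // through the router makes the server an open resolver.
    recursion yes;
    allow-recursion { lan; };
    allow-query-cache { lan; };

    // Everything this server is not authoritative for goes to Cloudflare.
    forwarders { 1.1.1.1; 1.0.0.1; };
    forward only;

    // Validate forwarded answers rather than trusting the forwarder blindly.
    dnssec-validation auto;
};

// Authoritative for the delegated lab subdomain. Anyone may query it, which
// is what a public delegation requires; only the secondary may transfer it.
zone "lab.example.com" {
    type master;
    file "/etc/bind/db.lab.example.com";
    allow-query { any; };
    allow-transfer { 192.168.10.54; };
    also-notify { 192.168.10.54; };
};

// Reverse zone for the lab subnet, LAN-only.
zone "10.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.10";
    allow-query { lan; };
    allow-transfer { 192.168.10.54; };
};
```

Check the file with named-checkconf before reloading, and, if a port forward is ever added, confirm from outside the LAN that dig @your-public-ip example.org returns REFUSED while dig @your-public-ip host.lab.example.com still answers.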