Remix.run Logo
raffraffraff 2 hours ago

Hmm. I don't really care enough about leaking home network host names because they are all super generic names like 'router', 'laptop', 'tv', 'nas'. So I use my public zone on cloudflare. I just use internal ip addresses (eg: nas.example.com = 10.1.2.3) on the public zone and DNS01 challenge for let's encrypt. Anyone can resolve the ip for any of my hosts, but obviously you'd need to be on the wireguard vpn to hit them.

This means that I can always use public DNS servers like 1.1.1.1, 8.8.8.8, nextDNS etc

This is not "done right" by any stretch but it's extremely low effort to set up and has never once failed me, unlike countless complex meshy things.

graton 30 minutes ago | parent | next [-]

I do the same thing. I'm not worried about them seeing my FQDNs.

I use the form of hostname.int.example.com for everything inside my home network. None of which is accessible to the outside world. I use LetsEncrypt with DNS validation to get the certificates.

luckman212 2 hours ago | parent | prev | next [-]

Fair, but what about names that are specific enough to give an attacker a clue to a potential attack surface, like "authelia.example.com" - now they know you've likely got an Authelia setup, and can start digging for exploitable CVEs etc. I'm in the process of removing all my individual certs and replacing with a wildcard cert served by Traefik. Is that a bad idea?

bbkane 2 hours ago | parent | next [-]

Can they dig for exploitable CVEs if they're not on the Wireguard network? It is a clue to your infrastructure, but I personally think the simplicity is worth it.

icedchai 33 minutes ago | parent | prev | next [-]

Do the names resolve to publicly routeable IPs? If not, I wouldn't worry about it.

nijave an hour ago | parent | prev [-]

My IaC is on public GitHub. They could do a network scan to find software then fingerprint to find version anyway.

Removing attack surface is better than trying to hide it.

icedchai 35 minutes ago | parent | prev [-]

This is similar to what I do, except I have my own authoritative DNS servers instead of Cloudflare.

I'd prefer this over split DNS, any day.