I have a domain that requires HSTS preload. I want to self host a few things using that domain (and subdomains), like nextcloud, pihole, and vaultwarden. How much of an issue is HSTS preload going to be if I do that? Will I need to set up a wildcard cert for everything? Or will it just work™️ because it’s internal or traffic is through a VPN?

I can’t find much about this so any help would be appreciated!

  • just_another_person@lemmy.world
    9 days ago

    Then you just need to run a DNS Forwarder, or something with a DNS forwarding capability. Your router most likely already has this.

    DNS is essentially just a request and a response from a service. These can be public or private. A DNS Forwarder on your network will quickly respond if it knows what something is when asked, and return an IP address. If it doesn’t know what it is, it will ask the public services available.

    So if you have an internal-only network, a VPN into that network, and a forwarder or other DNS service on that network, you just tell your VPN client of choice to switch to using that DNS instead of public once it connects. It’s a simple setting that every VPN solution supports, and actually makes you MORE secure by not using public DNS servers by default. You can add any record you want to said forwarder, and it will return whatever value you give it for a given domain name.

    Here’s a simple workflow as an example:

    1. Set up all your services
    2. Set up names in your local DNS for each service like “service1.jimmypoops.dev”, or “jellyfin.woopsiedoodle.net”
    3. Install VPN client on your phone and make sure your internal DNS server name is used for that connection
    4. Connect to VPN from phone and request the DNS names you added
    5. Your DNS will return the correct IP to visit.

    All contained within your local network and VPN by extension.

    No need for public DNS entries or TLDs and HSTS requirements.
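
The lookup decision a forwarder like the one described in the comment above makes, shown at the DNS packet level as an added example (not part of the original thread): answer from local records, otherwise return `None` to signal that the query goes to an upstream resolver. The IP addresses are constructed sample values and all function names are hypothetical.

```python
import socket
import struct

# Constructed sample records: the names come from the comment, the IPs are made up.
LOCAL_RECORDS = {
    "service1.jimmypoops.dev": "192.168.1.10",
    "jellyfin.woopsiedoodle.net": "192.168.1.11",
}

def build_query(name, qid=0x1234):
    """Build the A-record query packet a client would send."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_question(packet):
    """Return (query id, lower-cased name, qtype, offset where the question ends)."""
    qid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # the fixed DNS header is 12 bytes long
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return qid, ".".join(labels).lower(), qtype, pos + 5

def answer_locally(packet, records=LOCAL_RECORDS):
    """Return a response packet for a known local A record, else None (forward upstream)."""
    qid, name, qtype, end = parse_question(packet)
    if qtype != 1 or name not in records:
        return None
    header = struct.pack("!HHHHHH", qid, 0x8580, 1, 1, 0, 0)  # QR, AA, RD, RA set
    # Answer RR: pointer to the name at offset 12, TYPE A, CLASS IN, TTL 300, 4 bytes of data
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(records[name])
    return header + packet[12:end] + rr

def answered_ip(response):
    """Read the IPv4 address out of a single-answer response built by answer_locally."""
    return socket.inet_ntoa(response[-4:])
```

Resolution only decides which IP a name maps to; whether the browser then insists on HTTPS for that name is decided separately by its HSTS state.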