16

I own a domain. I will call it example.com. I want to set up a local BIND server on my private network. I have a box with the private IP address of 192.168.2.13

I would like to have this box named development.example.com. Is it considered normal practice to add an A record for example.com at my DNS provider pointing to the private IP (192.168.2.13), so that development.example.com can resolve to my machine inside my private network?

Ryan
  • As long as you understand that this IP address won't be reachable except by those on your internal network. The other consideration is that external clients may inadvertently be redirected to a host on their own network if they use the same IP address range and resolve this A record for your domain. – joeqwerty Jun 27 '14 at 18:45

4 Answers

10

Is it considered normal practice to add an A record for example.com at my DNS provider pointing to the private ip (192.168.2.13), so that development.example.com can resolve to my machine inside my private network?

That will certainly work, but it's not best practice as it opens the door for a bit of information leakage about your private network.

Run an instance of DNSMasq locally, which all of your LAN clients can point to. Then in DNSMasq you can add additional hosts to your domain and/or host-overrides that will take precedence over your authoritative DNS server externally.

EEAA
  • So, bind is not necessary? – Ryan Jun 27 '14 at 18:10
  • Correct, it's likely that BIND is overkill for what you need. – EEAA Jun 27 '14 at 18:11
  • Okay, so using DNSMasq would allow me to not have to worry about setting up the A record at the DNS provider? – Ryan Jun 27 '14 at 18:12
  • Yep, that's correct. To your internal clients, it would appear as if there was a proper A record, but that record would only resolve from your DNSMasq clients. – EEAA Jun 27 '14 at 18:13
  • I apologize for all the questions. Do I need to run a DNSMasq on a dedicated private IP on my lan? – Ryan Jun 27 '14 at 18:18
  • It doesn't need to be dedicated. – EEAA Jun 27 '14 at 18:18
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/15387/discussion-between-rpm-and-eeaa). – Ryan Jun 27 '14 at 18:19
  • No thanks, can't right now. As far as your original question is concerned, you have your answer. Look into getting DNSMasq set up. If you have further questions about that process, post them as a separate question. – EEAA Jun 27 '14 at 18:20
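Added example of the local-override setup EEAA describes; this is not code from the answer. It assumes dnsmasq runs on the development box itself (192.168.2.13), listens on eth0, and forwards everything it does not know to an upstream resolver (9.9.9.9 here). The interface name and upstream address are assumptions; the host name and IP are the ones in the question.

```conf
# /etc/dnsmasq.conf  (added example, not from the original answer)
# Assumptions: LAN interface is eth0, upstream resolver is 9.9.9.9.

# Answer only on the LAN interface, never on anything public-facing.
interface=eth0
bind-interfaces

# Ignore /etc/resolv.conf (so the box cannot loop back to itself) and
# forward every name we do not know to the upstream resolver.
no-resolv
server=9.9.9.9

# Never forward unqualified names or reverse lookups for RFC 1918 space.
domain-needed
bogus-priv

# The override: LAN clients get the private address for this one name.
# Every other example.com name is still forwarded upstream, so the public
# zone at the DNS provider stays untouched and the private address never
# leaves the LAN.
host-record=development.example.com,192.168.2.13

# Hardening: drop upstream answers that contain private addresses (DNS
# rebinding). Note the trade-off: if you DO keep a private address in the
# public zone, resolvers with this setting discard it unless the domain is
# allow-listed, e.g.
#   rebind-domain-ok=/example.com/
stop-dns-rebind
```

Point the LAN clients at 192.168.2.13 for DNS (via DHCP or by hand) and check both sides: `dig @192.168.2.13 development.example.com +short` should print 192.168.2.13, while `dig @9.9.9.9 development.example.com +short` prints nothing, which confirms the record exists only for your own resolver. `dnsmasq --test` validates the file before you restart the daemon.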
6

There's no problem doing that - in fact, one of the major consumer router manufacturers used to provide a domain name which had an A record pointing to 192.168.0.1 (though I can no longer find any documentation of this).

However, if you will only need this DNS record on your local network, you should run a local DNSmasq or TinyDNS as suggested by @EEAA above.

The situation where I would put the private address in a public DNS server is if you are using Vagrant (or similar) Virtual Machines for development. For example, if I had a Vagrant VM for development of example.com with the IP address 192.168.53.123 which is a private address only accessible on the machine hosting the VM, then I would create an A record for vm.example.com which points to 192.168.53.123 so that other developers can use it without needing to add their own DNS records locally.

Moshe Katz
  • So, I run the development instance as a server VM from Windows 8, I can get to the VM via my browser if I type the IP address in, but not if I type the hostname. – Ryan Jun 27 '14 at 18:36
  • (Replacing an old comment with broken links.) If you literally can't connect to the VM at all by name, that means the DNS is not configured correctly (or hasn't had time to propagate). Run nslookup DNS_NAME to see if that is the case. If you connect to the VM and get a "default" webserver page, then your VM's web server is just not configured to respond to that name and you need to configure it. – Moshe Katz Jan 19 '17 at 17:44
4

Absolutely valid. There's a way to present different versions of the same zone with ISC's BIND to different requesters (it's called "view"), so you can limit this information to the LAN only, if needed. But I doubt you would bother.

poige
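Added example of the BIND view poige mentions, for the case where you run your own authoritative server instead of the provider's; it is not code from the answer. It assumes the LAN is 192.168.2.0/24 and that zone files live under /var/named; the ACL name and file names are assumptions.

```conf
// named.conf fragment  (added example, not from the original answer)
// Assumptions: LAN is 192.168.2.0/24, zone files live under /var/named.

acl "lan" { 127.0.0.0/8; 192.168.2.0/24; };

options {
    directory "/var/named";
    // Recursion is a LAN-only service; the public side is authoritative only.
    allow-recursion { lan; };
};

// Views are tried top to bottom and the first match-clients hit wins, so the
// internal view must come first. Once any view exists, every zone statement
// has to live inside a view; a top-level zone is a configuration error.
view "internal" {
    match-clients { lan; };
    recursion yes;
    zone "example.com" {
        type master;
        // Same SOA/NS/public records as the external file, plus the line
        //   development.example.com.  IN  A  192.168.2.13
        file "example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        // Public records only: no RFC 1918 address is ever handed out here.
        file "example.com.external";
    };
};
```

Two checks worth doing: run `named-checkconf` on the file before reloading, and query the server once from a LAN address and once from outside (or from a VPN client) to confirm which view each lands in. The view is selected by the source address of the query, so remote developers coming in over a tunnel see the external view unless their tunnel addresses are added to the "lan" ACL.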
3

Perfectly fine. You can, for example, have a server with two interfaces and resolve the name internally to the local address and externally to the public address, as was already mentioned with views in bind.

For one machine it's probably easier to just add an entry to /etc/hosts:

192.168.2.13 development.example.com

If you want to use bind and expose this entry to the external world, it probably will not matter, because you don't have authority over the domain example.com and nobody will ask you.

But if you think about a real name from your domain, it would be nice to have an external address that at least points to one of your servers that will answer with an error message instead of letting people wait forever until they realize they are not in the internal network. (forgot to start tunnelblick/openvpn, or whatever reason)

  • just read your comment about windows 8, there should be a hosts file too.
marty
  • I have control of the DNS. I don't want the internal machine exposed to the world. – Ryan Jun 28 '14 at 01:13
  • Just add it then, if not as view and if you have people working from home on that machine, consider putting up a fake server like in my answer. – marty Jun 28 '14 at 01:24
  • So, I made an A record for `dev.example.com` pointing to 192.168.2.13 and it is working. What do you mean a fake server? – Ryan Jun 28 '14 at 01:29