2 days ago
Could you do a subdomain for internal? Using Nginx host-based routing to get to the same port would let you have a valid cert for both service.lan.your.fqdn and service.your.fqdn.
Let’s Encrypt wildcard certs for the *.lan.your.fqdn would simplify things.
Your DNS server could then resolve the LAN FQDNs to your internal network and the non-LAN ones to your Internet-exposed side?
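The setup the comment sketches, as an added example that is not part of the original thread: one Nginx listener on 443 that routes by SNI and Host header to the same backend, with the Let's Encrypt wildcard for *.lan.your.fqdn on the internal name and a separate certificate on the public name. The backend port, certificate paths and the lab address range are assumptions.

```nginx
# Added example, not from the thread. Two hostnames share one port and one
# backend; Nginx picks the server block (and therefore the certificate) from
# the TLS SNI name, then from the Host header for the proxied request.
upstream service_backend {
    server 127.0.0.1:8080;   # assumed backend port
}

# Internal name, covered by the wildcard cert for *.lan.your.fqdn.
server {
    listen 443 ssl;
    server_name service.lan.your.fqdn;

    ssl_certificate     /etc/letsencrypt/live/lan.your.fqdn/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/lan.your.fqdn/privkey.pem;

    # Split-horizon DNS only decides which address clients are told; it does
    # not stop a client that already knows the address. Enforce the boundary
    # here as well (10.0.0.0/8 is an assumed lab range).
    allow 10.0.0.0/8;
    deny  all;

    location / {
        proxy_pass http://service_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

# Public name, with its own (non-wildcard) certificate.
server {
    listen 443 ssl;
    server_name service.your.fqdn;

    ssl_certificate     /etc/letsencrypt/live/service.your.fqdn/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/service.your.fqdn/privkey.pem;

    location / {
        proxy_pass http://service_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

# Catch-all for connections that present no or an unknown SNI name
# (IP-address scans, stale DNS). Closing the handshake here avoids serving
# the first server block's certificate to anyone who asks.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
```

Two points worth knowing about this layout: the wildcard also keeps the individual internal hostnames out of Certificate Transparency logs (only *.lan.your.fqdn is published there), and the Let's Encrypt wildcard must be issued through the DNS-01 challenge, so the authoritative DNS for lan.your.fqdn has to accept the TXT record updates from your ACME client. `ssl_reject_handshake` requires Nginx 1.19.4 or newer.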
Yeah, in that case, I’d probably split my DNS duties. I started with internal resolution by having Pi-hole do hard-coded DNS entries for internal systems, but my current setup seems to be much more resilient.
I have two PowerDNS servers (main and replica) with recursors to OpenDNS internet servers and resolvers for my lab network. It plays very nicely with Terraform or (crucially lately) Kubernetes.