I ran this command: Opened another website in my browser from within my home network (where the domain is hosted).
It produced this output: The random website (maybe one in 50 page loads) lands on a “Warning” browser page, and my csb.sh cert is shown as the site’s cert.
Initially looks like this:
It “looks” like something local to your system or network is proxying your web requests…
[SSL inspection?]
Check your proxy settings, your anti-virus, from other systems in that network.
@JuergenAuer I don’t have any hosts file changes, but I am using my home router as my DNS server so that it can resolve hostnames to local IP addresses.
@rg305 I am only having this issue on my local network. It’s happening across all of the computers (my housemate’s as well, which I haven’t configured/touched at all).
You need to update the DHCP server to hand out only functional DNS IPs.
Your statement:
Implies you would need to use your router as a DNS server to get to those IPs.
Routers are routers.
Use DNS servers for DNS.
Bypass the router (for DNS) and use those same IPs in your DNS clients.
Thanks rg305. Originally I had the router set up to just resolve local DNS, but systemd rotates through DNS servers, so half the time local hostnames would resolve and half the time they wouldn’t. Then I switched to using dnsmasq on the router to manage local and remote lookups.
I’m not sure if that’s the right way to do things though.
DNS has gotten more complicated in recent years.
Today, if you have 3 DNS servers, your client will send out 3 DNS requests.
Whichever answers first is taken as gospel (regardless of however it may conflict with any other reply).
So the sense of primary/secondary/etc. DNS has gone out the window.
All DNS systems would need to answer ALL DNS requests.
If you need local DNS resolution, you won’t be able to find that consistently when Internet DNS IPs are included.
So you will need to run an internal DNS system that can provide local and Internet DNS resolution.
[and just use that single IP for DNS - if you need redundancy, you will need to add another similar one]
Thanks rg305, it looks like I have some more learning to do. I started to take down my dnsmasq service, to replace with hosts entries, and then remembered that one of the reasons for trying to do this split-dns in the first place is so that a URL to my RSS reader in an app on my phone will resolve both inside and outside of my home network. Android won’t let me pick a DNS server, so my only option appears to be making the LAN dns server handle these local names.
I think I did find a clue to what’s going wrong with dnsmasq though:
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: query[A] npr.gov from 192.168.13.130
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: cached npr.gov is NXDOMAIN
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: query[A] npr.gov.csb.sh from 192.168.13.130
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: config npr.gov.csb.sh is 192.168.13.13
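The four log lines above show the mechanism behind the random certificate warnings: the client asks for `npr.gov`, gets NXDOMAIN, then (because `csb.sh` is in its search list) retries `npr.gov.csb.sh`, and dnsmasq answers that from its static config with the local server's IP, which presents the `csb.sh` certificate. The script below is an added example, not code from this thread or from dnsmasq. It parses the quoted log lines to flag exactly that NXDOMAIN-then-suffix pattern, and models the two configurations that matter. It assumes the `config` answer came from a wildcard rule of the form `address=/csb.sh/192.168.13.13` (the thread never shows the actual dnsmasq config, so this is an inference), and the `mycomp.csb.sh` lookup and its IP `192.168.13.20` are constructed to give the detector a benign case.

```python
import re

# Constructed sample log: the four dnsmasq lines quoted in the post above, plus two
# extra lines for a legitimate local lookup (mycomp.csb.sh -> 192.168.13.20 is made up)
# so the detector has a negative case.
SAMPLE_LOG = """\
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: query[A] npr.gov from 192.168.13.130
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: cached npr.gov is NXDOMAIN
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: query[A] npr.gov.csb.sh from 192.168.13.130
Jan 20 17:23:55 bns-wrt daemon.info dnsmasq[1808]: config npr.gov.csb.sh is 192.168.13.13
Jan 20 17:24:01 bns-wrt daemon.info dnsmasq[1808]: query[A] mycomp.csb.sh from 192.168.13.130
Jan 20 17:24:01 bns-wrt daemon.info dnsmasq[1808]: config mycomp.csb.sh is 192.168.13.20
"""

# One regex for the record shapes we care about:
#   "query[A] NAME from CLIENT", "cached NAME is NXDOMAIN", "config NAME is IP"
LOG_LINE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[[A-Z]+\]|cached|config|reply) "
    r"(?P<name>\S+) (?:from|is) (?P<value>\S+)"
)


def find_search_suffix_hits(log_text, local_zone):
    """Flag lookups where a public name got NXDOMAIN and the client's retry with the
    local search suffix appended was then answered from dnsmasq's own config.

    Returns a list of (original_name, suffixed_name, answered_ip)."""
    nxdomain_names = set()
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        kind, name, value = m.group("kind", "name", "value")
        if kind == "cached" and value == "NXDOMAIN":
            nxdomain_names.add(name)
        elif kind == "config" and name.endswith("." + local_zone):
            base = name[: -(len(local_zone) + 1)]  # strip ".csb.sh"
            if base in nxdomain_names:
                hits.append((base, name, value))
    return hits


# --- Model of why the suffix retry finds an answer ---------------------------

def wildcard_zone(qname):
    """Assumed dnsmasq rule `address=/csb.sh/192.168.13.13`: every name at or under
    csb.sh answers with the same IP, so npr.gov.csb.sh 'exists'."""
    if qname == "csb.sh" or qname.endswith(".csb.sh"):
        return "192.168.13.13"
    return None  # anything else: treated as NXDOMAIN in this model


EXPLICIT_HOSTS = {  # constructed: one record per machine instead of a wildcard
    "mycomp.csb.sh": "192.168.13.20",
}

def explicit_zone(qname):
    """Only names that are actually listed resolve; unknown subdomains stay NXDOMAIN."""
    return EXPLICIT_HOSTS.get(qname)


def resolve_with_search(name, search_domain, zone):
    """Mimic a stub resolver with one search domain: try the name as typed, and on
    NXDOMAIN retry with the search suffix appended (the behaviour visible in the log)."""
    for candidate in (name, f"{name}.{search_domain}"):
        ip = zone(candidate)
        if ip is not None:
            return candidate, ip
    return None


if __name__ == "__main__":
    for hit in find_search_suffix_hits(SAMPLE_LOG, "csb.sh"):
        print("search-suffix leak:", hit)
    print("wildcard zone, npr.gov :", resolve_with_search("npr.gov", "csb.sh", wildcard_zone))
    print("explicit zone, npr.gov :", resolve_with_search("npr.gov", "csb.sh", explicit_zone))
    print("explicit zone, mycomp  :", resolve_with_search("mycomp", "csb.sh", explicit_zone))
```

With the wildcard zone, any name that does not exist publicly (a typo, a dead domain) turns into a hit on the local server, which explains why only a few page loads go wrong. With explicit per-host records the same search-suffix retry yields NXDOMAIN, so the browser just reports the name as unresolvable. In dnsmasq terms that means using per-host entries (`host-record=` or `address=/mycomp.csb.sh/...`) rather than a wildcard for the whole zone, or removing `csb.sh` from the clients' search list; either change keeps local names resolvable without turning public NXDOMAINs into the local IP.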
A friend talked the networking situation over with me and recommended I stop trying to use split-dns and instead do “nat hairpinning” to allow loopback to the external IP from within the network. To that end I disabled dnsmasq in dd-wrt and turned off “Filter WAN NAT Redirection.” So far so good, though this does mean I’ve given up on resolving local hostnames within the network. Instead I’m just going to set the IPs of the ones I care about in my SSH config.
How is this any different/better than using DNS.Google?
If you can provide real world DNS with IP entries for your "local hosts", you can use Internet DNS and hairpin, or NOT hairpin, to them.
That is, if say "a.local.share" can be accessed via "localshare.real.name" (which resolves to local IP) you don't need hairpinning.
If say "a.local.share" must be accessed via "localshare.real.name" (which resolves to a real Internet IP) you will need hairpinning.
[In either case you don't need a DNS for "local hosts"]
What I mean is that with this new setup I don’t have private IPs resolved to their hostnames anymore, inside the LAN. I was using the dnsmasq to turn ssh mycomp.csb.sh into the correct local IP. So, separate from public/real DNS.