I hope someone can help me with this – I thought – simple task.
Situation:
On my private LAN I run an Internet-Router ("Fritz!Box") and a Raspberry Pi with Ubuntu 20.04 LTS on it. I developed a little Spring Boot Web-App for private purposes that I only want to use in my LAN (or maybe reach via VPN from the outside). The native URL of the Web-App is "http://ubuntu:8080", because my Raspberry is called "ubuntu" and the app runs on a Tomcat-Server.
Now I want to expose a URL like e.g. "http://thats-my.app" inside the LAN and use it as the base URL for the app. For the moment, curl on the ubuntu machine can reach it, my other PC can't.
Even better would be a FQDN "http://wow.thats-my.app" (with a subdomain) so I can use the same domain and top-level domain for all apps, and only vary the subdomain, like "http://super.thats-my.app" and so on.
Disclaimer: Since I work via SSH, all configuration is done in the terminal only. Please consider that I don't use the Ubuntu desktop environment.
Thank you in advance for your time and hopefully for your help!
Here is the setup I did on the Ubuntu system. Whatever is not shown here is commented out:
ufw
Status: active
To Action From
-- ------ ----
[ 1] 9090/tcp ALLOW IN Anywhere # UBUNTU-COCKPIT
[ 2] 3306/tcp ALLOW IN Anywhere # MYSQL
[ 3] Apache Full ALLOW IN Anywhere # :80,:443
[ 4] Bind9 ALLOW IN Anywhere # :53
[ 5] OpenSSH ALLOW IN Anywhere # :22
[ 6] 8080:8090/tcp ALLOW IN Anywhere # TOMCAT
[ 7] 9090/tcp (v6) ALLOW IN Anywhere (v6) # UBUNTU-COCKPIT
[ 8] 3306/tcp (v6) ALLOW IN Anywhere (v6) # MYSQL
[ 9] Apache Full (v6) ALLOW IN Anywhere (v6) # :80,:443
[10] Bind9 (v6) ALLOW IN Anywhere (v6) # :53
[11] OpenSSH (v6) ALLOW IN Anywhere (v6) # :22
[12] 8080:8090/tcp (v6) ALLOW IN Anywhere (v6) # TOMCAT
/etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.1.1 ubuntu
127.0.1.1 thats-my.app
(–> no entries for IPv6)
/etc/apache2/sites-available/thats-my.conf
<VirtualHost *:80>
ServerName thats-my.app
ServerAlias thats-my
ProxyRequests Off
# Apache 2.4 (Ubuntu 20.04) access control; "Order/Allow from" is the 2.2 syntax
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
–> Symbolic link to sites-enabled directory
/etc/bind/named.conf.local
zone "thats-my.app" IN {
type master;
file "/etc/bind/forward.thats-my.app.db";
allow-update { none; };
};
zone "178.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/reverse.thats-my.app.db";
allow-update { none; };
};
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
1.1.1.1;
1.0.0.1;
8.8.8.8;
8.8.4.4;
};
dnssec-validation auto;
listen-on-v6 { any; };
allow-query { any; };
};
/etc/bind/forward.thats-my.app.db
$TTL 604800
@ IN SOA ns1.thats-my.app. admin.ns1.thats-my.app. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.thats-my.app.
@ IN A 192.168.178.23 ; apex record: without it "thats-my.app" itself has no address
* IN A 192.168.178.23 ; wildcard so wow.thats-my.app, super.thats-my.app etc. resolve too
ns1 IN A 192.168.178.23
/etc/bind/reverse.thats-my.app.db
$TTL 604800
@ IN SOA thats-my.app. admin.thats-my.app. (
4 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.thats-my.app.
; no A record here: an A for ns1 is out-of-zone data in an in-addr.arpa zone and named ignores it
23 IN PTR ns1.thats-my.app.
–> input to Terminal:
sudo systemctl restart named
sudo systemctl restart apache2
sudo systemctl restart bind9
–> DNS Configuration in the Router
Set DNS IPv4 IP to 192.168.178.23 (primary and secondary)
Set DNS IPv6 IP to IPv6 address of the ubuntu machine (primary and secondary)
Here's what I got:
On the local Ubuntu-Server
$ curl thats-my.app -> OK
$ dig thats-my.app -> status: NOERROR *but* SERVER 1.1.1.1#53 ???
$ dig thats-my.app @127.0.1.1 -> "connection timed out!"
$ dig thats-my.app @192.198.178.23 -> "connections timed out!"
On the LAN Windows-PC PowerShell
curl thats-my.app -> cannot be resolved
On the LAN Windows-PC Chrome Browser
http://thats-my.app -> Website unreachable / DNS_PROBE_FINISHED_NXDOMAIN
If you look at the dig results, it seems to me that Bind9 doesn't work right here. What do you think?
Thanks!
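As an added example (not part of the question, and not a BIND tool), here is a small Python checker for the zone-file format posted above. It parses a constructed zone modelled on the question's forward zone, which deliberately contains only the SOA, the NS and the A record for ns1, and reports the two records a browser-facing name needs but that zone lacks: an A record at the apex (otherwise `dig thats-my.app` answers NOERROR with an empty answer section) and a wildcard for the subdomains the question asks about. The FIXED_ZONE text is likewise constructed here.

```python
"""Sanity checks for a BIND forward zone file (added example, not from the post).

Understands the record types used on the page (SOA, NS, A, AAAA, PTR) plus
the parenthesised SOA continuation; $ORIGIN/$INCLUDE are not handled.
"""

# Constructed zone modelled on the question's forward zone: SOA, NS and
# the glue record for ns1 only, so neither the apex nor subdomains resolve.
MISSING_ZONE = """\
$TTL 604800
@ IN SOA ns1.thats-my.app. admin.ns1.thats-my.app. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.thats-my.app.
ns1 IN A 192.168.178.23
"""

# Constructed corrected zone: apex A record plus a wildcard for subdomains.
FIXED_ZONE = MISSING_ZONE + """\
@ IN A 192.168.178.23
* IN A 192.168.178.23
"""


def parse_zone(text, origin):
    """Return a list of (owner_fqdn, TYPE, rdata) tuples.

    Owner names are made absolute against `origin` (which must end in a
    dot); '@' is the apex.  Lines inside a '( ... )' block are skipped,
    which is enough for the multi-line SOA used in the post.
    """
    records = []
    in_paren = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if in_paren:
            in_paren = ")" not in line
            continue
        if not line or line.startswith("$"):          # blank or $TTL
            continue
        if "(" in line and ")" not in line:
            in_paren = True
            line = line.split("(", 1)[0].strip()
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():                # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn, rtype, rdata))
    return records


def check_forward_zone(records, origin):
    """Return human-readable findings (empty list means the zone looks usable)."""
    findings = []
    addressed = {fqdn for fqdn, t, _ in records if t in ("A", "AAAA")}
    if origin not in addressed:
        findings.append(f"no A/AAAA record for the apex {origin}: "
                        f"'dig {origin.rstrip('.')}' returns NOERROR with no address")
    for fqdn, t, rdata in records:
        # an in-zone NS target needs a glue/address record of its own
        if t == "NS" and rdata.endswith(origin) and rdata not in addressed:
            findings.append(f"NS target {rdata} has no A/AAAA record")
    if f"*.{origin}" not in addressed:
        findings.append(f"no wildcard *.{origin}: names such as "
                        f"wow.{origin.rstrip('.')} will answer NXDOMAIN")
    return findings


if __name__ == "__main__":
    for label, text in (("missing", MISSING_ZONE), ("fixed", FIXED_ZONE)):
        recs = parse_zone(text, "thats-my.app.")
        print(label, check_forward_zone(recs, "thats-my.app.") or "OK")
```

On the Pi itself the authoritative check is BIND's own `named-checkzone thats-my.app /etc/bind/forward.thats-my.app.db` together with `named-checkconf`; this script only shows why a syntactically valid zone can still leave the bare domain name without an address.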
Best Answer
I finally found a solution: The router ("AVM Fritz!Box", very common in Germany) has a security feature "DNS-Rebind-Protection" which prevents DNS requests from within the LAN to another host inside the LAN. Once you set up an exception by typing e.g. the TLD "lan" or, in the case above, "app" in the text box, your local DNS server works perfectly fine. You can remove the forwarders.
PS: You don't need the entry in /etc/hosts!
PPS: https://bind9.readthedocs.io/en/latest/index.html
Good luck!
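To make the accepted answer concrete, here is an added Python model of what a DNS rebind protection does; it is example code, not AVM's implementation or the Fritz!Box's actual matching rules. A resolver with rebind protection drops any answer whose address is private, loopback or link-local, because a public name resolving to a LAN address is the signature of a DNS rebinding attack; the exception box lets named domains through. Suffix matching on labels for the exception list is an assumption of this example.

```python
"""Model of DNS rebind protection with an exception list (added example,
not the router's code).  Assumes the exception list is matched by whole
DNS labels from the right, e.g. "app" covers wow.thats-my.app."""
import ipaddress


def is_rebind_target(ip):
    """True for addresses a rebinding answer would point at: RFC 1918 /
    ULA, loopback, link-local or the unspecified address."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def name_in_allowlist(name, allowlist):
    """Label-wise suffix match: 'app' matches thats-my.app but not myapp."""
    labels = name.rstrip(".").lower().split(".")
    for entry in allowlist:
        ent = entry.rstrip(".").lower().split(".")
        if labels[-len(ent):] == ent:
            return True
    return False


def filter_answer(name, ip, allowlist=()):
    """Decide whether the resolver hands the answer (name -> ip) to the
    client.  Returns (allowed, reason)."""
    if not is_rebind_target(ip):
        return True, "public address"
    if name_in_allowlist(name, allowlist):
        return True, "private address, but the domain is on the exception list"
    return False, "private address for a name outside the exception list (dropped)"


if __name__ == "__main__":
    # Constructed answers: the question's own name, a subdomain, and an
    # unrelated external name pointing at a loopback address.
    cases = [("thats-my.app", "192.168.178.23"),
             ("wow.thats-my.app", "192.168.178.23"),
             ("login.example", "127.0.0.1")]
    for exceptions in ((), ("app",), ("thats-my.app",)):
        print("exceptions:", exceptions or "none")
        for name, ip in cases:
            print("  ", name, ip, filter_answer(name, ip, exceptions))
```

The last loop shows the trade-off behind the answer: listing the whole "app" TLD lets any name under .app resolve to LAN addresses, while the narrower entry "thats-my.app" covers the subdomains the question wants and nothing else. Separately, .app is on browsers' HSTS preload list, so Chrome will upgrade http://thats-my.app to https, which the port-80-only virtual host in the question does not serve.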