DNS how to protect internal sub domains from leaking to public/internet?


I’ve read a bit about how to do this with BIND and zones/views… here are a couple of examples:

The goal of course is to protect the internal server names and ips from being disclosed to the global internet through DNS.

Is there a tutorial or standard way to do this with Nethserver (or dnsmasq)?


The DNS server usually is not available for queries from red interfaces…

Thanks, Pike. I do want to get it right though. To add some keywords to the pile, apparently this is referred to as "SPLIT DNS"

Here’s a good article describing methods and some problems we may encounter when our internal servers/service subdomains are leaked to public:

From the NethServer perspective, what I wrote is correct:
The DNS is used only for the local network and as an internet cache.
If the internet queries some of the public DNS hosts/zones, it should query the SOA, usually (in Italy) the DNS of the registrar/maintainer of the domain.


Based on the headline of that link, it’s dealing with Certificate Transparency logs, which are now mandatory for all public CAs. Thus, if you get certificates for your internal servers using Let’s Encrypt, they will be published to CT logs, and the world will be able to see the names being used. One way to avoid this would be to use a wildcard certificate, which you can’t do through the Neth GUI, but this wiki article gives a way to do it (and this article gives another way). That will not, however, disclose the IP addresses of those internal servers.

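To make the Certificate Transparency point concrete, here is an added example that is not from this thread or from NethServer. It parses a constructed sample shaped like crt.sh’s JSON export (fields common_name, name_value, issuer_name), lists which hostnames under the internal domain are already public, and shows that a wildcard entry names no host but also covers exactly one label, so a deeper name like db.lab.widgets-internal-use.com would still need its own (and therefore logged) certificate. The widgets-*.com names and the records themselves are placeholders.

```python
"""Added example for this thread (not NethServer code): what CT discloses.

Certificate Transparency logs publish every name in every publicly
trusted certificate, so each per-host Let's Encrypt certificate reveals
an internal hostname, while a wildcard reveals only the zone.  The
records below are CONSTRUCTED in the shape of crt.sh's JSON export
(fields `common_name`, `name_value`, `issuer_name`); the widgets-*.com
domains are the placeholders used in the thread, not real sites.
"""
import json

SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.widgets-internal-use.com",
     # SANs are newline-separated in crt.sh output
     "name_value": "mail.widgets-internal-use.com\nwebmail.widgets-internal-use.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "nextcloud.widgets-internal-use.com",
     "name_value": "nextcloud.widgets-internal-use.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.widgets-internal-use.com",
     "name_value": "*.widgets-internal-use.com\nwidgets-internal-use.com"},
])


def ct_names(ct_json):
    """All DNS names (CN plus SANs) in the records, lower-cased."""
    names = set()
    for rec in json.loads(ct_json):
        names.add(rec["common_name"].strip().lower())
        names.update(n.strip().lower()
                     for n in rec["name_value"].splitlines() if n.strip())
    return names


def disclosed_hosts(ct_json, domain):
    """Concrete hostnames strictly under `domain` that CT has made public.

    Wildcard entries are skipped: '*.example.com' proves the zone is in use
    but names no host, which is the whole point of the wildcard approach.
    The apex itself is omitted because a registered domain is public anyway.
    """
    suffix = "." + domain.lower()
    return {n for n in ct_names(ct_json)
            if n.endswith(suffix) and not n.startswith("*.")}


def wildcard_covers(hostname, wildcard):
    """True if `wildcard` (e.g. '*.example.com') is valid for `hostname`.

    Per RFC 6125 / CA/Browser Forum rules the '*' stands for exactly one
    label, so '*.example.com' covers 'a.example.com' but neither
    'a.b.example.com' nor the apex 'example.com'.
    """
    hostname, wildcard = hostname.lower(), wildcard.lower()
    if not wildcard.startswith("*."):
        return hostname == wildcard
    base = wildcard[2:]
    if not hostname.endswith("." + base):
        return False
    leftmost = hostname[:-len(base) - 1]
    return bool(leftmost) and "." not in leftmost


def cert_plan(ct_json, domain, internal_hosts):
    """For each internal host: already in CT, covered by the zone wildcard,
    or not covered (so a cert of its own would publish the name)."""
    public = disclosed_hosts(ct_json, domain)
    wildcard = "*." + domain.lower()
    plan = {}
    for host in internal_hosts:
        host = host.lower()
        if host in public:
            plan[host] = "already public in CT"
        elif wildcard_covers(host, wildcard):
            plan[host] = "covered by " + wildcard
        else:
            plan[host] = "not covered; its own cert would publish the name"
    return plan


if __name__ == "__main__":
    hosts = ["mail.widgets-internal-use.com",
             "files.widgets-internal-use.com",
             "db.lab.widgets-internal-use.com"]
    for host, verdict in cert_plan(SAMPLE_CT_JSON,
                                   "widgets-internal-use.com", hosts).items():
        print(f"{host:40} {verdict}")
```

Against a real crt.sh export the same functions apply unchanged; the one-label rule in wildcard_covers is why a single *.widgets-internal-use.com certificate does not help for hosts in sub-zones, which would each need their own wildcard.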

The DNS server usually is not available for queries from red interfaces…

@pike I guess I see now. The DNS used in nethserver (dnsmasq) by default is intended for DNS services for the inside network only.

Correct–it doesn’t act as a public-facing DNS server. It does with my acme-dns module installed, but that’s only for a very limited purpose. But if you’re concerned about internal hostnames being exposed, the only way to avoid that is either to not get certificates for them, or to get a wildcard cert.

Thanks, Dan! Very helpful responses.

In this case, we actually have (2) domains registered.

One is external and used for company email addresses, i.e. @widgets-external-use.com, with the email being managed by another provider outside, and most users using that provider’s webmail solution (i.e. Google, Microsoft, hosted business email, etc.). I suppose one day it will have a public website as well. That domain is not used anywhere inside.

The other, similar-sounding domain, like widgets-INTERNAL-use.com, we registered intentionally to be used for the inside network, with possible VPN connections/remote workers to the corporate LAN later. This is the domain we’re using with nethserver and for our servers and resources behind the firewall.

So it looks like we’ll research more on the solutions you’ve posted and get a wildcard certificate through LE.