HeadlinesBriefing favicon HeadlinesBriefing.com

Secure Internal Services with Split-Horizon DNS

Hacker News •
×

Managing TLS certificates for internal services often presents a choice between self-signed certificates, which require client trust configuration, or exposing services publicly. This approach advocates for a 'split-horizon DNS' strategy, where internal services like Grafana resolve to internal IP addresses when accessed from a VPN, but to public IPs externally. This allows the use of trusted certificate authorities like Let's Encrypt for secure, automatic certificate issuance and renewal.

The setup involves a VPN with DNS resolver capabilities (Netbird is recommended), an ACME client (acme.sh), and a reverse proxy with WAF features (Nginx). Netbird's Custom Zones handle the split-horizon DNS configuration, directing internal traffic to the correct IP. The acme.sh client is used to issue certificates, with the --standalone flag enabling it to temporarily use port 80 for verification without requiring Nginx to listen on it persistently. Nginx then serves the traffic, binding to the VPN network interface as a WAF layer to block external access.

Automated certificate renewal is managed via a cron job that runs acme.sh --cron. This job ensures updated certificates are copied to Nginx's configuration and that Nginx is reloaded. The author also touches on using Subject Alternative Names (SANs) for multiple subdomains under a single certificate, avoiding the need for wildcard certificates. This layered security approach, combining split-horizon DNS with a WAF, provides a robust solution for securing internal applications.