Let’s say I’ve got Nextcloud selfhosted in my basement and that it is accessible on the world wide web at nextcloud.kickassdomain.org. When someone puts in that URL, we’ll have all the fun DNS-lookups trying to find the IP address to get them to my router, and my router forwards ports 80 and 443 to a machine running a reverse-proxy, and the reverse-proxy then sends it to a machine-and-port that Nextcloud is listening to.
When I do this on my phone next to that computer hosting Nextcloud, (I believe) what happens is that the data leaves and re-enters my home network as my router sends the data to the IP address it is looking for (which is itself). This would mean that instead of getting a couple hundred Mbps from the local wifi (or being etherneted in and getting even more), I’m limited by my ISP’s upload speed of ~25Mbps.
Maybe that just isn’t the case and I’ve got nothing to worry about…
What I want my network to do is to know that nothing has to leave the network at all and just use the local speeds. What I tried before was using a DNS re-write in Adguard such that anything going to my kickassdomain would instead go to the local IP address (so like nextcloud.kickassdomain.org -> 192.168.0.99). This seemed to cause a lot of problems when I then left the house because, I assume, the DNS info was cached and my phone would be out in the world and try to connect to that IP and fail.
My final goal here is that I want to upload/download from my selfhosted applications (like nextcloud) without being limited by the relatively slow upload speed of the ISP.
Maybe the computer already figured all this out, though - it does seem like my router should know its own IP and not bother sending things out into the world just for them to come back.
If it matters, my IP address is pretty stable, but more importantly it is unique to me (like every house in the neighborhood has their own IP).
Updates from testing: So everything does indeed just work without me needing to change how I already had it set up, presumably because the router did the hairpin NAT action folks are talking about here.
I tested it by installing iperf3 on the server, then I used my phone (using the PingTools Network Utilities Android app, only found on Google Play and not on F-Droid) to connect. Here are the results:
- Phone to local IP address (192.168.0.xxx) - ~700 Mbits/second
- Phone to speedtest.mykickassdomain.org while still on the wifi - ~700 Mbits/second
- Phone on cellular to speedtest.mykickassdomain.org - ~4 Mbits/second
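A small diagnostic that encodes the question in this post, added here as an example (not the poster's tooling): for each address a name resolves to, it says whether the client will reach the service directly on the LAN (a split-DNS answer), through the router's hairpin NAT (the answer is the home WAN address), or from outside. It also flags the failure the poster hit, a client away from home still holding a LAN answer. The hostname, WAN address, LAN subnet and the answers in the demo are constructed placeholders; `diagnose()` takes an injectable resolver so the logic runs offline.

```python
"""Which path does a client take to a self-hosted name: LAN direct, hairpin NAT, or remote?"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

PATH_LAN = "lan-direct"       # answer lies in a LAN subnet: split DNS is in effect
PATH_HAIRPIN = "hairpin-nat"  # answer is the home WAN address: the router must hairpin
PATH_REMOTE = "remote"        # answer is some other public address: client is off-site

# Default LAN subnets (RFC 1918); pass your own list to match your network.
DEFAULT_LAN = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def classify_path(resolved_ip: str, wan_ip: Optional[str],
                  lan_networks: Iterable[str] = DEFAULT_LAN) -> str:
    """Classify one resolved address relative to the home LAN and WAN address."""
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in lan_networks):
        return PATH_LAN
    if wan_ip is not None and ip == ipaddress.ip_address(wan_ip):
        return PATH_HAIRPIN
    return PATH_REMOTE


def resolve_all(hostname: str) -> List[str]:
    """Every A/AAAA answer the client's own resolver returns (order kept, duplicates dropped).
    This is what the phone or laptop actually uses, cache included."""
    answers: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, None, type=socket.SOCK_STREAM):
        if sockaddr[0] not in answers:
            answers.append(sockaddr[0])
    return answers


def diagnose(hostname: str, wan_ip: Optional[str],
             lan_networks: Iterable[str] = DEFAULT_LAN,
             resolver: Callable[[str], List[str]] = resolve_all) -> Dict[str, str]:
    """Map each answer for hostname to the path it implies."""
    lan = tuple(lan_networks)
    return {addr: classify_path(addr, wan_ip, lan) for addr in resolver(hostname)}


def stale_lan_answer(paths: Dict[str, str], on_home_network: bool) -> bool:
    """True when a client that is NOT at home still resolves the name to a LAN address:
    the cached split-DNS answer that made the poster's phone fail once out of the house."""
    return (not on_home_network) and PATH_LAN in paths.values()


if __name__ == "__main__":
    # Constructed WAN address and answers (hypothetical); replace them with your own
    # and drop the `resolver=` argument to query the real resolver.
    wan = "203.0.113.7"
    samples = {
        "nextcloud.kickassdomain.org": ["192.168.0.99"],  # split-DNS rewrite in effect
        "speedtest.kickassdomain.org": ["203.0.113.7"],   # public answer, hairpinned at home
    }
    for name, answers in samples.items():
        paths = diagnose(name, wan, resolver=lambda _h, a=answers: a)
        print(name, paths, "stale if roaming:", stale_lan_answer(paths, on_home_network=False))
```

Run it once on the wifi and once on cellular: on the wifi a `lan-direct` result means the split-DNS rewrite is doing its job, `hairpin-nat` means the router is turning the traffic around itself (what the poster's iperf3 numbers show); on cellular, `lan-direct` is the stale cache case.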
Set up an internal DNS server that will resolve your specific host name to an internal IP and forward everything else.
If you just want a specific site, you can use bind and response policy zones. The advantage of this is that you can now configure your DNS server to take advantage of block lists on the internet and block malware/ads/tracking domains.
AKA, split DNS. Doing it this way is a bit cleaner than hairpin NAT as mentioned in other comments, but both options work fine in a home network.
I think this is what I was doing with Adguard and using the re-write rules, but then the client (my phone, for example) would cache the IP address and it would fail when I was out of the house/network.
Or am I misunderstanding what you are saying here?
Hmm, caching has never caused problems with split DNS for me, but it’s really hard to debug what was going on with your setup. Split DNS is really common and is the preferred way to solve this, so most browsers have logic to handle it. You might have had something misconfigured, but unfortunately it’s really hard to diagnose.
I guess I should say that I think there were caching issues, but the problem was coming from an iPhone and the Bitwarden app (connecting to the self-hosted Vaultwarden).
Impossible to say, could be the app is doing something funky, could be iOS, could be lotta things.
I will note, my preferred solution is to do none of the above, and I only do split DNS for one particular service. I much prefer just using an always-on WireGuard VPN that is set to only route traffic to my internal subnets and to use my internal DNS server. Then I just use internal names. WireGuard basically runs at line rate on my setup, so half the time I don’t even turn it off at home. This also gives you the option to use DNS ad blocking (e.g. Adguard) on the go.
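What that client-side WireGuard setup looks like, as an added example rather than the commenter's own config: `AllowedIPs` lists only the home subnets and the tunnel network, so general internet traffic never enters the tunnel, and `DNS` points at a resolver inside one of those subnets, so name lookups for internal names go through the tunnel too. The addresses, endpoint name and key placeholders are constructed.

```ini
# /etc/wireguard/home.conf on the phone/laptop (constructed example; keys are placeholders)
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
# Internal resolver on the LAN (e.g. the Adguard/bind box). It sits inside
# AllowedIPs below, so queries travel through the tunnel and internal names work anywhere.
DNS = 192.168.0.53

[Peer]
PublicKey = <home-server-public-key>
Endpoint = vpn.kickassdomain.org:51820
# Route only the home LAN and the tunnel subnet; everything else stays on the local path.
AllowedIPs = 192.168.0.0/24, 10.8.0.0/24
# Keep the NAT mapping alive on mobile networks
PersistentKeepalive = 25
```

Because `0.0.0.0/0` is not in `AllowedIPs`, this is split tunnelling: only packets for 192.168.0.0/24 and 10.8.0.0/24 are encrypted and sent to the home endpoint. With the DNS server in the tunnel, ad blocking on that resolver applies on the go as well.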
If it is caching you can always set a TTL to a lower value like 5 seconds. And systems should be clearing the DNS cache on a new ifup.
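Putting the earlier bind/RPZ suggestion and the low-TTL suggestion together, here is an example response policy zone (an added illustration, not any commenter's config). It assumes BIND 9 with `response-policy { zone "rpz.local"; };` in the `options` block of named.conf and a matching `zone "rpz.local" { type master; file "/etc/bind/db.rpz.local"; };` declaration; the LAN host, the block-list name and the serial are constructed. BIND also caps the TTL of rewritten answers with `max-policy-ttl`, whose default is 5 seconds, so even a zone with a long `$TTL` would not leave a roaming client holding the LAN answer for long.

```dns
; /etc/bind/db.rpz.local -- response policy zone (constructed example)
$TTL 5                      ; short TTL: a client that leaves the house drops the LAN answer quickly
$ORIGIN rpz.local.
@       IN  SOA  localhost. hostmaster.localhost. (
                 2024010101 ; serial (placeholder; bump on every change)
                 3600       ; refresh
                 600        ; retry
                 86400      ; expire
                 5 )        ; negative-answer TTL
        IN  NS   localhost.

; Split DNS: inside the house the public name resolves straight to the LAN host,
; so traffic never goes out to the router and back. Names are relative to the
; RPZ origin, hence no trailing dot.
nextcloud.kickassdomain.org     IN  A      192.168.0.99

; Block-list style entries: a CNAME to "." makes the resolver answer NXDOMAIN.
; ads.example is a constructed placeholder, not a real tracker domain.
ads.example                     IN  CNAME  .
*.ads.example                   IN  CNAME  .
```

Every other name falls through to normal recursion or the configured forwarders, which is the "forward everything else" part of the suggestion above. Reload with `rndc reload` after editing, and check from a LAN client with `dig nextcloud.kickassdomain.org` that the A record now comes back as 192.168.0.99 with a TTL of 5.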