I have some subdomains that go to my home address (I know I should put it through a VPS first but I’ll get to that when I have time).
If I connect to example.domain.tld and DNS records point back to my own IP, where does that data go to reach back to my device?
This is something you can easily do from the command terminal. For Windows, use Tracert. Linux and Mac, maybe even iPhone and Android have their own commands to run a trace route, too (I don’t know them off the top of my head).
It’s called “traceroute” on Linux and Mac because there was never a 8.3 filename limitation on them.
Microsoft had to put it on a diet. It was getting a little FAT.
Take my upvote and get out.
Daaamn that was the nerd version of a KenM rejoinder! Well played.
Depends, you can set it up a few different ways.
-
you can set the dns so each subdomain resolves to a different port with your ip, in which case your router can forward that port to any local address on your network with port forwarding rules.
-
reverse proxy, this is most common. You use a service to do the translating for you. Your router forwards all requests on port 80 and 443 to your reverse proxy. The reverse proxy takes requests for subdomain1 and forwards it to the associated ip/port locally.
I have a reverse proxy set up already. The path from the outside goes:
DNS -> my IP -> reverse proxy -> server
I’m just wondering what happens when my own devices on the same network go to the domain.
https://en.wikipedia.org/wiki/Network_address_translation#NAT_hairpinning
TL;DR Your router sees you trying to reach your external address and routes the connection back to your LAN without leaving the network.
This does still depend on a functional internet connection however, as your client gets your public IP from a public DNS server over the Internet.
If you were to run a DNS server locally (I use pihole for this), you could have that DNS respond with your local IP, allowing clients within your LAN to resolve the name without needing to reach out to public DNS. This means your local connections will still work when your internet is down; it also provides more privacy by keeping those requests local and can let you make local-only names that aren’t publicly listed.
Of the ~28 FQDNs in my setup, only 4 are public. The rest is local/vpn only and not publicly listed due the above. The reverse proxy then drops all connections that don’t use one of those recognised names, before even completing the TLS handshake. (So direct connections from someone port scanning my IP or using a domain name someone else has pointed at my IP are completely ignored/dropped without response. The server doesn’t even send the TLS cert so as to not expose the names defined in it.)
Devices on your domain will typically do a DNS lookup, which gets your public IP. Then they connect to that public IP, which your router recognises and redirects back into your network. The router then forwards that to your reverse proxy.
If your router isnt doing that properly (timing out usually), look up a setting usually called “NAT loopback” or “NAT hairpinning”. Thats the setting that detects your public IP, and redirects it back inward.
Also if you have your own net filter like PiHole or AdGuard Home with DNS rewrites set up, and you use it as a DNS server in WiFi settings, then it works a small bit differently. (I need to do this because my current ISP removed their DNS settings page for the new model). A public IP and NAT routing is never needed, as the device contacts the DNS server via the router Access Point, and the DNS server translates the service’s FQDN into its internal IP. Aside from that, provided everything is set up correctly, all actual data packets go from device ←→ router ←→ service. If the router lost connection to the Internet this wouldn’t break communications.
You already have a bunch of NAT-level suggestions, so I wanted to mention there’s an alternative solution: split-horizon DNS, or simply split DNS. Basically, you run a DNS server in your LAN (like pi-hole) which resolves to the private IP, so resolving externally and internally give different results. This way packets don’t hit the router at all. You can also do a wildcard like
*.something.lanto avoid having to add a record for every service, and only configure your reverse proxy.
-
DNS request will go to the DNS server but from what I can tell the packet wont go anywhere else. At least on my own network, traceroute gives only one entry and its the final destination. I assume this is because the router knows its own public IP and as such knows the packet doesnt need to be sent anywhere else.
You can see every hop an IP packet takes at IP level with
tracerouteormtr.




