DNS A record pointing to private IP address [duplicate]

I own a domain. I will call it example.com. I want to set up a local BIND server on my private network. I have a box with the private IP address of 192.168.2.13

I would like to have this box named development.example.com. Is it considered normal practice to add an A record for example.com at my DNS provider pointing to the private IP (192.168.2.13), so that development.example.com can resolve to my machine inside my private network?


Solution 1:

Is it considered normal practice to add an A record for example.com at my DNS provider pointing to the private IP (192.168.2.13), so that development.example.com can resolve to my machine inside my private network?

That will certainly work, but it's not best practice as it opens the door for a bit of information leakage about your private network.

Run an instance of DNSMasq locally, which all of your LAN clients can point to. Then in DNSMasq you can add additional hosts to your domain and/or host-overrides that will take precedence over your authoritative DNS server externally.
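The leakage point above is easy to check before a zone goes out. The following is an added example, not code from the original answer or from dnsmasq or BIND: a small POSIX shell audit that reads a BIND-style zone file and lists every A record whose address falls in RFC 1918 space (10/8, 172.16/12, 192.168/16). The zone text is constructed for the example and the host names in it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers): audit a BIND-style zone file
# for A records that point into RFC 1918 space before it is published.
# The zone below is constructed for the example; the names are hypothetical.

SAMPLE_ZONE='$ORIGIN example.com.
$TTL 3600
@           IN SOA  ns1.example.com. hostmaster.example.com. ( 2024010101 7200 900 1209600 3600 )
@           IN NS   ns1.example.com.
ns1         IN A    203.0.113.10
www         IN A    203.0.113.20
development IN A    192.168.2.13    ; the LAN box from the question
vm          IN A    192.168.53.123  ; a Vagrant VM address, as in Solution 2
lab         IN A    172.31.200.5    ; last /16 inside 172.16.0.0/12
edge        IN A    172.32.0.1      ; just outside 172.16.0.0/12, so public'

# Exit 0 if $1 lies in 10/8, 172.16/12 or 192.168/16, else exit 1.
is_private_ip() {
    case "$1" in
        10.*)                                  return 0 ;;
        192.168.*)                             return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Read zone text on stdin; print "owner address" for each A record whose
# address is private. Handles optional TTL/class fields ("host 3600 IN A ...").
# Owner-less continuation lines (owner inherited from the line above) are not
# resolved, so the previous owner is not reported for them.
find_private_a_records() {
    awk 'NF == 0 || $1 ~ /^;/ { next }
         { for (i = 2; i <= NF; i++)
               if ($i == "A" && i < NF) { print $1, $(i+1); break } }' |
    while read -r owner addr; do
        if is_private_ip "$addr"; then
            printf '%s %s\n' "$owner" "$addr"
        fi
    done
}

# Run the audit over the constructed zone; the output lists the records that
# would leak LAN addressing if this file were served to the public.
audit_sample() {
    printf '%s\n' "$SAMPLE_ZONE" | find_private_a_records
}

audit_sample
```

Run it against a real zone with `find_private_a_records < /etc/bind/zones/example.com`. The same split can be verified from the outside once the local resolver is in place: `dig +short development.example.com @192.168.2.1` (your dnsmasq) should return 192.168.2.13, while the same query against a public resolver such as `@1.1.1.1` should return nothing or the public address, never the LAN one.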

Solution 2:

There's no problem doing that - in fact, one of the major consumer router manufacturers used to provide a domain name which had an A record pointing to 192.168.0.1 (though I can no longer find any documentation of this).

However, if you will only need this DNS record on your local network, you should run a local DNSmasq or TinyDNS as suggested by @EEAA above.

The situation where I would put the private address in a public DNS server is if you are using Vagrant (or similar) Virtual Machines for development. For example, if I had a Vagrant VM for development of example.com with the IP address 192.168.53.123 which is a private address only accessible on the machine hosting the VM, then I would create an A record for vm.example.com which points to 192.168.53.123 so that other developers can use it without needing to add their own DNS records locally.

Solution 3:

Absolutely valid. There's a way to present different versions of the same zone with ISC's BIND to different requesters (it's called "view"), so you can limit this information to the LAN only, if needed. But I doubt you would bother.
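What the view mechanism looks like in practice, as an added example and not configuration from the original answer: a minimal split-horizon `named.conf` for the setup in the question. It assumes the LAN is 192.168.2.0/24, the zone files live under /etc/bind/zones/, and the public host is 203.0.113.20; all of those are assumptions made for the example.

```conf
// Added example, not from the original answer. Assumed: LAN 192.168.2.0/24,
// zone files under /etc/bind/zones/, public address 203.0.113.20.

acl "lan" { 192.168.2.0/24; 127.0.0.1; };

// Views are tried in order; the first whose match-clients matches wins,
// so the LAN view must come before the catch-all external view.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                       // LAN clients may use this server as their resolver
    zone "example.com" {
        type master;
        // internal zone file carries:  development  IN A  192.168.2.13
        file "/etc/bind/zones/example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // never be an open resolver to the Internet
    zone "example.com" {
        type master;
        // external zone file carries no RFC 1918 addresses, e.g.  www  IN A  203.0.113.20
        file "/etc/bind/zones/example.com.external";
    };
};
```

Two caveats that bite people the first time: once any `view` is declared, BIND requires every `zone` statement to live inside a view, so existing top-level zones must be moved into one; and `named-checkconf /etc/bind/named.conf` followed by `named-checkzone example.com <file>` for each zone file will catch the structural mistakes before a reload.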

Solution 4:

Perfectly fine. You can, for example, have a server with two interfaces and resolve the name internally to the local address and, for the web, to the public address, as was already mentioned with views in BIND.

For one machine it's probably easier to just add an entry to /etc/hosts:

192.168.2.13 development.example.com

If you want to use BIND and expose this entry to the external world, it probably will not matter because you don't have authority over the domain example.com and nobody will ask you.

But if you think about a real name from your domain, it would be nice to have an external address that at least points to one of your servers that will answer with an error message instead of letting people wait forever until they realize they are not in the internal network. (forgot to start tunnelblick/openvpn, or whatever reason)

  • Just read your comment about Windows 8; there should be a hosts file too.