I have duckdns and nginx set up for remote access to my HA instance.
I recently got a new modem (for new internet connection) and now I can’t access HA with <domain>.duckdns.org from my home network.
Current status:
HA access using <domain>.duckdns.org when connected to home network - Doesn’t work
HA access on local IP when connected to home network - Works
HA access using <domain>.duckdns.org when connected to cellular network or home network with VPN - Works
All of these used to work just fine before switching the modem. I have searched reddit and this forum for 2 days but I am still stuck.
I have forwarded external port 443 to internal port 443 on the new modem just like I had on the old modem.
There exists good documentation for how to set it up, and when properly followed the chances of “breaking their network” are no greater than anything else they may be doing.
Simply telling someone “it can’t be done” doesn’t help them at all, especially when it’s not accurate.
I have a dd wrt router and I have set up a dnsmasq record in it to reroute requests for my duckdns domain to the internal IP address. Now I am able to access my duckdns domain from home network again.
Based on what I know about dnsmasq, I think this is safe to do, but one question:
Is it OK to use the config of dnsmasq as I have set it up? Any risks I am opening myself to?
You’re fine to just use the A record you have configured on your ddwrt, no need to add the dnsmasq add-on.
dnsmasq is simply the name of a DNS server add-on. DNS servers come in many different flavors, from BIND on *nix, to Windows DNS, to dnsmasq, and many others that are purpose-built appliances for security (such as Cisco’s Umbrella, and others). At their core, they all do the exact same thing - resolve FQDNs to IP addresses.
All that entry is doing is when systems on your internal network ask for the IP address of your duckdns domain, your ddwrt system is returning the internal IP address, rather than your internal machines querying public DNS servers and getting the external IP address. Using a DNS A record provides better performance by keeping internal traffic off your firewall, and depending on who you ask, is also more secure than hairpinning the firewall. From a purely traffic-focused point of view, that is the optimal way of addressing the issue.
There may or may not be additional mitigating factors in your particular environment that would make nginx a desirable addition, but if your only goal is HTTPS access of your Home Assistant server from the inside, then what you have done has accomplished that goal.
As for whether or not it is secure - I don’t know much about ddwrt. As long as that internal DNS server isn’t exposed to the internet, then no data leakage can occur. However, even if it were exposed to the internet, the most an attacker could get would be the internal IP address of your Home Assistant server. Since private, internal IP addresses are non-routable on the public internet, an argument could be made that it’s not a very useful piece of data anyway. Since you’ve posted your internal IP here on the forums, I think you are already of the opinion that it’s not a very sensitive piece of data to begin with - and I tend to agree.
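The following is an added example, not code from anyone in this thread: a small audit of dnsmasq `address=` overrides like the one discussed above, checking that the override covers only the intended host and points into a private range. The thread never shows the actual config, so the hostname `myhome.duckdns.org`, the addresses and the sample lines are constructed placeholders.

```python
import ipaddress

# Private ranges an internal override is expected to point into
# (RFC 1918 plus IPv6 unique-local).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample config; hostnames and addresses are placeholders.
SAMPLE_CONF = """\
# split-horizon override for Home Assistant
address=/myhome.duckdns.org/192.168.1.50
address=/duckdns.org/192.168.1.50
address=/cam.example.net/203.0.113.7
server=1.1.1.1
"""

def parse_overrides(conf):
    """Return (domain, target) pairs from dnsmasq address=/domain/.../ip lines."""
    pairs = []
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("#") or not line.startswith("address=/"):
            continue
        *domains, target = line[len("address=/"):].split("/")
        pairs += [(d.lower(), target) for d in domains if d]
    return pairs

def audit(conf, expected_host):
    """Classify each override relative to the one host we meant to redirect."""
    verdicts = {}
    for domain, target in parse_overrides(conf):
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            verdicts[domain] = "unparseable-target"
            continue
        if not any(ip in net for net in PRIVATE_NETS):
            # Internal clients would be steered to an address outside the LAN.
            verdicts[domain] = "non-private-target"
        elif domain == expected_host:
            verdicts[domain] = "ok"
        elif domain == "#" or expected_host.endswith("." + domain):
            # dnsmasq answers for every name under the listed domain.
            verdicts[domain] = "too-broad"
        else:
            verdicts[domain] = "unrelated"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONF, "myhome.duckdns.org").items():
        print(f"{name}: {verdict}")
```

The "too-broad" case matters because dnsmasq applies an `address=` entry to every name under the listed domain, so an entry for the parent domain would also redirect other people's duckdns hosts for clients on the LAN.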