Split horizon dns not working

Shiroe93 · February 25, 2026, 11:06pm

i’m trying to configure split horizon dns in my unifi router for home assistant after i configure the A record in unifi to mi home assistant IP i get this error Unable to fetch auth providers. https://mydomain/? auth_callback=1
any idea on how to solve this?

WallyR · February 25, 2026, 11:22pm

There is an issue with the DNS after the list update.
I have posted an issue for it, but if it has been heard is uncertain.
You are welcome to post in the issue too.

github.com/home-assistant/addons

Edit: probably a coreDNS issue in HAOS. (Let's Encrypt app with lego use SOA records from non-authorative DNS)

opened 03:27AM - 19 Feb 26 UTC

WallyDW

### Describe the issue you are experiencing I am running a domain name on a spl…it-DNS setup. The public and authoritative DNS servers for the domain is hosted on Cloudflare's DNS service. The internal is my router's DNS service. This setup allowed me to get a wildcard certificate with the previous versions of the Let's Encrypt addon and I could then use it internally for HTTPS connections. The new Let's Encrypt app is however using the internal DNS server, ie. the router's, to do some SOA record lookups and that is failing because the router's DNS service do not provide any SOA records. I do not know why it do the SOA lookups for certificate generation. My only guess is that it might try to extract the "state of authority" value for the DNS edit actions later. In anyway the result is that it crashes due to the missing SOA record. The app should probably have an option and maybe even have it set to default use a public DNS service, since Let's Encrypt require you to use them anyway for the authentication process. The DNS service have to be local to the app however, since a change in HA's settings would prevent a split-DNS setup with certificates. ### What type of installation are you running? Home Assistant OS ### Which operating system are you running on? Home Assistant Operating System ### Which app are you reporting an issue with? Let's Encrypt ### What is the version of the app? 6.0.4 ### Steps to reproduce the issue 1. configure a public domain name on an internal DNS service without a SOA record (a SOA record with false informations might be used too) 2. set HA up to use that DNS service 3. try to create a certificate for the domain name ... ### System Health information ## System Information version | core-2026.2.2 -- | -- installation_type | Home Assistant OS dev | false hassio | true docker | true container_arch | amd64 user | root virtualenv | false python_version | 3.13.11 os_name | Linux os_version | 6.12.67-haos arch | x86_64 timezone | Europe/Copenhagen config_dir | /config <details><summary>Home Assistant Community Store</summary> GitHub API | ok -- | -- GitHub Content | ok GitHub Web | ok HACS Data | ok GitHub API Calls Remaining | 5000 Installed Version | 2.0.5 Stage | running Available Repositories | 2757 Downloaded Repositories | 43 </details> <details><summary>Home Assistant Supervisor</summary> host_os | Home Assistant OS 17.1 -- | -- update_channel | stable supervisor_version | supervisor-2026.02.2 agent_version | 1.8.1 docker_version | 29.1.3 disk_total | 97.7 GB disk_used | 41.5 GB nameservers | 10.10.12.1 healthy | true supported | true host_connectivity | true supervisor_connectivity | true ntp_synchronized | true virtualization | kvm board | ova supervisor_api | ok version_api | ok installed_addons | Node-RED (21.0.2), Log Viewer (0.17.1), Mosquitto broker (6.5.2), Samba share (12.5.4), Grafana (12.1.0), Glances (0.21.1), Studio Code Server (6.0.1), Samba Backup (5.2.0), MariaDB (2.7.2), Advanced SSH & Web Terminal (23.0.2), ESPHome Device Builder (2026.2.0), Matter Server (8.2.2), InfluxDB (5.0.2), SQLite Web (6.0.0), chrony (6.0.1), OpenThread Border Router (2.16.4), Let's Encrypt (6.0.4) </details> <details><summary>Dashboards</summary> dashboards | 6 -- | -- resources | 30 views | 24 mode | yaml </details> <details><summary>Network Configuration</summary> adapters | lo (disabled), enp0s18 (enabled, default, auto), docker0 (disabled), hassio (disabled), veth0ba009d (disabled), vethd0bde8f (disabled), vethe5a3de3 (disabled), veth3458ab7 (disabled), veth2e238fc (disabled), vethc955971 (disabled), veth35dd00a (disabled), veth31fb07d (disabled), vethc5eba4f (disabled), vethf82434d (disabled), veth40659b4 (disabled), wpan0 (disabled) -- | -- ipv4_addresses | lo (127.0.0.1/8), enp0s18 (10.10.12.10/24), docker0 (172.30.232.1/23), hassio (172.30.32.1/23), veth0ba009d (), vethd0bde8f (), vethe5a3de3 (), veth3458ab7 (), veth2e238fc (), vethc955971 (), veth35dd00a (), veth31fb07d (), vethc5eba4f (), vethf82434d (), veth40659b4 (), wpan0 () ipv6_addresses | lo (::1/128), enp0s18 (fd18:9309:ec6b:d34a:dea7:d0da:294a:1c0c/64, fe80::f90b:77d9:c156:1573/64), docker0 (fe80::ace7:20ff:fe87:a01f/64), hassio (fe80::bc10:eaff:fe55:4dd3/64), veth0ba009d (fe80::bc3d:88ff:fed1:2c81/64), vethd0bde8f (fe80::c81:36ff:fee9:2b54/64), vethe5a3de3 (fe80::78cc:91ff:fed0:ceac/64), veth3458ab7 (fe80::6080:1cff:fe47:d190/64), veth2e238fc (fe80::e8c0:77ff:fe84:7667/64), vethc955971 (fe80::dc01:b3ff:fe90:c020/64), veth35dd00a (fe80::f42f:4eff:fe68:dfa7/64), veth31fb07d (fe80::1817:88ff:fe80:4ea7/64), vethc5eba4f (fe80::8052:9eff:fecf:72f4/64), vethf82434d (fe80::6048:d3ff:fe13:228f/64), veth40659b4 (fe80::6830:71ff:fe19:c4a2/64), wpan0 (fd44:e4e9:b944:d5ea:0:ff:fe00:fc11/64, fdd3:bfaa:eebe:1:f0f6:af77:9e2:61a9/64, fd44:e4e9:b944:d5ea:0:ff:fe00:fc38/64, fd44:e4e9:b944:d5ea:0:ff:fe00:fc10/64, fd44:e4e9:b944:d5ea:0:ff:fe00:d000/64, fd44:e4e9:b944:d5ea:1eba:fbd0:9932:645f/64, fe80::f4e9:1ed3:273:3337/64) announce_addresses | 10.10.12.10, fd18:9309:ec6b:d34a:dea7:d0da:294a:1c0c, fe80::f90b:77d9:c156:1573 </details> <details><summary>Recorder</summary> oldest_recorder_run | 8 January 2026 at 01:35 -- | -- current_recorder_run | 16 February 2026 at 19:23 estimated_db_size | 3877.75 MiB database_engine | sqlite database_version | 3.49.2 </details> ### Anything in the Supervisor logs that might be useful for us? ```txt None ``` ### Anything in the app logs that might be useful for us? ```txt The error is listed as "certbot.errors.PluginError: cloudflare: failed to find zone dk.: zone could not be found", where dk is my TLD. Running with verbose activated gives a lot of text related to authorization issues. However Cloudflare do not detect any attempts to connect to the API when this error occur. ``` ### Additional information I have another domain that worked flawlessly both before and after the update, so I knew the setup works generally. I can make the app work if I add a local DNS with a SOA record. I can make the other domain fail if I move that to my router's DNS service without SOA. I have used wireshark and can confirm the SOA lookup to the local DNS service for the domain that are defined on that. There is not much on the internet regarding this error text, but Idez's last comment in this [thread](https://community.traefik.io/t/cloudflare-failed-to-find-zone-com-zone-could-not-be-found/8512/7) directed me to the cause.

You can do a “ha dns options --servers dns://1.1.1.1” to solve it currently, but it will not be permanent saved, so a restart of the OS might remove the added server again.

Shiroe93 · February 25, 2026, 11:28pm

i have to use cloudflare dns for the command eve if i use something else?

WallyR · February 25, 2026, 11:31pm

If you do a “ha dns info” then you will probably see your current split-DNS listed as a local and not as a server and that is the issue.

I just realized that I actually got it to work by adding my own DNS server as a server, so it is both listed as a local and as a server, which worked for renewing Let’s Encrypt certificates.

Shiroe93 · February 25, 2026, 11:35pm

how i add it as a server?

locals:
- dns://1.1.1.1
- dns://149.112.112.112
- dns://192.168.50.1
- dns://192.168.50.46
- dns://9.9.9.9
mdns: true
servers: []
update_available: false
version: 2026.02.0
version_latest: 2026.02.0

server is blank right now

WallyR · February 25, 2026, 11:41pm

Yeah and that is the issue.
It seems like locals are only used for reverse-DNS, so something is wrong with the add DNs server routine in HAOS.

use “ha dns options --servers dns://x.x.x.x --servers dns://y.y.y.y --servers dns://z.z.z.z”

Shiroe93 · February 25, 2026, 11:45pm

i send this command but it said the server flag does not exist

Shiroe93 · February 26, 2026, 1:40am

manged to find the issue i wrote server instead of servers but still no result

dtrott · February 26, 2026, 2:09am

Still not clear on what issue you are trying to solve:

Setup your public DNS
Issue the certificate
Install the cert on HA (if desired) - I don’t care / haven’t done this.
Make sure HA’s IP is static.
Place an A record in your internal DNS for HA.
Setup Dynamic DNS for your external IP (if required).
Forward a port from outside to HA (again optional / you may want to use a VPN instead).

Done.

Shiroe93 · February 26, 2026, 6:00am

i’ve done most of this
i’ve cloudflare dns setup with my domain
i have ngnix proxy manager with a ssl wildcard certificate for my services including HA
what i’m trying to achive is a split horizon dns to have ha with ssl in my internal network so i can have two-way audio from my doorbell and acces to microphone
but when i create the A record into unifi i get this error Unable to fetch auth providers. https://mydomain/? auth_callback=1

WallyR · February 26, 2026, 6:33am

In a split-DNS setup you do not use the public DNS, because it holds the wrong entries for internal usage.

WallyR · February 26, 2026, 6:35am

Where do you get that error?
In Unify or HA?
If it is HA, then you might also need to look at Authentication providers - Home Assistant

Shiroe93 · February 26, 2026, 8:02am

what do i have to add? a trusted network?

WallyR · February 26, 2026, 9:03am

I am not really sure.
I do not use a reverse proxy. I prefer a VPN instead and that means local connections.

dtrott · February 26, 2026, 9:41am

If there was no external component, it wouldn’t be called “Split Horizon DNS” it would be called “Internal DNS”. **

** - Well technically you could have two internal horizons, but that would be an unusual configuration.

Assuming an internal/external split horizon, there will always be an external DNS “component” - either a dedicated one or your local DNS server may be configured to service both in which case your local DNS server is globally authoritative - hence it is a public DNS when accessed from the internet.

For clarity:

Hosts on the internet use Public DNS.
Hosts on your LAN use the internal version.

Some hosts can be exclusively listed in either the public or internal versions.
When hosts are listed in both, they typically have:

The internal IP in the internal DNS.
The IP of your router in the public DNS. **
A port forward (on the router) to forward them to the correct internal IP.

** - Well I use a CNAME pointing to a DDNS record - so only one record has to change.