Skip to content
1 min read

Internal DNS override with CoreDNS

Resolving your public domains to private addresses, cleanly.

ReliableMaintainable

The problem

Services carry public names (service.domain.fr) but live on a private network. From the inside, resolving the public name raises two problems. Traffic leaves only to come back: a pointless detour, and a dependency on external connectivity. And for private services, the name simply must not resolve publicly; someone still has to answer internally.

The naive solutions age badly: per-machine hosts files (guaranteed drift, impossible on mobile), or exotic internal names (service.local) that break TLS and force everything to be configured twice.

The pattern

An internal zone that is authoritative for the self-hosted domains, served by CoreDNS to private network clients only:

The same name therefore works everywhere (internal network, Internet, tailnet), and TLS remains valid since the wildcard certificate covers the public name in use.

The pitfalls

Why it’s interesting

It is a small setup, but it touches a real system invariant: name resolution is contextual. Understanding it means understanding a whole class of network bugs commonly dismissed as impossible.