{"id":2689,"date":"2026-02-04T13:16:23","date_gmt":"2026-02-04T12:16:23","guid":{"rendered":"https:\/\/yellotab.se\/x056\/?p=2689"},"modified":"2026-02-04T14:05:01","modified_gmt":"2026-02-04T13:05:01","slug":"split-dns","status":"publish","type":"post","link":"https:\/\/yellotab.se\/x056\/2026\/02\/04\/split-dns\/","title":{"rendered":"Split DNS"},"content":{"rendered":"\n

1\ufe0f\u20e3 Publika DNS-poster (extern)<\/strong><\/h2>\n\n\n\n

Syftet: allt som ska vara n\u00e5bart utifr\u00e5n, t.ex. webbsidor eller Nginx som v\u00e4nder ut\u00e5t.<\/p>\n\n\n\n

Namn<\/strong><\/th>Typ<\/strong><\/th>Pekar p\u00e5<\/strong><\/th>Anv\u00e4ndning<\/strong><\/th><\/tr><\/thead>
home.jidoka.se<\/td>A<\/td>Din publika IP<\/td>Publik \u00e5tkomst till Nginx Proxy Manager \/ hemsida<\/td><\/tr>
auth.jidoka.se<\/td>A<\/td>Din publika IP<\/td>Publik \u00e5tkomst f\u00f6r Freja eID \/ OIDC<\/td><\/tr>
ev *.jidoka.se<\/td>CNAME<\/td>pekar mot huvuddom\u00e4nen<\/td>om du vill ha wildcard f\u00f6r publikt cert<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n

Publika poster ska alltid peka p\u00e5 din externa IP<\/strong>.
De ska inte<\/strong> anv\u00e4ndas av interna tj\u00e4nster som CA.<\/p>\n<\/blockquote>\n\n\n\n

\n
\n<\/blockquote>\n\n\n\n

Ubuiquity Ultra Gateway<\/p>\n\n\n\n

\n\n\n\n

2\ufe0f\u20e3 Intern DNS-poster (LAN \/ split-DNS)<\/strong><\/h2>\n\n\n\n

Syftet: allt som ska n\u00e5s internt med interna IP:er.<\/p>\n\n\n\n

Det g\u00f6r att Step CA, Home Assistant, RADIUS och andra interna tj\u00e4nster kan lita p\u00e5 cert utan att g\u00e5 via Internet.<\/p>\n\n\n\n

Namn<\/strong><\/th>Typ<\/strong><\/th>Pekar p\u00e5<\/strong><\/th>Anv\u00e4ndning<\/strong><\/th><\/tr><\/thead>
home.jidoka.se<\/td>A<\/td>192.168.1.37<\/td>Step CA, Nginx, interna tj\u00e4nster<\/td><\/tr>
auth.jidoka.se<\/td>A<\/td>192.168.1.37<\/td>Freja eID proxy internt<\/td><\/tr>
*.internal.jidoka.se<\/td>A<\/td>192.168.1.x<\/td>internt cert, mTLS, RADIUS etc<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n

Po\u00e4ngen: samma namn som extern DNS kan \u00e5teranv\u00e4ndas internt, men pekar p\u00e5 lokal IP<\/strong>.
Detta \u00e4r split-DNS<\/strong>: externa anv\u00e4ndare g\u00e5r mot publik IP, interna mot LAN-IP.<\/p>\n<\/blockquote>\n\n\n\n

\n
\n<\/blockquote>\n\n\n\n
                 INTERNET\n                     |\n            -------------------\n            |                 |\n   Publik DNS (extern)    Intern LAN (split-DNS)\n            |                 |\n  home.jidoka.se  A -> PUB_IP    home.jidoka.se  A -> 192.168.1.10 (QNAP)\n  auth.jidoka.se  A -> PUB_IP    auth.jidoka.se  A -> 192.168.1.10 (QNAP)<\/code><\/pre>\n\n\n\n
\ud83c\udfd7 Steg f\u00f6r interna tj\u00e4nster<\/strong><\/h2>\n\n\n\n
    \n
  1. Step CA<\/strong>: k\u00f6r p\u00e5 QNAP, lyssnar p\u00e5\u00a00.0.0.0:9000\n
      \n
    • Interna cert-f\u00f6rfr\u00e5gningar \u2192\u00a0home.jidoka.se\u00a0via LAN-IP<\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • Nginx Proxy Manager<\/strong>: anv\u00e4nder wildcard-cert\u00a0*.home.jidoka.se\n
        \n
      • Intern trafik \u2192 LAN-IP<\/li>\n\n\n\n
      • Extern trafik \u2192 publika IP<\/li>\n<\/ul>\n<\/li>\n\n\n\n
      • Freja eID \/ auth.jidoka.se<\/strong>:\n
          \n
        • Extern anv\u00e4ndare \u2192 publika IP<\/li>\n\n\n\n
        • Intern anv\u00e4ndare \u2192 LAN-IP<\/li>\n<\/ul>\n<\/li>\n\n\n\n
        • Interna testtj\u00e4nster \/ RADIUS \/ mTLS<\/strong>:\n
            \n
          • Anv\u00e4nder\u00a0*.internal.jidoka.se<\/li>\n\n\n\n
          • Cert genereras av samma Step CA<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
            1\ufe0f\u20e3 Publika DNS-poster (extern) Syftet: allt som ska vara n\u00e5bart utifr\u00e5n, t.ex. webbsidor eller Nginx som v\u00e4nder ut\u00e5t. Namn Typ Pekar p\u00e5 Anv\u00e4ndning home.jidoka.se A Din publika IP Publik \u00e5tkomst till Nginx Proxy Manager \/ hemsida auth.jidoka.se A Din publika IP Publik \u00e5tkomst f\u00f6r Freja eID \/ OIDC ev *.jidoka.se CNAME pekar mot huvuddom\u00e4nen om du […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2689","post","type-post","status-publish","format-standard","hentry","category-news"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/posts\/2689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/comments?post=2689"}],"version-history":[{"count":4,"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/posts\/2689\/revisions"}],"predecessor-version":[{"id":2696,"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/posts\/2689\/revisions\/2696"}],"wp:attachment":[{"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/media?parent=2689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/categories?post=2689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yellotab.se\/x056\/wp-json\/wp\/v2\/tags?post=2689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}