Conversation

Notices

  1. Jan Wildeboer 😷 (jwildeboer@social.wildeboer.net)'s status on Tuesday, 13-Jan-2026 23:24:33 JST
    • Run your own homelab

    When all parts come together ;) I now have S3-compatible storage with #garage in my homelab, using #nginx as reverse proxy and secured with a certificate from my own #StepCA based CA (Certificate Authority) that gets auto-renewed by #certbot. And this all works without any internet connection, as I also have a DNS server for my home network with the correct CNAME entry for s3.

    #SelfHost #SysAdminLife @homelab

    In conversation about 5 months ago from social.wildeboer.net permalink

    Attachments

    1. https://cdn.masto.host/socialwildeboernet/media_attachments/files/115/881/920/590/139/452/original/e16c8973e0335959.png
    2. https://cdn.masto.host/socialwildeboernet/media_attachments/files/115/881/985/874/722/110/original/c58cd5bc9f724685.png
    • Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Tuesday, 13-Jan-2026 23:24:23 JST
      in reply to
      • Ben Tasker
      • Nils
      • Run your own homelab

      @ben @jwildeboer @thasl @homelab
      I don't use Firefox, so I was curious about this conversation, so I did some digging.

      I created a new/empty Firefox profile and noticed that even with DoH enabled by default, Firefox will resolve "home.arpa" using your local DNS server (RFC 8375). It doesn't do the same for "*.local" or "*.internal" (reserved, but no RFC yet).

      This basically means that if you use "home.arpa" you don't have to mess around with any browser settings to have internal resolution.

      With all that said, while I find it very cool that Mozilla provides the canary domain, I would reinforce that a best practice is to still use DoH to resolve upstream on their local DNS resolvers, even if your resolution inside your local network is plain text. Since Pi-hole was mentioned in this thread, I will link the document on how to set this up.

      https://docs.pi-hole.net/guides/dns/dnscrypt-proxy/

      In conversation about 5 months ago permalink

    • Ben Tasker (ben@mastodon.bentasker.co.uk)'s status on Tuesday, 13-Jan-2026 23:24:24 JST
      in reply to
      • Nils
      • Run your own homelab

      @jwildeboer @thasl @homelab Glad I could help!

      In conversation about 5 months ago permalink
    • Jan Wildeboer 😷 (jwildeboer@social.wildeboer.net)'s status on Tuesday, 13-Jan-2026 23:24:26 JST
      in reply to
      • Ben Tasker
      • Nils
      • Run your own homelab

      @ben Thank you for the explanation and hints! With that I found https://bind9.readthedocs.io/en/latest/chapter6.html#example-using-rpz-to-disable-mozilla-doh-by-default and added the changes to my bind config so it now gives NXDOMAIN which should fix the problem for Firefox. I really despise having to make such application specific changes but I'll be able to live with this one. @thasl @homelab

      In conversation about 5 months ago permalink

      Attachments

      1. https://cdn.masto.host/socialwildeboernet/media_attachments/files/115/883/400/492/522/524/original/49223c78c5f57ba5.png
      2. Link preview: 6. Advanced Configurations — BIND 9 9.21.18-dev documentation
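      The BIND response-policy zone Jan describes (returning NXDOMAIN for the Firefox canary domain), together with a local-only home.arpa zone of the kind Mauricio's test relies on, written out as an added example. This is not configuration from any poster or from the BIND documentation; the file paths, the 192.168.1.0/24 addresses and the ns1/storage/s3 host names are assumptions.

```conf
// ---- named.conf fragment (added example; paths and addresses are assumptions) ----
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.1.53; };
    allow-query { localhost; 192.168.1.0/24; };
    recursion yes;

    // Apply the policy zone below to every answer this resolver gives.
    // break-dnssec yes lets the rewrite apply even when a client asked for
    // DNSSEC data that would otherwise stop BIND from altering the answer.
    response-policy { zone "rpz.local"; } break-dnssec yes;
};

// Policy zone: consulted by RPZ only, never answered to clients directly.
zone "rpz.local" {
    type primary;
    file "/etc/bind/rpz.local";
    allow-query { none; };
};

// RFC 8375 home.arpa: answered locally, never forwarded upstream.
zone "home.arpa" {
    type primary;
    file "/etc/bind/home.arpa.zone";
};

; ---- /etc/bind/rpz.local ----
$TTL 300
@                        SOA localhost. root.localhost. 1 3h 1h 1w 1h
@                        NS  localhost.
; In an RPZ, "CNAME ." is the action that makes the resolver return NXDOMAIN.
; The owner name is relative to the zone origin, so this entry matches
; use-application-dns.net exactly and nothing else.
use-application-dns.net  CNAME .

; ---- /etc/bind/home.arpa.zone (host names and addresses are constructed) ----
$TTL 3600
@        SOA ns1.home.arpa. hostmaster.home.arpa. 2026011301 1h 15m 1w 1h
@        NS  ns1.home.arpa.
ns1      A   192.168.1.53
storage  A   192.168.1.20
; The S3 endpoint reaches the reverse proxy through a CNAME, as in Jan's setup.
s3       CNAME storage
```

      After `rndc reload`, `dig @192.168.1.53 use-application-dns.net A` should come back with status NXDOMAIN, and `dig @192.168.1.53 s3.home.arpa` should follow the CNAME to 192.168.1.20. Two limits follow from the thread itself: the canary only switches off Firefox's default DoH behaviour, so a profile set to Max Protection keeps using DoH regardless, and the policy only affects clients whose system resolver is this server, which is what handing out the DNS address via DHCP takes care of.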
    • Ben Tasker (ben@mastodon.bentasker.co.uk)'s status on Tuesday, 13-Jan-2026 23:24:27 JST
      in reply to
      • Nils
      • Run your own homelab

      @thasl @jwildeboer @homelab

      Chrome based browsers should "just" work (there'll be an exception somewhere though)

      For Firefox based browsers, the simplest way is to use the canary domain (you have to make use-application-dns.net NXDOMAIN).

      In case you were thinking of deploying pihole onto your network: it does that automatically (https://docs.pi-hole.net/ftldns/configfile/#mozillacanary), everything does just work after that.

      In conversation about 5 months ago permalink

      Attachments

      1. Link preview: Canary domain - use-application-dns.net | Firefox Help
         Network administrators may configure their networks to modify DNS requests for the following special-purpose domain, called a "canary domain".
      2. Link preview: Configuration - Pi-hole documentation
    • Nils (thasl@social.tchncs.de)'s status on Tuesday, 13-Jan-2026 23:24:29 JST
      in reply to
      • Ben Tasker
      • Run your own homelab

      @ben that makes so much sense, thanks for the hint! I indeed have the same domain for externally available services as well as my homelab, I always wondered why FF would only _sometimes_ resolve correctly to my internal IPs.
      What would the best approach be here? Have a completely separate domain only for the homelab? @jwildeboer what are you using here? I figured using an existing domain would make sense so I could get certs via the LE DNS challenge. Own CA would be an option, but again only for devices I control, not guests.
      But anyway thanks for all the input, very valuable as I am only at the start of my homelab journey :) @homelab

      In conversation about 5 months ago permalink
    • Ben Tasker (ben@mastodon.bentasker.co.uk)'s status on Tuesday, 13-Jan-2026 23:24:30 JST
      in reply to
      • Nils
      • Run your own homelab

      @thasl @jwildeboer @homelab

      DoH only really poses an issue if you've got split-horizon DNS (i.e. there's also a public facing record).

      Firefox (for example) will attempt to use DoH, but if resolution fails that way it'll fall back to local DNS (FF also has a canary domain you can use to disable DoH).

      Chrome's even simpler, it just tries DoH to your system configured resolver (and falls back if DoH can't be done).

      Basically, you can just DHCP your DNS as normal and it all sort of works.

      In conversation about 5 months ago permalink
    • Nils (thasl@social.tchncs.de)'s status on Tuesday, 13-Jan-2026 23:24:32 JST
      in reply to
      • Run your own homelab

      @jwildeboer @homelab very cool, I am also planning to test out Garage after your recent posts!
      How do you handle DNS settings of your end devices with that internal DNS? A lot of browsers now default to public DoH, and will thus not get the internal DNS entries. I can of course deactivate that for devices under my control, but for homelab services I want to make available to guests this is an issue I have not yet solved.

      In conversation about 5 months ago permalink
    • Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Tuesday, 13-Jan-2026 23:45:54 JST
      in reply to
      • Ben Tasker
      • Nils
      • Run your own homelab

      @jwildeboer @ben @thasl @homelab
      Probably expected: "home.arpa" resolution does not work on "Max Protection", but still works on "Increased Protection".

      In conversation about 5 months ago permalink

    • Jan Wildeboer 😷 (jwildeboer@social.wildeboer.net)'s status on Tuesday, 13-Jan-2026 23:45:56 JST
      in reply to
      • Ben Tasker
      • Nils
      • Mauricio Teixeira 🇧🇷🇺🇲
      • Run your own homelab

      @badnetmask If possible (and you have the time and energy) could you try again with DoH set to "Max Protection"? According to the docs [1] this should result in: "Firefox will always use secure DNS. You'll see a security risk warning before we use your system DNS." @ben @thasl @homelab

      [1] https://support.mozilla.org/en-US/kb/dns-over-https

      In conversation about 5 months ago permalink

      Attachments

      1. Link preview: Configure DNS over HTTPS protection levels in Firefox | Firefox Help
         DNS over HTTPS (DoH) is a recommended feature that enhances privacy. Learn more about the DoH protection levels you can configure in Firefox settings.
    • Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Wednesday, 14-Jan-2026 00:12:34 JST
      in reply to
      • Ben Tasker
      • Run your own homelab

      @ben @jwildeboer @homelab
      On the visitors situation: by the time they need to use my home services with my custom domain and custom cert, either they should trust what I say, or I should guide them to load my private CA. At any rate, that's a very rare case (visitors using my local services), at least for me.

      In conversation about 5 months ago permalink
    • Ben Tasker (ben@mastodon.bentasker.co.uk)'s status on Wednesday, 14-Jan-2026 00:12:36 JST
      in reply to
      • Mauricio Teixeira 🇧🇷🇺🇲
      • Run your own homelab

      @badnetmask @jwildeboer @homelab Oh you know what, I think I misread what you meant and we're on the same page :D

      In conversation about 5 months ago permalink
    • Ben Tasker (ben@mastodon.bentasker.co.uk)'s status on Wednesday, 14-Jan-2026 00:12:37 JST
      in reply to
      • Mauricio Teixeira 🇧🇷🇺🇲
      • Run your own homelab

      @badnetmask @jwildeboer @homelab

      Yep, it'll resolve home.arpa locally.

      But, that's no good if you want to do SSL *and* have it work on visitors' devices (because issuing with your CA won't help unless you also add your CA cert to their devices - they'd have to **really** trust you for that).

      Not sure I agree on the best practice bit though.

      Having FF use your local resolver (which ideally uses encrypted upstreams) is (IMO) far better because it reduces centralisation.

      In conversation about 5 months ago permalink

    • Mauricio Teixeira 🇧🇷🇺🇲 (badnetmask@hachyderm.io)'s status on Wednesday, 14-Jan-2026 00:32:20 JST
      in reply to
      • Ben Tasker
      • Run your own homelab

      @jwildeboer @ben @homelab
      If my visitors stumble upon any of my home services, either I need them to, or I made a configuration mistake, because my visitors are supposed to be connected to an isolated VLAN. 😄

      In conversation about 5 months ago permalink
    • Jan Wildeboer 😷 (jwildeboer@social.wildeboer.net)'s status on Wednesday, 14-Jan-2026 00:32:22 JST
      in reply to
      • Ben Tasker
      • Mauricio Teixeira 🇧🇷🇺🇲
      • Run your own homelab

      @badnetmask I actually use it as a kind of security by obscurity thing. I have my own CA and all my machines have and trust the root cert. So if a visitor stumbles upon something, they have to ask me to help them with using that ;) @ben @homelab

      In conversation about 5 months ago permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.