Is Using Public DNS for Private IPs a Smart Way to Avoid Self-Signed Certificates?

Asked By CuriousCat123 On

Hey everyone! I'm currently working on deploying RabbitMQ within our private networks on AWS VPC. I want to keep it from being exposed through a Public Load Balancer since that adds extra costs, so I'm thinking of using private DNS instead. My plan is to either leave it as plain text or secure it with TLS. Best practices suggest that TLS is the way to go, which means I need certificates. However, I'd like to skip the hassle of managing self-signed TLS certificates since you can't get public certificates for private DNS records. This brings me to my idea: what if I use a public DNS that resolves to a private IP and then get public certificates from Let's Encrypt? Is this a good approach, or should I just go without TLS altogether?

5 Answers

Answered By TechGuru007 On

You don’t really need to rely on self-signed certificates. You can use your Certificate Authority (CA) to sign private certificates instead. Remember, Let's Encrypt issues certificates only for domains, not for your private IPs or DNS. You might want to clarify how PKI works and its relation to DNS before proceeding with the plan.
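The internal-CA route this answer describes, as an added example that is not part of the thread: a minimal root CA built with openssl that issues a server certificate for a private DNS name, with a SAN that can also carry an RFC 1918 address (a public CA cannot issue that). The hostname, address, file names and the WORK directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway internal CA and
# issues a leaf certificate for a private host. Names and paths are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. In practice the CA key stays on an offline or HSM-backed
# host; only ca.crt is distributed to clients.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Issue a leaf cert. TLS clients match the hostname against subjectAltName,
# not the CN, so the private DNS name (and optionally the private IP) go there.
issue_server_cert() {
  host="$1"; ip="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr"
  cat > "$WORK/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:$ip
EOF
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 397 -sha256 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt"
}

# Validate the chain the way a client that trusts only ca.crt would.
verify_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}

# Print the SAN block so the issued names can be inspected.
san_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

# Example run (assumed hostname and RFC 1918 address):
#   make_ca
#   issue_server_cert rabbitmq.internal.example 10.0.1.25
#   verify_server_cert rabbitmq.internal.example && san_of rabbitmq.internal.example
```

The resulting ca.crt is what each RabbitMQ client (and the broker, for peer verification) must trust; the leaf key and certificate are what the broker's ssl_options point at. Rotation is the real cost of this route: the leaf above is limited to 397 days and the CA to ten years, so both need a renewal process before they lapse.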

Answered By NetworkNinja88 On

I see this approach being used a lot, whether it’s for businesses or personal projects. Honestly, there’s not much of a downside. Yes, people might get a glimpse into your internal network, but that info is pretty harmless if they can’t access your private network.

Answered By LetsEncryptLover On

Make sure you’re using the correct challenge type for Let's Encrypt. For your scenario, the DNS-01 challenge is what you need, which will require you to add a TXT record for validation. A private IP associated with a public DNS isn’t going to work for their other challenge types.
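How the DNS-01 validation value is derived, as an added example that is not part of this answer or of any ACME client: the TXT record is base64url(SHA-256(token "." base64url(JWK thumbprint))) per RFC 8555 section 8.4, published at _acme-challenge.<name>. Only that TXT record is consulted, which is why the A record can point at a private address. The token and thumbprint below are constructed sample strings, not real ACME data.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the DNS-01 TXT value
# (RFC 8555 section 8.4). SAMPLE_* values are constructed, not real.
set -eu

# RFC 4648 base64url without padding, the encoding ACME uses throughout.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# keyAuthorization = token || "." || base64url(JWK thumbprint of the account key)
key_authorization() { printf '%s.%s' "$1" "$2"; }

# TXT record value = base64url(SHA-256(keyAuthorization)); 32 bytes -> 43 chars.
dns01_txt_value() {
  key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# The record is published under _acme-challenge.<identifier>. The identifier's
# own A/AAAA record is never fetched, so a private IP there does not matter.
dns01_record_name() { printf '_acme-challenge.%s' "$1"; }

SAMPLE_TOKEN="sample-token-not-issued-by-any-CA"            # constructed
SAMPLE_THUMB="sample-account-key-thumbprint-not-real"       # constructed

# Example run (assumed hostname):
#   dns01_record_name rabbitmq.example.com
#   dns01_txt_value "$SAMPLE_TOKEN" "$SAMPLE_THUMB"
```

An ACME client such as certbot does this derivation for you; the point of writing it out is that the value depends only on the challenge token and your account key, so the DNS provider's API credential used to write the TXT record is the sensitive part of the setup. Once the record is published you can confirm propagation with dig +short TXT _acme-challenge.<name> (assumed hostname) before asking the CA to validate.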

Answered By DevOpsDynamo On

This feels like asking if you should leave your door unlocked just because managing the key is a hassle. Self-signed certs are quick to set up, and it might be worth investing some time into managing them or using an internal PKI solution instead of complicating things with DNS manipulation.

Answered By CloudSurfer92 On

If you're using Nitro instances to communicate, that's already encrypted at line rate. While you shouldn't solely depend on AWS for security, they're providing encryption across their infrastructure, which is worth considering.
