Hello,
I’ve got a DNS problem with the newest Android client.
I’m on a self-hosted instance behind a reverse proxy. I only allow access from my local IP network range via the reverse proxy. This has worked fine without problems for years.
To answer the HTTPS certificate challenge I’ve set up an external record for my domain. With the newest client and server version I can’t connect from home with my phone app while in the local network.
Is it possible that the app uses different DNS resolvers and doesn’t use the system ones that are assigned on my phone? That’s the only possible scenario that could explain this behavior.
In the web server access logs I see that my requests come from my external IP through the web server while using the app.
If I access the Bitwarden instance via the browser interface on the same mobile device (Android), everything works fine and the web server logs show the internal IP as they should.
I am not sure whether the Bitwarden mobile client has any hardcoded DNS settings or whether it simply defaults to the underlying system DNS settings; it could very well be that your phone has cached the records for the URL of your Bitwarden instance.
This is partially the issue if you are utilizing split-brain DNS, or split-horizon DNS as it is also known.
Ideally you would have a URL for your public-facing site with public DNS records set for bitwarden.example.domain, which points to the public IP of your reverse proxy, e.g. 8.8.8.8.
Meanwhile your internal DNS records would simultaneously point to a separate domain or subdomain for internal network traffic, with an internal record such as bitwarden.intranet.example.domain which points to the internal IP of your server, e.g. 192.168.1.1.
Ultimately I would recommend trying to clear the cache on your phone, possibly deleting the cached app data for Bitwarden, or reinstalling the app if that does not work.
You may also want to set the TTL for your self-hosted record down to a lower number to assist when switching from internal to external networks.
> This is partially the issue if you are utilizing split-brain DNS, or split-horizon DNS as it is also known.
> Ideally you would have a URL for your public-facing site with public DNS records set for bitwarden.example.domain, which points to the public IP of your reverse proxy, e.g. 8.8.8.8.
> Meanwhile your internal DNS records would simultaneously point to a separate domain or subdomain for internal network traffic, with an internal record such as bitwarden.intranet.example.domain which points to the internal IP of your server, e.g. 192.168.1.1.

The problem here is that this isn’t possible because of the missing options in the client for this.
Furthermore, nothing changed on my network side, and this setup has worked without problems for years. The TTL is deliberately low because I know about these cases.
Sadly, reinstalling the app/app data and rebooting the phone didn’t change anything. The phone itself can’t be the problem because the browser works fine. It must be a problem inside the app itself.
Any other ideas?
Sadly I do not know of any other method to clear the DNS cache for the application if neither clearing the cached application data nor uninstalling/reinstalling the app will do.
I couldn’t imagine that Bitwarden would hardcode any type of DNS servers; it would most likely utilize the system ones.
One thing I am a bit curious about though is this:
If you wish for Bitwarden to only be accessible on your local network, i.e. within your home while connected to Wi-Fi, and not available to the greater outside world, why expose the connection in the first place?
You could perhaps utilize ACME’s DNS-01 challenge to gather the certificate.
This would allow you to get a valid cert for your self-hosted Bitwarden instance, while not having to expose or open any ports or connections to the outside greater internet.
Your reverse proxy can use this, and Bitwarden would only be available inside your network or via an internal VPN.
No need for an additional external DNS record for your Bitwarden instance since it would only be internally available.
This may be more what you are looking for anyways, and should solve the issue of cached DNS and split-horizon DNS from the same name record.
Thanks for your information.
Unfortunately my DNS/domain registrar doesn’t support LE with an API, so DNS validation is not possible without great effort.
But as a workaround I will change everything to a wildcard, so I only need to change 1 record every 3 months instead of 100.
Not a nice solution, but I’m sure it will work and solve the Bitwarden issue.
A bit sad that the problem could not be solved here, but anyways much thanks for your help and thoughts!