colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bind: enable reverse DNS on select networks

Browse Source
This commit is contained in:
Colin
2025-07-01 16:18:33 +00:00
parent dd2aee0e10
commit 195e420181
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
hosts/common/net/dns/bind.nix
View File

@@ -86,6 +86,12 @@ in
// and as of 2025-01-30 BIND9 gives no way to disable DNSSEC per-forwarder/zone,
// so just disable it globally
dnssec-validation no;
// XXX(2025-06-30): i need reverse DNS of private IP space such as 10.0.0.0/8.
// configuring those zones (done in a secrets/ file), unfortunately requires disabling
// ALL local entries for reserved zones (IN-ADDR.ARPA, IP6.ARPA, EMPTY.AS112.ARPA, HOME.ARPA, RESOLVER.ARPA).
// TODO: figure a better solution, as this likely causes reverse-DNS queries of LAN hosts to be sent to the WAN!
// - see <https://www.as112.net/>
empty-zones-enable no;
'';
# re-implement the nixos default bind config, but without `options { forwarders { }; };`,
# as having an empty `forwarders` at the top-level prevents me from forwarding the `.` zone in a separate statement

6
secrets/common/tailscale-work-zones-bind.conf.bin
View File

@@ -1,5 +1,5 @@
{
"data": "ENC[AES256_GCM,data:ct3YP4okeobuz7vQbKO4GTiPs4LItvLfglruc0AXOFZV9sGV2fnrJ77VG9O7B0wZ2Mkoo2qhSgnHB9Ql90gH0q9a/6tygfOqa3k44hWS1DwefsvIEf3oMSZ9K7PRSO1GBtfXYwTSHz2hG++yMc5fSyAY98Y8gv33DPYwT5Wut1QSfq35Ec8XVt38Oso2Bkcl1Q0hE5a/FDhoqc5rDjYkdUapQpDNskJ6i3A1Db16hArNvKhq4Q5c7XOMTb+aI1NL5/WzPWVNCHRFURF+JgswP9HNQsvnHlWuW72cD5BcLFugmzdHfeagzu7oBZ9EczazyP6HqnoEeYmf6T3YghYbq/ulDMgdV98/iu8Z8eLy85QMlNRvyV66gdA5i7sbqwU9Riyvvfs0BE19b5DfHipzf7/0mz62ZPLOciXqw+GzyVndzVSUCGnuM3AENFUuQABeAwOndCIRUdL/3XrOxcGP04vtNPaROCn1XCiJiAysFps95Nk0j3DSIpYi+44CQeYm00XCZgAc8dnr+Vu6CTOz7CBSmWkSUAOm3Ogs4gk8qDfVjS9xIZPdhUlgyW7e492fTY6S3A29FWKREIu3pTW/3TTEOaAmmaucwV2cU48XjG36PuyfYfVmYbv97OXjKp5yHgjY0Q1vVeEvQI4LhFirJ4VcUYxFJ+uatygFiGJZXPS6mJKj8J6HN08eGNZOG1foRA==,iv:Nk/FJy8kc7/O1ov3m3OCPHGA0YXnXD3BeTWhCBl2Ttg=,tag:q5clW6bww5wwD/kiPfIuGQ==,type:str]",
"data": "ENC[AES256_GCM,data:XHHpAQOEgPdP/ARrkPLT2+u/64LnTOr9kDIsc+7rPLgXrFWW8XCwjQu6kswasogQW3fDPNE2Wf2wfrxeDjVIdKiCy7hykrqQJBR6l0XKcc+pKTYO4gmFjSy0DzOZaFxCkQK5uJrjT5FqGvjptigMaGbic/atF8dZ+uA0jCYDHc3MUWLtr3nDAbTGcJWiyTvPIqXWQkLsrkqr1MFNh6uQXNxaBs4SwSXE2j6C0kxEMmJ40FqCE25RpEn51GVGxQypWFRHVk2Hf3AsUeqDP/DzfFHGyN3n7LRY1zj2YCwXE1uERscnGBpf3BPaNblnMCTbnpc0lse8FHsqqfnly+GuB0UWBSmGIMKv1YMJYREXaHg80QWtWxCapIu/g6JMpgYAznBuoUp9TPEZUlBLK7WPqfMS21vjFOx+CwpTlho0IR5siB+6xwBAKOn+D2RKZzVKAXawRCjcxH3XSdXOOjjejfWQRTVr3tbyMrYc82msWRhVusKbhE8n11X1QWMj7IpsQ/YrrnksdW8nJsx94/LtogeKRnRlamOvTdA3jFow1k80UgCWbzouY14fY1BM5+Ygmrd+j5HP/duR7XT0YeYBWWVzrtNvVPIjtc0NyBmDNM/Ok5gQnxmrAilfF+51zd1spCuK5XYs7tr42VyKSbZ4lUiYEXSKYUnKT+tvju7+sdM5gQZiLnzvyFauxVEJapYm/tJlkGOvwSrIXtTWWBG0vcLnHglSKKrDPzqSrfUgXO6qjCCCHcL+k70K5chME8qRtlnIHFi1VWAXUBPnK7auk0X8+o4/J0tEQz4FmGMw+eUSwaNWFHnef8JcWj/HduImmYeVGYu9UrPrHFicKU0vWUOm4aKJYdfdOp/NoVuxFjlNWrIKZcXbE+lVsZonqSmMMue/xxaeiZFGj2IzfnShONGwadATyeV2c9sG7GVDVmAWWIVEOH6ZGaTcokR9IaMB9HthvKtROY5wOz0xn63XIH0g0jf/53HxCarF3aeEzrR9b/Z3rzmerXiC9+mdNirGftZkBcz3CSUa/353H9+WsF0ZSTQEPUUW8S9rzI1SXbJNK8L5Zk5D74jGBROprBzd9Q1am+f0dxjUEnAWiOEB1xx87gm6sGq1Sip3LqqvCxH6+rlE0q14JyjAzSSu3e9PAOSvFCmcx/jaJcTCJ5mPDdxRtysX4YR7OfGrMK74pI/SnE8Ksa22myocrcgHVCmC8Y4BcfmFd3zwxTXSOrUCurd287Sy99ggWIOCI2V/y9qN1QWtIo5vsNg5eDzqTBh40M+1SPSfby3SkyDWgvuXS0pizGWAQbjM0bRDRibcr8RkFi+aOmjHLand9vXhSSJ6c+Whm4Xlf3RKDB0MfY1xOCkmqq521Un0+OMYo6NGap+ncAjjujQ7MSS2nINWM71K6Lhd0WYwHCMpL2ReaEk5ixZc+QAw6e1En0+JIYPbdhTG3RdP2Qqx0ynNLdYBIpBgT8kPxc449YFdCZMNubQ5w06umgaBa6YZNaERAJWYs+F3wjyNed8srGONvu+ntb0fTyTbtf9F7H/8woOMHsQqoITzqPelGVSLXIzGYxu6Har0CBpzPQBhqIYc,iv:DAaEQ42a9R8MfcBraprLvTUiYzDa1u2oFI59URaQTR8=,tag:W02NY0kKtHfyPIA++zXiqQ==,type:str]",
"sops": {
"age": [
{
@@ -47,8 +47,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MmQ2cjl6aDFGUmtUNE5U\nWFVPWW41Y0thaFNTZjhYbFJWbUkzaWtnRVNnCkI2UDl2d0gxQm9DalhLbk9vMTRF\nTFJSMDFHaTkvOU0ySytOVGxvUnpMVWcKLS0tIGdKcTJpOXE0cXdYeWpqTjhqWUFx\nRGJxc0x1MmdnUVpld1h1cHVzd2Y1cVkKbzFG7oaz8bZjqPgmz+mZReC0rjehgsRf\nBs/RDOdq5FvGuNm52/x/wEs9cm5oOgew1YIH+aN60Yk14mP+KAjLTg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-05-30T04:32:06Z",
"mac": "ENC[AES256_GCM,data:50DijLN+OJ1ByoQLVPElfIjkEznLaO0TOL/Ne7/y+Slx5wwBUn9si/Rh7nPrB7ugvtsuSRg7q2GKHU4ALr18pCnR7bNbL6BK8SkUjQioj7civD7gvvF2vh9VjsEDC2s3ONePf2RbjEwUzFr1vRGKVtUcqtw8sShGaW6Wq8vaL8A=,iv:1huo1ykQJnKa8wNsykHuF3/FjhyFk/Pfksd7iAdXQwU=,tag:rqyAeiE1TJMvMpKsx2lRjw==,type:str]",
"lastmodified": "2025-07-01T07:48:14Z",
"mac": "ENC[AES256_GCM,data:SGL9hICKxD6BhgSVDo04wiPk8L7O70lN/h1LCbe41UmpSV8cI0Q6DBX5k6s5QjfaRjct3J3X1uOWd8XGMH5IsQlIgK2/RQfBXHkk9hXt8A8NXNEBEYI4crtvxu4CKbXog+poaowqNqSYhJfnrBHmcitJN4/rXZ7sPCSsdaeSUwU=,iv:2O3iJEn38+GejqQs59WReSuHZ6wOJOAn2jE/FoZWVcE=,tag:hxrf5H/nXX5ElMsnh22v3w==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}