dns: rework so that we branch to the LAN v.s. WAN results based on source IP of the query -- not interface.

this simplifies the UPnP forwards and the OVPN routing
2023-05-31 00:56:52 +00:00 · 2023-05-31 00:56:52 +00:00 · 5cc7ced859
commit 5cc7ced859
parent 4dc5378b3e
3 changed files with 25 additions and 12 deletions
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -6,6 +6,9 @@
  sane.services.wan-ports.openFirewall = true;
  sane.services.wan-ports.openUpnp = true;

+  # view refused packets with: `sudo journalctl -k`
+  # networking.firewall.logRefusedPackets = true;
+
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
@ -153,9 +156,9 @@

      # we also bridge DNS traffic
      ${in-ns} ${iptables} -A PREROUTING -t nat -p udp --dport 53 -m iprange --dst-range ${vpn-ip} \
-        -j DNAT --to-destination ${veth-host-ip}:1053
+        -j DNAT --to-destination ${veth-host-ip}
      ${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 53 -m iprange --dst-range ${vpn-ip} \
-        -j DNAT --to-destination ${veth-host-ip}:1053
+        -j DNAT --to-destination ${veth-host-ip}

      # in order to access DNS in this netns, we need to route it to the VPN's nameservers
      # - alternatively, we could fix DNS servers like 1.1.1.1.
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
@ -78,9 +78,9 @@
        > ${zone-lan}

      # launch the different interfaces, separately
-      ${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/wan/ $@ &
+      ${pkgs.trust-dns}/bin/named --port 53 --zonedir ${zone-dir}/wan/ $@ &
      WANPID=$!
-      ${pkgs.trust-dns}/bin/named --zonedir ${zone-dir}/lan/ $@ &
+      ${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/lan/ $@ &
      LANPID=$!

      # wait until any of the processes exits, then kill them all and exit error
@ -93,7 +93,22 @@

  sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];

-  # for WAN visibility
+  networking.nat.enable = true;
+  networking.nat.extraCommands = ''
+    # redirect incoming DNS requests from LAN addresses
+    #   to the LAN-specialized DNS service
+    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
+    #   because they get cleanly reset across activations or `systemctl restart firewall`
+    #   instead of accumulating cruft
+    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
+      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+      -j DNAT --to-destination :1053
+    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
+      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+      -j DNAT --to-destination :1053
+  '';
+
+  # because the NAT above redirects in PREROUTING, LAN requests behave as though they arrived on the external interface at the redirected port
  networking.firewall.allowedUDPPorts = [ 1053 ];
  networking.firewall.allowedTCPPorts = [ 1053 ];
 }
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@ -189,13 +189,8 @@ in
  config = mkIf cfg.enable {
    sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;

-    # TODO: we need the UPnP port to map WAN 53 -> LAN 1053
-    # else we'll be giving LAN IPs to WAN requests.
-    # until then, manage forwards manually.
-    # sane.services.wan-ports.tcp = [ 53 ];
-    # sane.services.wan-ports.udp = [ 53 ];
-    networking.firewall.allowedUDPPorts = [ 53 ];
-    networking.firewall.allowedTCPPorts = [ 53 ];
+    sane.services.wan-ports.tcp = [ 53 ];
+    sane.services.wan-ports.udp = [ 53 ];

    systemd.services.trust-dns = {
      description = "trust-dns DNS server";