From 5cc7ced8593b3a7228faa79bf320f75640500551 Mon Sep 17 00:00:00 2001
From: Colin
Date: Wed, 31 May 2023 00:56:52 +0000
Subject: [PATCH] dns: rework so that we branch to the LAN v.s. WAN results based on source IP of the query -- not interface. this simplifies the UPnP forwards and the OVPN routing

---
 hosts/by-name/servo/net.nix | 7 +++++--
 hosts/by-name/servo/services/trust-dns.nix | 21 ++++++++++++++++++---
 modules/services/trust-dns.nix | 9 ++------
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/hosts/by-name/servo/net.nix b/hosts/by-name/servo/net.nix
index 9e9d433a..67103081 100644
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@@ -6,6 +6,9 @@
   sane.services.wan-ports.openFirewall = true;
   sane.services.wan-ports.openUpnp = true;
 
+  # view refused packets with: `sudo journalctl -k`
+  # networking.firewall.logRefusedPackets = true;
+
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
@@ -153,9 +156,9 @@
 
       # we also bridge DNS traffic
       ${in-ns} ${iptables} -A PREROUTING -t nat -p udp --dport 53 -m iprange --dst-range ${vpn-ip} \
-        -j DNAT --to-destination ${veth-host-ip}:1053
+        -j DNAT --to-destination ${veth-host-ip}
       ${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 53 -m iprange --dst-range ${vpn-ip} \
-        -j DNAT --to-destination ${veth-host-ip}:1053
+        -j DNAT --to-destination ${veth-host-ip}
 
       # in order to access DNS in this netns, we need to route it to the VPN's nameservers
       # - alternatively, we could fix DNS servers like 1.1.1.1.
diff --git a/hosts/by-name/servo/services/trust-dns.nix b/hosts/by-name/servo/services/trust-dns.nix
index d8592b14..aec5bb4b 100644
--- a/hosts/by-name/servo/services/trust-dns.nix
+++ b/hosts/by-name/servo/services/trust-dns.nix
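Review bot: Dropping the `:1053` port rewrite on the two DNAT lines means queries leaving the VPN netns now land on host port 53, and which view they receive is decided solely by the source-address rule in hosts/by-name/servo/services/trust-dns.nix (whether the netns's veth address falls inside 10.78.76.0-10.78.79.255) rather than by an explicit port; nothing on this side records that dependency. Before, 1053 named the WAN instance outright; if the veth address is outside the LAN range the outcome is the same WAN view, but a later renumbering of the veth subnet would silently switch the netns to LAN answers. I would add above the udp rule `# no port rewrite: the host's nixos-nat-pre rules pick the LAN vs. WAN view from the source address of the query` together with a line stating which view the veth address is expected to select. The script these rules live in starts and ends outside this hunk.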
@@ -78,9 +78,9 @@
         > ${zone-lan}
 
       # launch the different interfaces, separately
-      ${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/wan/ $@ &
+      ${pkgs.trust-dns}/bin/named --port 53 --zonedir ${zone-dir}/wan/ $@ &
       WANPID=$!
-      ${pkgs.trust-dns}/bin/named --zonedir ${zone-dir}/lan/ $@ &
+      ${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/lan/ $@ &
       LANPID=$!
 
       # wait until any of the processes exits, then kill them all and exit error
@@ -93,7 +93,22 @@
 
   sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
 
-  # for WAN visibility
+  networking.nat.enable = true;
+  networking.nat.extraCommands = ''
+    # redirect incoming DNS requests from LAN addresses
+    # to the LAN-specialized DNS service
+    # N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
+    # because they get cleanly reset across activations or `systemctl restart firewall`
+    # instead of accumulating cruft
+    iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
+      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+      -j DNAT --to-destination :1053
+    iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
+      -m iprange --src-range 10.78.76.0-10.78.79.255 \
+      -j DNAT --to-destination :1053
+  '';
+
+  # because the NAT above redirects in PREROUTING, LAN requests behave as though they arrived on the external interface at the redirected port
   networking.firewall.allowedUDPPorts = [ 1053 ];
   networking.firewall.allowedTCPPorts = [ 1053 ];
 }
diff --git a/modules/services/trust-dns.nix b/modules/services/trust-dns.nix
index 64b0a7d3..c4e8395d 100644
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
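Review bot: Both rewritten `named` lines pass `$@` unquoted, so any argument containing whitespace is re-split by the shell before it reaches the server; `${pkgs.trust-dns}/bin/named --port 53 --zonedir ${zone-dir}/wan/ "$@" &` (and the same on the 1053 line) forwards the arguments as received. Neither line restricts a listen address, so the LAN-view instance on 1053 listens wherever named binds by default, which is not visible here; the port swap by itself does not confine it to LAN-facing addresses. The shell script these lines belong to starts and ends outside the hunk.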
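Review bot: `networking.firewall.allowedUDPPorts = [ 1053 ]` and its TCP twin open the LAN-view instance on every interface, so a query that reaches port 1053 directly, without passing through the DNAT, is answered with LAN records wherever it came from — the leak the removed module TODO was guarding against. The redirected packets keep their arrival interface, so the opening can be limited to the LAN side, e.g. `networking.firewall.interfaces.<LAN_IFACE>.allowedUDPPorts = [ 1053 ];` plus the TCP equivalent (placeholder interface name), which keeps the split-horizon decision in the nat rules alone. The two `--src-range` rules carry no `-i` match either, so a packet arriving on the external interface with a source inside 10.78.76.0-10.78.79.255 would also be redirected; whether reverse-path filtering already discards such packets depends on `networking.firewall.checkReversePath`, which this hunk does not show. As a point of style, `-j DNAT --to-destination :1053` is a port-only rewrite for which `-j REDIRECT --to-ports 1053` states the intent more directly. The enclosing attribute set continues past the hunk.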
@@ -189,13 +189,8 @@ in
   config = mkIf cfg.enable {
     sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
 
-    # TODO: we need the UPnP port to map WAN 53 -> LAN 1053
-    # else we'll be giving LAN IPs to WAN requests.
-    # until then, manage forwards manually.
-    # sane.services.wan-ports.tcp = [ 53 ];
-    # sane.services.wan-ports.udp = [ 53 ];
-    networking.firewall.allowedUDPPorts = [ 53 ];
-    networking.firewall.allowedTCPPorts = [ 53 ];
+    sane.services.wan-ports.tcp = [ 53 ];
+    sane.services.wan-ports.udp = [ 53 ];
 
     systemd.services.trust-dns = {
       description = "trust-dns DNS server";
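Review bot: The two new `sane.services.wan-ports` lines make the module request an Internet-facing forward of port 53 unconditionally whenever `cfg.enable` is set, while the local `networking.firewall.allowedUDPPorts`/`allowedTCPPorts = [ 53 ]` openings are removed at the same time; a host that enables trust-dns without `sane.services.wan-ports.openFirewall` (set per host in net.nix, not in this module) ends up with 53 closed locally yet still advertised to the WAN. I would keep the local firewall openings in the module and gate the WAN forward behind a new boolean option defaulting to false, so exposure is an explicit per-host choice. The hunk also does not show whether the instance serving 53 is purely authoritative; since that port is now reachable from the Internet by design, a comment above the wan-ports lines such as `# port 53 is forwarded from the WAN: the instance behind it must stay authoritative-only (no recursion or forwarding)` records the constraint that keeps this from becoming an open resolver. The `config` attribute set continues outside the hunk.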