dns: rework so that we branch to the LAN vs. WAN results based on the source IP of the query -- not on the interface.
this simplifies the UPnP forwards and the OVPN routing
This commit is contained in:
parent
4dc5378b3e
commit
5cc7ced859
|
@ -6,6 +6,9 @@
|
||||||
sane.services.wan-ports.openFirewall = true;
|
sane.services.wan-ports.openFirewall = true;
|
||||||
sane.services.wan-ports.openUpnp = true;
|
sane.services.wan-ports.openUpnp = true;
|
||||||
|
|
||||||
|
# view refused packets with: `sudo journalctl -k`
|
||||||
|
# networking.firewall.logRefusedPackets = true;
|
||||||
|
|
||||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||||
# replicates the default behaviour.
|
# replicates the default behaviour.
|
||||||
|
@ -153,9 +156,9 @@
|
||||||
|
|
||||||
# we also bridge DNS traffic
|
# we also bridge DNS traffic
|
||||||
${in-ns} ${iptables} -A PREROUTING -t nat -p udp --dport 53 -m iprange --dst-range ${vpn-ip} \
|
${in-ns} ${iptables} -A PREROUTING -t nat -p udp --dport 53 -m iprange --dst-range ${vpn-ip} \
|
||||||
-j DNAT --to-destination ${veth-host-ip}:1053
|
-j DNAT --to-destination ${veth-host-ip}
|
||||||
${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 53 -m iprange --dst-range ${vpn-ip} \
|
${in-ns} ${iptables} -A PREROUTING -t nat -p tcp --dport 53 -m iprange --dst-range ${vpn-ip} \
|
||||||
-j DNAT --to-destination ${veth-host-ip}:1053
|
-j DNAT --to-destination ${veth-host-ip}
|
||||||
|
|
||||||
# in order to access DNS in this netns, we need to route it to the VPN's nameservers
|
# in order to access DNS in this netns, we need to route it to the VPN's nameservers
|
||||||
# - alternatively, we could fix DNS servers like 1.1.1.1.
|
# - alternatively, we could fix DNS servers like 1.1.1.1.
|
||||||
|
|
|
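Review bot: Dropping the `:1053` from the two DNAT targets means the namespace's DNS now lands on port 53 of `${veth-host-ip}`, so which zone view the netns receives is no longer fixed here but decided by the host-side source-IP nat rule, i.e. by whether the netns-side veth address falls inside the LAN range; nothing in this hunk says which outcome is intended, so a reader cannot tell if the VPN namespace is supposed to see LAN or WAN records. I would state that next to the rules: `# port 53 = WAN view; the host DNATs LAN-sourced queries to the LAN instance on 1053, so the view this netns gets depends on the veth subnet -- keep it out of (or in) the LAN range deliberately`. Please confirm the veth addressing against the host's `nixos-nat-pre` rule, since a veth address inside 10.78.76.0/22 would silently hand the VPN namespace the LAN zone. The shell string these rules live in starts and ends outside the hunk.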
@ -78,9 +78,9 @@
|
||||||
> ${zone-lan}
|
> ${zone-lan}
|
||||||
|
|
||||||
# launch the different interfaces, separately
|
# launch the different interfaces, separately
|
||||||
${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/wan/ $@ &
|
${pkgs.trust-dns}/bin/named --port 53 --zonedir ${zone-dir}/wan/ $@ &
|
||||||
WANPID=$!
|
WANPID=$!
|
||||||
${pkgs.trust-dns}/bin/named --zonedir ${zone-dir}/lan/ $@ &
|
${pkgs.trust-dns}/bin/named --port 1053 --zonedir ${zone-dir}/lan/ $@ &
|
||||||
LANPID=$!
|
LANPID=$!
|
||||||
|
|
||||||
# wait until any of the processes exits, then kill them all and exit error
|
# wait until any of the processes exits, then kill them all and exit error
|
||||||
|
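Review bot: Both `named` invocations pass `$@` unquoted, so any argument containing whitespace or glob characters is split or expanded before reaching trust-dns; the launcher should use `"$@"` on both lines, e.g. `${pkgs.trust-dns}/bin/named --port 53 --zonedir ${zone-dir}/wan/ "$@" &`. The port swap also encodes a contract the host's nat rules rely on (53 is the WAN zone, 1053 the LAN zone) that is only discoverable by reading the other module, so a comment above the two lines would help: `# port 53: WAN zone (the port UPnP forwards); port 1053: LAN zone, reached only via the host's source-IP DNAT`. Whether each instance binds to all addresses or just one is not visible here; if `named` listens on every interface, the LAN instance on 1053 is reachable by anything that can reach the host, which matters once 1053 is open in the firewall.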
@ -93,7 +93,22 @@
|
||||||
|
|
||||||
sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
|
sane.services.dyn-dns.restartOnChange = [ "trust-dns.service" ];
|
||||||
|
|
||||||
# for WAN visibility
|
networking.nat.enable = true;
|
||||||
|
networking.nat.extraCommands = ''
|
||||||
|
# redirect incoming DNS requests from LAN addresses
|
||||||
|
# to the LAN-specialized DNS service
|
||||||
|
# N.B.: use the `nixos-*` chains instead of e.g. PREROUTING
|
||||||
|
# because they get cleanly reset across activations or `systemctl restart firewall`
|
||||||
|
# instead of accumulating cruft
|
||||||
|
iptables -t nat -A nixos-nat-pre -p udp --dport 53 \
|
||||||
|
-m iprange --src-range 10.78.76.0-10.78.79.255 \
|
||||||
|
-j DNAT --to-destination :1053
|
||||||
|
iptables -t nat -A nixos-nat-pre -p tcp --dport 53 \
|
||||||
|
-m iprange --src-range 10.78.76.0-10.78.79.255 \
|
||||||
|
-j DNAT --to-destination :1053
|
||||||
|
'';
|
||||||
|
|
||||||
|
# because the NAT above redirects in PREROUTING, LAN requests behave as though they arrived on the external interface at the redirected port
|
||||||
networking.firewall.allowedUDPPorts = [ 1053 ];
|
networking.firewall.allowedUDPPorts = [ 1053 ];
|
||||||
networking.firewall.allowedTCPPorts = [ 1053 ];
|
networking.firewall.allowedTCPPorts = [ 1053 ];
|
||||||
}
|
}
|
||||||
|
|
|
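Review bot: With the redirect now keyed on source address, port 1053 only ever needs to accept LAN-sourced traffic, yet `allowedUDPPorts`/`allowedTCPPorts = [ 1053 ]` keep it open from every address and interface, so any non-LAN source that can reach the host (a VPN veth, a stray port mapping) can query 1053 directly and receive the LAN zone -- exactly the "LAN IPs to WAN requests" leak the old comment warned about. I would replace the two allow lists with filter rules restricted to the same range, e.g. in `networking.firewall.extraCommands`: `iptables -A nixos-fw -p udp --dport 1053 -s 10.78.76.0/22 -j nixos-fw-accept` and the matching `-p tcp` line. The new comment on the `allowed*Ports` lines is also slightly off: a PREROUTING DNAT rewrites the destination port but does not change the ingress interface, so per-interface allow lists would still see these packets on the LAN interface; it is the port, not the interface, that the filter stage sees differently. Minor style point: `-m iprange --src-range 10.78.76.0-10.78.79.255` is just `-s 10.78.76.0/22`, which is easier to audit. `# for WAN visibility` on `networking.nat.enable` is misleading as well, since NAT is enabled here to host the DNAT rules, not for masquerading -- unless that is configured elsewhere.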
@ -189,13 +189,8 @@ in
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
|
sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
|
||||||
|
|
||||||
# TODO: we need the UPnP port to map WAN 53 -> LAN 1053
|
sane.services.wan-ports.tcp = [ 53 ];
|
||||||
# else we'll be giving LAN IPs to WAN requests.
|
sane.services.wan-ports.udp = [ 53 ];
|
||||||
# until then, manage forwards manually.
|
|
||||||
# sane.services.wan-ports.tcp = [ 53 ];
|
|
||||||
# sane.services.wan-ports.udp = [ 53 ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
|
||||||
|
|
||||||
systemd.services.trust-dns = {
|
systemd.services.trust-dns = {
|
||||||
description = "trust-dns DNS server";
|
description = "trust-dns DNS server";
|
||||||
|
|
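Review bot: The new `sane.services.wan-ports.tcp/udp = [ 53 ]` requests a UPnP forward of port 53 straight to the trust-dns instance, and the comment explaining why that is now safe (the old `# else we'll be giving LAN IPs to WAN requests.`) is deleted rather than updated, so the next reader has to rediscover why forwarding 53 no longer exposes LAN records. I would keep a one-liner here: `# port 53 serves the WAN zone only; LAN clients are DNAT'd to the LAN instance on 1053 by the host's nat rules, so forwarding 53 does not leak LAN addresses`. Separately, this is the first time the server is directly Internet-reachable, and nothing in this hunk shows whether the WAN instance is authoritative-only; if trust-dns is configured with forwarding or recursion (not visible here), an open UDP/53 service is an amplification vector, so confirm recursion is off and consider a response-rate limit. Note that opening the firewall for 53 now depends on `openFirewall` in the host config rather than the removed `networking.firewall.allowed*Ports` lines, which is worth mentioning in the same comment.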