fix trust-dns to resolve when invoked from VPN
This commit is contained in:
parent
00d831e755
commit
6d7ff7ea86
|
@ -1,7 +1,9 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
bindForOvpn = "10.0.1.5";
|
bindLan = config.sane.hosts.by-name."servo".lan-ip;
|
||||||
|
bindHn = config.sane.hosts.by-name."servo".wg-home.ip;
|
||||||
|
bindOvpn = "10.0.1.5";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.trust-dns.enable = true;
|
services.trust-dns.enable = true;
|
||||||
|
@ -75,13 +77,37 @@ in
|
||||||
zone-lan = "${zone-dir}/lan/uninsane.org.zone";
|
zone-lan = "${zone-dir}/lan/uninsane.org.zone";
|
||||||
zone-hn = "${zone-dir}/hn/uninsane.org.zone";
|
zone-hn = "${zone-dir}/hn/uninsane.org.zone";
|
||||||
zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
|
zone-template = pkgs.writeText "uninsane.org.zone.in" config.sane.dns.zones."uninsane.org".rendered;
|
||||||
extra-config-hn = pkgs.writeText "hn-config.toml" ''
|
hn-resolver-config = pkgs.writeText "hn-resolver-config.toml" ''
|
||||||
|
# i host a resolver in the wireguard VPN so that clients can resolve DNS through the VPN.
|
||||||
|
# (that's what this file achieves).
|
||||||
|
#
|
||||||
|
# one would expect this resolver could host the authoritative zone for `uninsane.org`, and then forward everything else to the system resolver...
|
||||||
|
# and while that works for `dig`, it breaks for `nslookup` (and so `ssh`, etc).
|
||||||
|
#
|
||||||
|
# DNS responses include a flag for if the responding server is the authority of the zone queried.
|
||||||
|
# it seems that default Linux stub resolvers either:
|
||||||
|
# - expect DNSSEC when the response includes that bit, or
|
||||||
|
# - expect A records to be in the `answer` section instead of `additional` section.
|
||||||
|
# or perhaps something more nuanced. but for `nslookup` to be reliable, it has to talk to an
|
||||||
|
# instance of trust-dns which is strictly a resolver, with no authority.
|
||||||
|
# hence, this config: a resolver which forwards to the actual authority.
|
||||||
|
|
||||||
|
listen_addrs_ipv4 = ["${bindHn}"]
|
||||||
|
listen_addrs_ipv6 = []
|
||||||
|
|
||||||
|
[[zones]]
|
||||||
|
zone = "uninsane.org"
|
||||||
|
zone_type = "Forward"
|
||||||
|
stores = { type = "forward", name_servers = [{ socket_addr = "${bindHn}:1053", protocol = "udp", trust_nx_responses = true }] }
|
||||||
|
|
||||||
[[zones]]
|
[[zones]]
|
||||||
# forward the root zone to the local DNS resolver
|
# forward the root zone to the local DNS resolver
|
||||||
zone = "."
|
zone = "."
|
||||||
zone_type = "Forward"
|
zone_type = "Forward"
|
||||||
stores = { type = "forward", name_servers = [{ socket_addr = "127.0.0.53:53", protocol = "udp", trust_nx_responses = true }] }
|
stores = { type = "forward", name_servers = [{ socket_addr = "127.0.0.53:53", protocol = "udp", trust_nx_responses = true }] }
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# TODO: rework this shell script to be independent systemd services per trust-dns instance.
|
||||||
in pkgs.writeShellScriptBin "trust-dns" ''
|
in pkgs.writeShellScriptBin "trust-dns" ''
|
||||||
# intercept args meant for the real trust-dns, so i can modify them
|
# intercept args meant for the real trust-dns, so i can modify them
|
||||||
_arg__config="$1" # --config
|
_arg__config="$1" # --config
|
||||||
|
@ -92,9 +118,9 @@ in
|
||||||
# compute IP address of self for each interface
|
# compute IP address of self for each interface
|
||||||
mkdir -p ${zone-dir}/{wan,lan,hn}
|
mkdir -p ${zone-dir}/{wan,lan,hn}
|
||||||
wan=$(cat '${config.sane.services.dyn-dns.ipPath}')
|
wan=$(cat '${config.sane.services.dyn-dns.ipPath}')
|
||||||
lan=${config.sane.hosts.by-name."servo".lan-ip}
|
lan=${bindLan}
|
||||||
hn=${config.sane.hosts.by-name."servo".wg-home.ip}
|
hn=${bindHn}
|
||||||
lanAndOvpn='${config.sane.hosts.by-name."servo".lan-ip}", "${bindForOvpn}'
|
lanAndOvpn='${bindLan}", "${bindOvpn}'
|
||||||
|
|
||||||
# create specializations that resolve native.uninsane.org to different CNAMEs
|
# create specializations that resolve native.uninsane.org to different CNAMEs
|
||||||
${sed} \
|
${sed} \
|
||||||
|
@ -110,6 +136,7 @@ in
|
||||||
-e s/%CNAMENATIVE%/servo.lan/ \
|
-e s/%CNAMENATIVE%/servo.lan/ \
|
||||||
-e s/%ANATIVE%/$lan/ \
|
-e s/%ANATIVE%/$lan/ \
|
||||||
${zone-template} > ${zone-lan}
|
${zone-template} > ${zone-lan}
|
||||||
|
# to service LAN, listen only on the LAN
|
||||||
sed s/%LISTEN%/$lan/ $orig_config > ${zone-dir}/lan-config.toml
|
sed s/%LISTEN%/$lan/ $orig_config > ${zone-dir}/lan-config.toml
|
||||||
|
|
||||||
${sed} \
|
${sed} \
|
||||||
|
@ -117,8 +144,8 @@ in
|
||||||
-e s/%CNAMENATIVE%/servo.hn/ \
|
-e s/%CNAMENATIVE%/servo.hn/ \
|
||||||
-e s/%ANATIVE%/$hn/ \
|
-e s/%ANATIVE%/$hn/ \
|
||||||
${zone-template} > ${zone-hn}
|
${zone-template} > ${zone-hn}
|
||||||
cat "$orig_config" "${extra-config-hn}" \
|
# to service wireguard, listen only on hn
|
||||||
| ${sed} s/%LISTEN%/$hn/ > "${zone-dir}/hn-config.toml"
|
sed s/%LISTEN%/$hn/ $orig_config > ${zone-dir}/hn-config.toml
|
||||||
|
|
||||||
# launch the different interfaces, separately
|
# launch the different interfaces, separately
|
||||||
${pkgs.trust-dns}/bin/trust-dns \
|
${pkgs.trust-dns}/bin/trust-dns \
|
||||||
|
@ -131,16 +158,22 @@ in
|
||||||
"$@" &
|
"$@" &
|
||||||
LANPID=$!
|
LANPID=$!
|
||||||
|
|
||||||
|
ln -sf ${hn-resolver-config} ${zone-dir}/hn-resolver-config.toml
|
||||||
${pkgs.trust-dns}/bin/trust-dns \
|
${pkgs.trust-dns}/bin/trust-dns \
|
||||||
|
--config "${zone-dir}/hn-resolver-config.toml" \
|
||||||
|
"$@" &
|
||||||
|
HNRESOLVERPID=$!
|
||||||
|
|
||||||
|
${pkgs.trust-dns}/bin/trust-dns --port 1053 \
|
||||||
--zonedir "${zone-dir}/hn/" --config "${zone-dir}/hn-config.toml" \
|
--zonedir "${zone-dir}/hn/" --config "${zone-dir}/hn-config.toml" \
|
||||||
"$@" &
|
"$@" &
|
||||||
HNPID=$!
|
HNPID=$!
|
||||||
|
|
||||||
# wait until any of the processes exits, then kill them all and exit error
|
# wait until any of the processes exits, then kill them all and exit error
|
||||||
while kill -0 $WANPID $LANPID $HNPID; do
|
while kill -0 $WANPID $LANPID $HNRESOLVERPID $HNPID; do
|
||||||
sleep 5
|
sleep 5
|
||||||
done
|
done
|
||||||
kill $WANPID $LANPID $HNPID
|
kill $WANPID $LANPID $HNRESOLVERPID $HNPID
|
||||||
exit 1
|
exit 1
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user