Replaced coredns with Bind.

This commit is contained in:
Joseph Hanson 2023-05-06 11:53:26 -05:00
parent ebb7a44f65
commit 786724ae8d
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
12 changed files with 264 additions and 158 deletions

View file

@ -16,22 +16,37 @@ set container name cloudflare-ddns memory '0'
set container name cloudflare-ddns restart 'on-failure' set container name cloudflare-ddns restart 'on-failure'
set container name cloudflare-ddns shared-memory '0' set container name cloudflare-ddns shared-memory '0'
# coredns - main instance # # coredns - main instance
set container name coredns cap-add 'net-bind-service' # set container name coredns cap-add 'net-bind-service'
set container name coredns image 'docker.io/coredns/coredns:1.10.1' # set container name coredns image 'docker.io/coredns/coredns:1.10.1'
set container name coredns memory '0' # set container name coredns memory '0'
set container name coredns network services address '10.5.0.3' # set container name coredns network services address '10.5.0.3'
set container name coredns restart 'on-failure' # set container name coredns restart 'on-failure'
set container name coredns shared-memory '0' # set container name coredns shared-memory '0'
set container name coredns volume config destination '/config' # set container name coredns volume config destination '/config'
set container name coredns volume config source '/config/containers/coredns/config' # set container name coredns volume config source '/config/containers/coredns/config'
set container name coredns volume config mode 'ro' # set container name coredns volume config mode 'ro'
set container name coredns volume corefile destination '/Corefile' # set container name coredns volume corefile destination '/Corefile'
set container name coredns volume corefile source '/config/containers/coredns/config/Corefile' # set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
set container name coredns volume corefile mode 'ro' # set container name coredns volume corefile mode 'ro'
set container name coredns volume vyoshosts destination '/host/etc/hosts' # set container name coredns volume vyoshosts destination '/host/etc/hosts'
set container name coredns volume vyoshosts source '/etc/hosts' # set container name coredns volume vyoshosts source '/etc/hosts'
set container name coredns volume vyoshosts mode 'ro' # set container name coredns volume vyoshosts mode 'ro'
# bind
set container name bind cap-add 'net-bind-service'
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
set container name bind memory '0'
set container name bind network services address '10.5.0.3'
set container name bind restart 'on-failure'
set container name bind shared-memory '0'
set container name bind volume config source '/config/containers/bind/config'
set container name bind volume config destination '/etc/bind'
set container name bind volume config mode 'ro'
set container name bind volume cache source '/tmp/bind/cache'
set container name bind volume cache destination '/var/cache/bind'
set container name bind volume cache mode 'rw'
# dnsdist # dnsdist
set container name dnsdist cap-add 'net-bind-service' set container name dnsdist cap-add 'net-bind-service'
@ -41,8 +56,8 @@ set container name dnsdist memory '0'
set container name dnsdist network services address '10.5.0.4' set container name dnsdist network services address '10.5.0.4'
set container name dnsdist restart 'on-failure' set container name dnsdist restart 'on-failure'
set container name dnsdist shared-memory '0' set container name dnsdist shared-memory '0'
set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf' set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
set container name dnsdist volume config mode 'ro' set container name dnsdist volume config mode 'ro'
# haproxy-k8s-api # haproxy-k8s-api
@ -51,8 +66,8 @@ set container name haproxy-k8s-api memory '0'
set container name haproxy-k8s-api network services address '10.5.0.2' set container name haproxy-k8s-api network services address '10.5.0.2'
set container name haproxy-k8s-api restart 'on-failure' set container name haproxy-k8s-api restart 'on-failure'
set container name haproxy-k8s-api shared-memory '0' set container name haproxy-k8s-api shared-memory '0'
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg' set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
set container name haproxy-k8s-api volume config mode 'ro' set container name haproxy-k8s-api volume config mode 'ro'
# node-exporter # node-exporter
@ -64,15 +79,15 @@ set container name node-exporter memory '0'
set container name node-exporter network services address '10.5.0.7' set container name node-exporter network services address '10.5.0.7'
set container name node-exporter restart 'on-failure' set container name node-exporter restart 'on-failure'
set container name node-exporter shared-memory '0' set container name node-exporter shared-memory '0'
set container name node-exporter volume procfs source '/proc'
set container name node-exporter volume procfs destination '/host/proc' set container name node-exporter volume procfs destination '/host/proc'
set container name node-exporter volume procfs mode 'ro' set container name node-exporter volume procfs mode 'ro'
set container name node-exporter volume procfs source '/proc' set container name node-exporter volume rootfs source '/'
set container name node-exporter volume rootfs destination '/host/rootfs' set container name node-exporter volume rootfs destination '/host/rootfs'
set container name node-exporter volume rootfs mode 'ro' set container name node-exporter volume rootfs mode 'ro'
set container name node-exporter volume rootfs source '/' set container name node-exporter volume sysfs source '/sys'
set container name node-exporter volume sysfs destination '/host/sys' set container name node-exporter volume sysfs destination '/host/sys'
set container name node-exporter volume sysfs mode 'ro' set container name node-exporter volume sysfs mode 'ro'
set container name node-exporter volume sysfs source '/sys'
# speedtest-exporter # speedtest-exporter
set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.3' set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.3'
@ -118,8 +133,9 @@ set container name unifi memory '0'
set container name unifi network services address '10.5.0.10' set container name unifi network services address '10.5.0.10'
set container name unifi restart 'on-failure' set container name unifi restart 'on-failure'
set container name unifi shared-memory '0' set container name unifi shared-memory '0'
set container name unifi volume data destination '/unifi'
set container name unifi volume data source '/config/containers/unifi' set container name unifi volume data source '/config/containers/unifi'
set container name unifi volume data destination '/unifi'
set container name unifi volume data mode 'rw'
# onepassword-connect # onepassword-connect
set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0' set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'

View file

@ -1,8 +1,5 @@
#!/bin/vbash #!/bin/vbash
set service dhcp-server hostfile-update
set service dhcp-server host-decl-name
# Guest VLAN # Guest VLAN
set service dhcp-server shared-network-name GUEST authoritative set service dhcp-server shared-network-name GUEST authoritative
set service dhcp-server shared-network-name GUEST ping-check set service dhcp-server shared-network-name GUEST ping-check

View file

@ -1,40 +0,0 @@
# Gateway
set system static-host-mapping host-name gateway.jahanson.tech inet 10.1.0.1
set system static-host-mapping host-name gateway.jahanson.tech alias vpn.hsn.dev
set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.dev
# Unifi controller
set system static-host-mapping host-name unifi inet 10.5.0.10
# 1Password Connect
set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
# NAS
set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
set system static-host-mapping host-name elessar.jahanson.tech alias minio.hsn.dev
set system static-host-mapping host-name elessar.jahanson.tech alias s3.hsn.dev
# Home Assistant
set system static-host-mapping host-name homeassistant.jahanson.tech inet 10.1.1.13
# Kubernetes hosts
set system static-host-mapping host-name gandalf.jahanson.tech inet 10.1.1.31
set system static-host-mapping host-name glamdring.jahanson.tech inet 10.1.1.32
set system static-host-mapping host-name shadowfax.jahanson.tech inet 10.1.1.33
# Kubernetes cluster VIP
set system static-host-mapping host-name cluster-0.jahanson.tech inet 10.5.0.2
# Other hosts
set system static-host-mapping host-name sting.jahanson.tech inet 10.1.1.12
set system static-host-mapping host-name frodo.jahanson.tech inet 10.1.1.52
set system static-host-mapping host-name frodo.jahanson.tech alias pikvm.jahanson.tech
set system static-host-mapping host-name nextcloud.jahanson.tech inet 10.1.1.51
set system static-host-mapping host-name driveway-camera-doorbell.jahanson.tech inet 10.1.4.12
set system static-host-mapping host-name hallway-zigbee-adapter.jahanson.tech inet 10.1.3.46
set system static-host-mapping host-name garage-tablet.jahanson.tech inet 10.1.3.54
set system static-host-mapping host-name hallway-tablet.jahanson.tech inet 10.1.3.53
set system static-host-mapping host-name livingroom-vacuum.jahanson.tech inet 10.1.3.18
set system static-host-mapping host-name upstairs-vacuum.jahanson.tech inet 10.1.3.22

View file

@ -4,7 +4,7 @@
# Track certain files and directories # Track certain files and directories
!.gitignore !.gitignore
!/coredns/ !/bind/
!/dnsdist/ !/dnsdist/
!/haproxy/ !/haproxy/
!/unifi/ !/unifi/

View file

@ -6,9 +6,8 @@
!/config/ !/config/
/config/* /config/*
!/config/Corefile
!/config/custom-hosts
!/config-vyos/ !/config/named.conf
/config-vyos/* !/config/zones/
!/config-vyos/Corefile /config/zones/*
!/config/zones/db.*

View file

@ -0,0 +1,73 @@
# Only define the known VLAN subnets as trusted
acl "trusted" {
10.1.0.0/24; # LAN
10.1.1.0/24; # SERVERS
10.1.2.0/24; # TRUSTED
10.1.3.0/24; # IOT
10.1.4.0/24; # VIDEO
192.168.2.0/24; # GUEST
10.0.11.0/24; # WIREGUARD
10.5.0.0/24; # SERVICES
};
options {
directory "/var/cache/bind";
listen-on { 127.0.0.1; 10.5.0.3; };
allow-recursion {
trusted;
};
allow-transfer {
none;
};
allow-update {
none;
};
};
logging {
channel stdout {
stderr;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category security { stdout; };
category dnssec { stdout; };
category default { stdout; };
};
include "/etc/bind/rndc.key";
include "/etc/bind/externaldns.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
zone "unifi." {
type master;
file "/etc/bind/zones/db.unifi";
};
zone "jahanson.tech." {
type master;
file "/etc/bind/zones/db.jahanson.tech";
};
zone "hsn.dev." {
type master;
file "/etc/bind/zones/db.hsn.dev";
journal "/var/cache/bind/db.hsn.dev.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
};
zone "1.10.in-addr.arpa." {
type master;
file "/etc/bind/zones/db.1.10.in-addr.arpa";
};

View file

@ -0,0 +1,36 @@
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; SOA Records
$TTL 3600
$ORIGIN 1.10.in-addr.arpa.
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
1683235219 ; serial number (epoch timestamp)
7200 ; refresh period
3600 ; retry period
1209600 ; expire time
3600 ; minimum ttl
)
; NS Records
@ IN NS gateway.jahanson.tech.
; Reset origin
$ORIGIN in-addr.arpa.
; LAN
1.0.1.10 IN PTR gateway.jahanson.tech.
; Servers
11.1.1.10 IN PTR elessar.jahanson.tech.
31.1.1.10 IN PTR gandalf.jahanson.tech.
32.1.1.10 IN PTR glamdring.jahanson.tech.
33.1.1.10 IN PTR shadowfax.jahanson.tech.
51.1.1.10 IN PTR nextcloud.jahanson.tech.
52.1.1.10 IN PTR frodo.jahanson.tech.
; IOT
18.3.1.10 IN PTR livingroom-vacuum.jahanson.tech.
; Video
12.4.1.10 IN PTR driveway-camera.jahanson.tech.

View file

@ -0,0 +1,23 @@
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; SOA Records
$TTL 3600
$ORIGIN hsn.dev.
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
1683235219 ; serial number (epoch timestamp)
7200 ; refresh period
3600 ; retry period
1209600 ; expire time
3600 ; minimum ttl
)
; NS Records
@ IN NS gateway.jahanson.tech.
; Services
onepassword-connect IN A 10.5.0.5
; CNAME Records
s3 IN CNAME nas.jahanson.tech.
vpn IN CNAME gateway.jahanson.tech.

View file

@ -0,0 +1,41 @@
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; SOA Records
$TTL 3600
$ORIGIN jahanson.tech.
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
1683235219 ; serial number (epoch timestamp)
7200 ; refresh period
3600 ; retry period
1209600 ; expire time
3600 ; minimum ttl
)
; NS Records
@ IN NS gateway.jahanson.tech.
; LAN
gateway IN A 10.1.0.1
; Servers
elessar IN A 10.1.1.11
gandalf IN A 10.1.1.31
glamdring IN A 10.1.1.32
shadowfax IN A 10.1.1.33
nextcloud IN A 10.1.1.51
frodo IN A 10.1.1.52
; IOT
livingroom-vacuum IN A 10.1.3.18
; Video
driveway-camera l IN A 10.1.4.12
; Services
cluster-0 IN A 10.5.0.2
; CNAME records
nas IN CNAME elessar.jahanson.tech.
pikvm IN CNAME frodo.jahanson.tech.
s3 IN CNAME gateway.jahanson.tech.

View file

@ -0,0 +1,19 @@
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
; https://www.epochconverter.com/
; SOA Records
$TTL 3600
$ORIGIN unifi.
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
1683235219 ; serial number (epoch timestamp)
7200 ; refresh period
3600 ; retry period
1209600 ; expire time
3600 ; minimum ttl
)
; NS Records
@ IN NS gateway.jahanson.tech.
; CNAME Records
@ IN A 10.5.0.10

View file

@ -1,60 +0,0 @@
(common) {
errors
log error
reload
loadbalance
cache
loop
local
prometheus :9153
health {
lameduck 5s
}
}
(k8s_gateway) {
forward . 10.45.0.3:53
}
unifi {
import common
hosts /host/etc/hosts {
ttl 1
reload 5s
}
}
# Hack to prevent the gatway returning 127.0.0.1 from /etc/hosts
gateway.jahanson.tech {
import common
template IN A gateway.jahanson.tech {
answer "{{ .Name }} 60 IN A 10.1.0.1"
}
}
hsn.dev {
import common
hosts /host/etc/hosts {
ttl 1
reload 5s
fallthrough
}
import k8s_gateway
}
jahanson.tech {
import common
hosts /host/etc/hosts {
ttl 1
reload 5s
}
}
1.10.in-addr.arpa {
hosts /host/etc/hosts {
ttl 1
reload 5s
}
}

View file

@ -1,46 +1,47 @@
-- udp/tcp dns listening -- udp/tcp dns listening
setLocal("0.0.0.0:53", {}) setLocal("0.0.0.0:53", {})
-- Local CoreDNS -- Local Bind
newServer({ newServer({
address = "10.5.0.3", address = "10.5.0.3",
pool = "coredns" pool = "bind",
checkName = "gateway.jahanson.tech"
}) })
-- ControlD - Servers -- NextDNS - Servers
newServer({ newServer({
address = "76.76.2.22:443", address = "188.172.251.1:443",
tls = "openssl", tls = "openssl",
subjectName = "dns.controld.com", subjectName = "8d3cd7.dns.nextdns.io",
dohPath = "/14pk0z49y0u", dohPath = "/8d3cd7",
validateCertificates = true, validateCertificates = true,
checkInterval = 10, checkInterval = 10,
checkTimeout = 2000, checkTimeout = 2000,
pool = "controld_servers" pool = "nextdns_servers"
}) })
-- ControlD - Trusted -- NextDNS - Trusted
newServer({ newServer({
address = "76.76.2.22:443", address = "188.172.251.1:443",
tls = "openssl", tls = "openssl",
subjectName = "dns.controld.com", subjectName = "d79ecb.dns.nextdns.io",
dohPath = "/7l9xgidtyr", dohPath = "/d79ecb",
validateCertificates = true, validateCertificates = true,
checkInterval = 10, checkInterval = 10,
checkTimeout = 2000, checkTimeout = 2000,
pool = "controld_trusted" pool = "nextdns_trusted"
}) })
-- ControlD - IoT -- NextDNS - IoT
newServer({ newServer({
address = "76.76.2.22:443", address = "188.172.251.1:443",
tls = "openssl", tls = "openssl",
subjectName = "dns.controld.com", subjectName = "e29a3c.dns.nextdns.io",
dohPath = "/227g88d4fp5", dohPath = "/e29a3c",
validateCertificates = true, validateCertificates = true,
checkInterval = 10, checkInterval = 10,
checkTimeout = 2000, checkTimeout = 2000,
pool = "controld_iot" pool = "nextdns_iot"
}) })
-- CloudFlare DNS over TLS -- CloudFlare DNS over TLS
@ -78,14 +79,15 @@ getPool(""):setCache(pc)
-- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false)) -- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
-- Routing rules -- Routing rules
addAction('unifi', PoolAction('coredns'))
addAction('hsn.dev', PoolAction('coredns'))
addAction('jahanson.tech', PoolAction('coredns'))
addAction('1.10.in-addr.arpa', PoolAction('coredns'))
addAction("10.1.0.0/24", PoolAction("controld_servers")) -- lan
addAction("10.1.1.0/24", PoolAction("controld_servers")) -- servers vlan
addAction("10.1.2.0/24", PoolAction("controld_trusted")) -- trusted vlan
addAction("10.1.3.0/24", PoolAction("controld_iot")) -- iot vlan
addAction("10.0.11.0/24", PoolAction("controld_trusted")) -- wg_trusted vlan
addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
addAction("192.168.2.0/24", DropAction()) -- stop processing
addAction('unifi', PoolAction('bind'))
addAction('hsn.dev', PoolAction('bind'))
addAction('jahanson.tech', PoolAction('bind'))
addAction('1.10.in-addr.arpa', PoolAction('bind'))
addAction("10.1.0.0/24", PoolAction("nextdns_servers")) -- lan
addAction("10.1.1.0/24", PoolAction("nextdns_servers")) -- servers vlan
addAction("10.1.2.0/24", PoolAction("nextdns_trusted")) -- trusted vlan
addAction("10.1.3.0/24", PoolAction("nextdns_iot")) -- iot vlan
addAction("10.0.11.0/24", PoolAction("nextdns_trusted")) -- wg_trusted vlan