Replaced coredns with Bind.

config-parts/container.sh

@@ -16,22 +16,37 @@ set container name cloudflare-ddns memory '0'
 set container name cloudflare-ddns restart 'on-failure'
 set container name cloudflare-ddns shared-memory '0'
 
-# coredns - main instance
+# # coredns - main instance
-set container name coredns cap-add 'net-bind-service'
+# set container name coredns cap-add 'net-bind-service'
-set container name coredns image 'docker.io/coredns/coredns:1.10.1'
+# set container name coredns image 'docker.io/coredns/coredns:1.10.1'
-set container name coredns memory '0'
+# set container name coredns memory '0'
-set container name coredns network services address '10.5.0.3'
+# set container name coredns network services address '10.5.0.3'
-set container name coredns restart 'on-failure'
+# set container name coredns restart 'on-failure'
-set container name coredns shared-memory '0'
+# set container name coredns shared-memory '0'
-set container name coredns volume config destination '/config'
+# set container name coredns volume config destination '/config'
-set container name coredns volume config source '/config/containers/coredns/config'
+# set container name coredns volume config source '/config/containers/coredns/config'
-set container name coredns volume config mode 'ro'
+# set container name coredns volume config mode 'ro'
-set container name coredns volume corefile destination '/Corefile'
+# set container name coredns volume corefile destination '/Corefile'
-set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
+# set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
-set container name coredns volume corefile mode 'ro'
+# set container name coredns volume corefile mode 'ro'
-set container name coredns volume vyoshosts destination '/host/etc/hosts'
+# set container name coredns volume vyoshosts destination '/host/etc/hosts'
-set container name coredns volume vyoshosts source '/etc/hosts'
+# set container name coredns volume vyoshosts source '/etc/hosts'
-set container name coredns volume vyoshosts mode 'ro'
+# set container name coredns volume vyoshosts mode 'ro'
+
+# bind
+set container name bind cap-add 'net-bind-service'
+set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
+set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
+set container name bind memory '0'
+set container name bind network services address '10.5.0.3'
+set container name bind restart 'on-failure'
+set container name bind shared-memory '0'
+set container name bind volume config source '/config/containers/bind/config'
+set container name bind volume config destination '/etc/bind'
+set container name bind volume config mode 'ro'
+set container name bind volume cache source '/tmp/bind/cache'
+set container name bind volume cache destination '/var/cache/bind'
+set container name bind volume cache mode 'rw'
 
 # dnsdist
 set container name dnsdist cap-add 'net-bind-service'
@@ -41,8 +56,8 @@ set container name dnsdist memory '0'
 set container name dnsdist network services address '10.5.0.4'
 set container name dnsdist restart 'on-failure'
 set container name dnsdist shared-memory '0'
-set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
 set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
+set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
 set container name dnsdist volume config mode 'ro'
 
 # haproxy-k8s-api
@@ -51,8 +66,8 @@ set container name haproxy-k8s-api memory '0'
 set container name haproxy-k8s-api network services address '10.5.0.2'
 set container name haproxy-k8s-api restart 'on-failure'
 set container name haproxy-k8s-api shared-memory '0'
-set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
 set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
+set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
 set container name haproxy-k8s-api volume config mode 'ro'
 
 # node-exporter
@@ -64,15 +79,15 @@ set container name node-exporter memory '0'
 set container name node-exporter network services address '10.5.0.7'
 set container name node-exporter restart 'on-failure'
 set container name node-exporter shared-memory '0'
+set container name node-exporter volume procfs source '/proc'
 set container name node-exporter volume procfs destination '/host/proc'
 set container name node-exporter volume procfs mode 'ro'
-set container name node-exporter volume procfs source '/proc'
+set container name node-exporter volume rootfs source '/'
 set container name node-exporter volume rootfs destination '/host/rootfs'
 set container name node-exporter volume rootfs mode 'ro'
-set container name node-exporter volume rootfs source '/'
+set container name node-exporter volume sysfs source '/sys'
 set container name node-exporter volume sysfs destination '/host/sys'
 set container name node-exporter volume sysfs mode 'ro'
-set container name node-exporter volume sysfs source '/sys'
 
 # speedtest-exporter
 set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.3'
@@ -118,8 +133,9 @@ set container name unifi memory '0'
 set container name unifi network services address '10.5.0.10'
 set container name unifi restart 'on-failure'
 set container name unifi shared-memory '0'
-set container name unifi volume data destination '/unifi'
 set container name unifi volume data source '/config/containers/unifi'
+set container name unifi volume data destination '/unifi'
+set container name unifi volume data mode 'rw'
 
 # onepassword-connect
 set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'

config-parts/service-dhcp_server.sh

@@ -1,8 +1,5 @@
 #!/bin/vbash
 
-set service dhcp-server hostfile-update
-set service dhcp-server host-decl-name
-
 # Guest VLAN
 set service dhcp-server shared-network-name GUEST authoritative
 set service dhcp-server shared-network-name GUEST ping-check

config-parts/system-static_host_mapping.sh

@@ -1,40 +0,0 @@
-# Gateway
-set system static-host-mapping host-name gateway.jahanson.tech inet 10.1.0.1
-set system static-host-mapping host-name gateway.jahanson.tech alias vpn.hsn.dev
-set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.dev
-
-# Unifi controller
-set system static-host-mapping host-name unifi inet 10.5.0.10
-
-# 1Password Connect
-set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
-
-# NAS
-set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
-set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
-set system static-host-mapping host-name elessar.jahanson.tech alias minio.hsn.dev
-set system static-host-mapping host-name elessar.jahanson.tech alias s3.hsn.dev
-
-# Home Assistant
-set system static-host-mapping host-name homeassistant.jahanson.tech inet 10.1.1.13
-
-# Kubernetes hosts
-set system static-host-mapping host-name gandalf.jahanson.tech inet 10.1.1.31
-set system static-host-mapping host-name glamdring.jahanson.tech inet 10.1.1.32
-set system static-host-mapping host-name shadowfax.jahanson.tech inet 10.1.1.33
-
-# Kubernetes cluster VIP
-set system static-host-mapping host-name cluster-0.jahanson.tech inet 10.5.0.2
-
-# Other hosts
-set system static-host-mapping host-name sting.jahanson.tech inet 10.1.1.12
-set system static-host-mapping host-name frodo.jahanson.tech inet 10.1.1.52
-set system static-host-mapping host-name frodo.jahanson.tech alias pikvm.jahanson.tech
-set system static-host-mapping host-name nextcloud.jahanson.tech inet 10.1.1.51
-
-set system static-host-mapping host-name driveway-camera-doorbell.jahanson.tech inet 10.1.4.12
-set system static-host-mapping host-name hallway-zigbee-adapter.jahanson.tech inet 10.1.3.46
-set system static-host-mapping host-name garage-tablet.jahanson.tech inet 10.1.3.54
-set system static-host-mapping host-name hallway-tablet.jahanson.tech inet 10.1.3.53
-set system static-host-mapping host-name livingroom-vacuum.jahanson.tech inet 10.1.3.18
-set system static-host-mapping host-name upstairs-vacuum.jahanson.tech inet 10.1.3.22

containers/.gitignore

@@ -4,7 +4,7 @@
 # Track certain files and directories
 !.gitignore
 
-!/coredns/
+!/bind/
 !/dnsdist/
 !/haproxy/
 !/unifi/

containers/bind/.gitignore

@@ -6,9 +6,8 @@
 
 !/config/
 /config/*
-!/config/Corefile
-!/config/custom-hosts
 
-!/config-vyos/
+!/config/named.conf
-/config-vyos/*
+!/config/zones/
-!/config-vyos/Corefile
+/config/zones/*
+!/config/zones/db.*

containers/bind/config/named.conf

@@ -0,0 +1,73 @@
+# Only define the known VLAN subnets as trusted
+acl "trusted" {
+  10.1.0.0/24;    # LAN
+  10.1.1.0/24;    # SERVERS
+  10.1.2.0/24;    # TRUSTED
+  10.1.3.0/24;    # IOT
+  10.1.4.0/24;    # VIDEO
+  192.168.2.0/24; # GUEST
+  10.0.11.0/24;   # WIREGUARD
+  10.5.0.0/24;    # SERVICES
+};
+
+options {
+  directory "/var/cache/bind";
+  listen-on { 127.0.0.1; 10.5.0.3; };
+
+  allow-recursion {
+    trusted;
+  };
+  allow-transfer {
+    none;
+  };
+  allow-update {
+    none;
+  };
+};
+
+logging {
+  channel stdout {
+    stderr;
+    severity info;
+    print-category yes;
+    print-severity yes;
+    print-time yes;
+  };
+  category security { stdout; };
+  category dnssec   { stdout; };
+  category default  { stdout; };
+};
+
+include "/etc/bind/rndc.key";
+include "/etc/bind/externaldns.key";
+
+controls {
+  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
+};
+
+zone "unifi." {
+  type master;
+  file "/etc/bind/zones/db.unifi";
+};
+
+zone "jahanson.tech." {
+  type master;
+  file "/etc/bind/zones/db.jahanson.tech";
+};
+
+zone "hsn.dev." {
+  type master;
+  file "/etc/bind/zones/db.hsn.dev";
+  journal "/var/cache/bind/db.hsn.dev.jnl";
+  allow-transfer {
+    key "externaldns";
+  };
+  update-policy {
+    grant externaldns zonesub ANY;
+  };
+};
+
+zone "1.10.in-addr.arpa." {
+  type master;
+  file "/etc/bind/zones/db.1.10.in-addr.arpa";
+};

containers/bind/config/zones/db.1.10.in-addr.arpa

@@ -0,0 +1,36 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN 1.10.in-addr.arpa.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+  1683235219         ; serial number (epoch timestamp)
+  7200               ; refresh period
+  3600               ; retry period
+  1209600            ; expire time
+  3600               ; minimum ttl
+)
+
+; NS Records
+@                          IN  NS gateway.jahanson.tech.
+
+; Reset origin
+$ORIGIN in-addr.arpa.
+
+; LAN
+1.0.1.10                   IN  PTR  gateway.jahanson.tech.
+
+; Servers
+11.1.1.10                  IN  PTR  elessar.jahanson.tech.
+31.1.1.10                  IN  PTR  gandalf.jahanson.tech.
+32.1.1.10                  IN  PTR  glamdring.jahanson.tech.
+33.1.1.10                  IN  PTR  shadowfax.jahanson.tech.
+51.1.1.10                  IN  PTR  nextcloud.jahanson.tech.
+52.1.1.10                  IN  PTR  frodo.jahanson.tech.
+
+; IOT
+18.3.1.10                  IN  PTR  livingroom-vacuum.jahanson.tech.
+
+; Video
+12.4.1.10                  IN  PTR  driveway-camera.jahanson.tech.

containers/bind/config/zones/db.hsn.dev

@@ -0,0 +1,23 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN hsn.dev.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+  1683235219         ; serial number (epoch timestamp)
+  7200               ; refresh period
+  3600               ; retry period
+  1209600            ; expire time
+  3600               ; minimum ttl
+)
+
+; NS Records
+@                          IN  NS gateway.jahanson.tech.
+
+; Services
+onepassword-connect        IN  A 10.5.0.5
+
+; CNAME Records
+s3                         IN  CNAME nas.jahanson.tech.
+vpn                        IN  CNAME gateway.jahanson.tech.

containers/bind/config/zones/db.jahanson.tech

@@ -0,0 +1,41 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN jahanson.tech.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+  1683235219         ; serial number (epoch timestamp)
+  7200               ; refresh period
+  3600               ; retry period
+  1209600            ; expire time
+  3600               ; minimum ttl
+)
+
+; NS Records
+@                          IN  NS gateway.jahanson.tech.
+
+; LAN
+gateway                    IN  A  10.1.0.1
+
+; Servers
+elessar                    IN  A  10.1.1.11
+gandalf                    IN  A  10.1.1.31
+glamdring                  IN  A  10.1.1.32
+shadowfax                  IN  A  10.1.1.33
+nextcloud                  IN  A  10.1.1.51
+frodo                      IN  A  10.1.1.52
+
+; IOT
+livingroom-vacuum          IN  A  10.1.3.18
+
+; Video
+driveway-camera        l   IN  A  10.1.4.12
+
+; Services
+cluster-0                  IN  A  10.5.0.2
+
+; CNAME records
+nas                        IN  CNAME  elessar.jahanson.tech.
+pikvm                      IN  CNAME  frodo.jahanson.tech.
+s3                         IN  CNAME  gateway.jahanson.tech.

containers/bind/config/zones/db.unifi

@@ -0,0 +1,19 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN unifi.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+  1683235219         ; serial number (epoch timestamp)
+  7200               ; refresh period
+  3600               ; retry period
+  1209600            ; expire time
+  3600               ; minimum ttl
+)
+
+; NS Records
+@                          IN  NS gateway.jahanson.tech.
+
+; CNAME Records
+@                          IN  A  10.5.0.10

containers/coredns/config/Corefile

@@ -1,60 +0,0 @@
-(common) {
-  errors
-  log error
-  reload
-  loadbalance
-  cache
-  loop
-  local
-
-  prometheus :9153
-
-  health {
-    lameduck 5s
-  }
-}
-
-(k8s_gateway) {
-  forward . 10.45.0.3:53
-}
-
-unifi {
-  import common
-  hosts /host/etc/hosts {
-    ttl 1
-    reload 5s
-  }
-}
-
-# Hack to prevent the gatway returning 127.0.0.1 from /etc/hosts
-gateway.jahanson.tech {
-  import common
-  template IN A gateway.jahanson.tech {
-    answer "{{ .Name }} 60 IN A 10.1.0.1"
-  }
-}
-
-hsn.dev {
-  import common
-  hosts /host/etc/hosts {
-    ttl 1
-    reload 5s
-    fallthrough
-  }
-  import k8s_gateway
-}
-
-jahanson.tech {
-  import common
-  hosts /host/etc/hosts {
-    ttl 1
-    reload 5s
-  }
-}
-
-1.10.in-addr.arpa {
-  hosts /host/etc/hosts {
-    ttl 1
-    reload 5s
-  }
-}

containers/dnsdist/config/dnsdist.conf

@@ -1,46 +1,47 @@
 -- udp/tcp dns listening
 setLocal("0.0.0.0:53", {})
 
--- Local CoreDNS
+-- Local Bind
 newServer({
   address = "10.5.0.3",
-  pool = "coredns"
+  pool = "bind",
+  checkName = "gateway.jahanson.tech"
 })
 
--- ControlD - Servers
+-- NextDNS - Servers
 newServer({
-  address = "76.76.2.22:443",
+  address = "188.172.251.1:443",
   tls = "openssl",
-  subjectName = "dns.controld.com",
+  subjectName = "8d3cd7.dns.nextdns.io",
-  dohPath = "/14pk0z49y0u",
+  dohPath = "/8d3cd7",
   validateCertificates = true,
   checkInterval = 10,
   checkTimeout = 2000,
-  pool = "controld_servers"
+  pool = "nextdns_servers"
 })
 
--- ControlD - Trusted
+-- NextDNS - Trusted
 newServer({
-  address = "76.76.2.22:443",
+  address = "188.172.251.1:443",
   tls = "openssl",
-  subjectName = "dns.controld.com",
+  subjectName = "d79ecb.dns.nextdns.io",
-  dohPath = "/7l9xgidtyr",
+  dohPath = "/d79ecb",
   validateCertificates = true,
   checkInterval = 10,
   checkTimeout = 2000,
-  pool = "controld_trusted"
+  pool = "nextdns_trusted"
 })
 
--- ControlD - IoT
+-- NextDNS - IoT
 newServer({
-  address = "76.76.2.22:443",
+  address = "188.172.251.1:443",
   tls = "openssl",
-  subjectName = "dns.controld.com",
+  subjectName = "e29a3c.dns.nextdns.io",
-  dohPath = "/227g88d4fp5",
+  dohPath = "/e29a3c",
   validateCertificates = true,
   checkInterval = 10,
   checkTimeout = 2000,
-  pool = "controld_iot"
+  pool = "nextdns_iot"
 })
 
 -- CloudFlare DNS over TLS
@@ -78,14 +79,15 @@ getPool(""):setCache(pc)
 -- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
 
 -- Routing rules
-addAction('unifi', PoolAction('coredns'))
-addAction('hsn.dev', PoolAction('coredns'))
-addAction('jahanson.tech', PoolAction('coredns'))
-addAction('1.10.in-addr.arpa', PoolAction('coredns'))
-
-addAction("10.1.0.0/24", PoolAction("controld_servers"))  -- lan
-addAction("10.1.1.0/24", PoolAction("controld_servers"))  -- servers vlan
-addAction("10.1.2.0/24", PoolAction("controld_trusted"))  -- trusted vlan
-addAction("10.1.3.0/24", PoolAction("controld_iot"))      -- iot vlan
-addAction("10.0.11.0/24", PoolAction("controld_trusted")) -- wg_trusted vlan
 addAction("192.168.2.0/24", PoolAction("cloudflare"))     -- guest vlan
+addAction("192.168.2.0/24", DropAction())                 -- stop processing
+addAction('unifi', PoolAction('bind'))
+addAction('hsn.dev', PoolAction('bind'))
+addAction('jahanson.tech', PoolAction('bind'))
+addAction('1.10.in-addr.arpa', PoolAction('bind'))
+
+addAction("10.1.0.0/24", PoolAction("nextdns_servers"))  -- lan
+addAction("10.1.1.0/24", PoolAction("nextdns_servers"))  -- servers vlan
+addAction("10.1.2.0/24", PoolAction("nextdns_trusted"))  -- trusted vlan
+addAction("10.1.3.0/24", PoolAction("nextdns_iot"))      -- iot vlan
+addAction("10.0.11.0/24", PoolAction("nextdns_trusted")) -- wg_trusted vlan