Improve DNS configuration

Add an Unbound server that separates queries between those going to Consul
and those going elsewhere.  This keeps DNS working even if Consul fails for
some reason. It also lets us remove the secondary `nameserver` entry in
/etc/resolv.conf, thus fixing a bug where certain containers (Alpine-based
images?) were using the secondary resolver some of the time, making them
unable to resolve .consul hosts.
Alex 2022-08-30 15:52:42 +02:00
parent e81716e41e
commit 6ec9aad801
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE


@ -165,9 +165,46 @@ in
interface = cfg.network_interface; interface = cfg.network_interface;
}; };
# Configure Unbound DNS to redirect to Consul queries under .consul
# and to pass directly to public DNS resolver all others
services.unbound = {
enable = true;
settings = {
server = {
interface = [ "127.0.0.1" "${cfg.lan_ip}" ];
domain-insecure = [ "consul." ];
local-zone = [ "consul. nodefault" ];
log-servfail = true;
access-control = [
"127.0.0.0/8 allow"
"${cfg.lan_ip}/${toString cfg.lan_ip_prefix_length} allow"
"172.17.0.0/16 allow"
];
};
forward-zone = [
# Forward .consul queries to Consul daemon
{
name = "consul.";
forward-addr = "${cfg.lan_ip}@8600";
forward-no-cache = true;
forward-tcp-upstream = false;
forward-tls-upstream = false;
}
# Forward all queries to our ISP's nameserver
{
name = ".";
forward-addr = cfg.nameservers;
forward-first = true;
}
];
};
resolveLocalQueries = false; # don't overwrite our resolv.conf
};
# Reach Unbound through the IP of our LAN interface,
# instead of 127.0.0.1 (this will also work in Docker containers)
networking.nameservers = [ networking.nameservers = [
cfg.lan_ip cfg.lan_ip
] ++ cfg.nameservers; ];
# Configure Wireguard VPN between all nodes # Configure Wireguard VPN between all nodes
networking.wireguard.interfaces.wg0 = { networking.wireguard.interfaces.wg0 = {
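Review bot: `forward-first = true` on the `"."` forward-zone does more than the comment above it says: on a SERVFAIL from `cfg.nameservers` Unbound falls back to full recursion against the root servers on its own, so the ISP resolver is no longer the only upstream and outbound port-53 traffic to arbitrary hosts must be permitted for that fallback to do anything; whether that is the intended resilience or an unintended bypass of the upstream policy, state it, e.g. `# Forward all other queries to our ISP's nameserver; on SERVFAIL fall back to full recursion (forward-first)`. The `domain-insecure = [ "consul." ]` entry is load-bearing and deserves a why-comment such as `# .consul is unsigned and has no delegation from the root; without this, DNSSEC validation would treat Consul's answers as bogus` — this presumes the NixOS module's default root trust anchor is in effect, which the hunk does not show. The `172.17.0.0/16 allow` entry presumably covers only Docker's default bridge; containers on user-defined Docker networks (which default to 172.18.0.0/16 and up) would be refused, so if that scope is deliberate it is worth saying so next to the entry.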
@ -212,14 +249,11 @@ in
ports = { ports = {
http = -1; http = -1;
https = 8501; https = 8501;
dns = 53;
}; };
performance = { performance = {
rpc_hold_timeout = "70s"; rpc_hold_timeout = "70s";
}; };
recursors = [ cfg.nameservers ];
ca_file = "/var/lib/consul/pki/consul-ca.crt"; ca_file = "/var/lib/consul/pki/consul-ca.crt";
cert_file = "/var/lib/consul/pki/consul2022.crt"; cert_file = "/var/lib/consul/pki/consul2022.crt";
key_file = "/var/lib/consul/pki/consul2022.key"; key_file = "/var/lib/consul/pki/consul2022.key";