From 83fee9bd9fa6fc9cb0ecf86fb8e595ef8aec327a Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Mon, 13 Mar 2023 09:36:04 +0100 Subject: [PATCH] update readme --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9d007e7..f015bfa 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,15 @@ This will in general not work, because the public IP address is only assigned on One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs. However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security. +Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code. -This solution creates a seperate VM on the DMZ that acts as the DNS server. -Dnsmasq checks whether a request is made for a DMZ server and forwards this to an NSD server. -This NSD server pretends to be authoritative for these requests and returns their DMZ internal IP addresses. +This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server. +Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames. +Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`). +Dnsmasq also overwrites the public IP address to `192.168.30.3`. + +What is needed from the router: +- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`). +- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`). +- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`. +- `unmanaged` IPv6 router advertisements on the DMZ interface.
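Review bot: In the "What is needed from the router" list, the DNS domain override points to `192.18.30.7`, which is outside the DMZ subnet `192.168.30.1/24` given in the first bullet of the same list. If the DNS VM sits on the DMZ, this is probably meant to be `192.168.30.7`; as written, the router would send queries for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to an address off the DMZ, so please confirm the value. Two smaller points in the same hunk: the line "Dnsmasq also overwrites the public IP address to `192.168.30.3`" does not say which names are rewritten or which host `192.168.30.3` is, and the rewritten first line still carries the spelling "seperate" (separate). Since the `ra-names` line says Dnsmasq "tries to match" SLAAC addresses, the README should also state what happens for hosts where no match is found, so readers know an AAAA record is not guaranteed.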