update readme
parent 0ce4fda758
commit 83fee9bd9f
1 changed files with 11 additions and 3 deletions
14
README.md
|
@ -9,7 +9,15 @@ This will in general not work, because the public IP address is only assigned on
|
||||||
|
|
||||||
One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs.
|
One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs.
|
||||||
However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security.
|
However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security.
|
||||||
|
Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code.
|
||||||
|
|
||||||
This solution creates a seperate VM on the DMZ that acts as the DNS server.
|
This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server.
|
||||||
Dnsmasq checks whether a request is made for a DMZ server and forwards this to an NSD server.
|
Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames.
|
||||||
This NSD server pretends to be authoritative for these requests and returns their DMZ internal IP addresses.
|
Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`).
|
||||||
|
Dnsmasq also overwrites the public IP address to `192.168.30.3`.
|
||||||
|
|
||||||
|
What is needed from the router:
|
||||||
|
- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`).
|
||||||
|
- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`).
|
||||||
|
- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`.
|
||||||
|
- `unmanaged` IPv6 router advertisements on the DMZ interface.
|
||||||
|
|
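Review bot: In the added "What is needed from the router" list, the DNS domain override points to `192.18.30.7`, which lies outside the `192.168.30.1/24` DMZ network given in the first item and is not a private address. This looks like a typo for `192.168.30.7`; as written, a router configured from this README would send queries for these domains, including the internal `dmz` zone, to a host outside the DMZ. The text also does not say which machine holds `.7` as opposed to the `192.168.30.3` that Dnsmasq substitutes for the public IP address, so a line naming both hosts would help. For the `ra-names` sentence, it is worth stating that dnsmasq only derives the AAAA record when the host's SLAAC address is computed from its MAC address, so hosts using privacy extensions will not get one. The carried-over "seperate" can be corrected to "separate" while that line is being changed anyway.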