# dmz-dns-vm

Provisions a VM using libvirt which acts as the DNS server on our DMZ network.

The VMs on our DMZ might like to contact each other.
For example, one VM wants to clone a repository from the git server.
However, because our home network is NATed, a DNS lookup of these servers will result in our public IP address.
This will in general not work, because the public IP address is only assigned on the WAN port of the router.

One solution is to have the router override the DNS answers for queries from the DMZ that ask for these VMs.
However, the router then needs to operate on the DMZ VLAN, which is not ideal in terms of security.
Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code.

This solution creates a separate VM on the DMZ that acts as the DNS and DHCP server.
Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to the hostnames of the leases.
Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`).
Dnsmasq also overrides the public IP address with `192.168.30.3`.

What is needed from the router:

- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`).
- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`).
- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`.
- `unmanaged` IPv6 router advertisements on the DMZ interface.
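
Putting the Dnsmasq behaviour and the router-side addresses above together, this is what the VM's `dnsmasq.conf` could look like. It is an added example, not the repository's own configuration: the interface name `eth0`, the DHCPv4 pool and the lease time are assumptions, while the addresses, prefix and domains come from this README.

```ini
# dnsmasq.conf for the DMZ DNS/DHCP VM (added example; interface name,
# DHCPv4 pool and lease time are assumptions, addresses are from the README)
interface=eth0
bind-interfaces
domain-needed
bogus-priv

# Local zone: DHCP hostnames become <host>.dmz and queries for .dmz are
# answered locally, never forwarded upstream.
domain=dmz
local=/dmz/
expand-hosts

# DHCPv4 on 192.168.30.0/24; the router at .1 is the default gateway.
# The hostnames of these leases are what populate the DNS names above.
dhcp-range=192.168.30.100,192.168.30.200,12h
dhcp-option=option:router,192.168.30.1

# ra-names: for each IPv4 lease, derive the host's SLAAC address in the
# 2a02:58:19a:f730::/64 prefix, ping it, and publish an AAAA record on success.
# Hosts using IPv6 privacy extensions will not get an AAAA record this way.
dhcp-range=2a02:58:19a:f730::,ra-names

# Split horizon: answer queries for our public domains (and all their
# subdomains) with the DMZ address instead of the NATed public IP.
address=/geokunis2.nl/192.168.30.3
address=/pizzapim.nl/192.168.30.3
address=/pim.kunis.nl/192.168.30.3
```

Because `address=` matches subdomains as well, a single line per zone covers every host under it; add `log-queries` while testing to confirm that DMZ clients receive `192.168.30.3` rather than the public address.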