# Hermes

Hermes is the virtual machine that performs DHCP and DNS on our DMZ network.
It also acts as an SSH certificate authority.

The VM is provisioned using Terraform and configured using Ansible.

## Motivation

The VMs on our DMZ may need to contact each other.
For example, one VM wants to clone a repository from the git server.
However, because our home network is NATed, a DNS lookup of these servers will return our public IP address.
This will in general not work, because the public IP address is only assigned to the WAN port of the router.

One solution is to rewrite DNS answers on the router for queries from the DMZ that ask for these VMs.
However, the router then needs to operate on the DMZ VLAN, which is not ideal in terms of security.
Additionally, it would be nice to define the DNS in the DMZ as infrastructure as code.

This solution creates a separate VM on the DMZ that acts as the DNS and DHCP server.
Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses.
Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`).
Dnsmasq also overrides the public IP address with `192.168.30.3` to solve the above problem.

What is needed from the router:

- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`).
- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`).
- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`.
- `unmanaged` (SLAAC) IPv6 router advertisements on the DMZ interface.