From f3729e05455787a58f3395af64791a27849279f6 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 26 Dec 2023 10:05:31 +0000 Subject: [PATCH] Add legacy/projects/hermes/README.md --- legacy/projects/hermes/README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 legacy/projects/hermes/README.md diff --git a/legacy/projects/hermes/README.md b/legacy/projects/hermes/README.md new file mode 100644 index 0000000..8bb0c05 --- /dev/null +++ b/legacy/projects/hermes/README.md 
@@ -0,0 +1,28 @@ +# Hermes + +Hermes is the virtual machine that performs DHCP and DNS on our DMZ network. +It also acts as a SSH certificate authority. + +The VM is provisioned using Terraform and configured using Ansible. + +## Motivation + +The VMs on our DMZ might like to contact eachother. +For example, one VM wants to clone a repository from the git server. +However, because our home network is NATed, a DNS lookup of these servers will result in our public IP address. +This will in general not work, because the public IP address is only assigned on the WAN port of the router. + +One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs. +However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security. +Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code. + +This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server. +Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses. +Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`). +Dnsmasq also overwrites the public IP address to `192.168.30.3` to solve the above problem. + +What is needed from the router: +- Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`). +- Static IPv6 addresses on the DMZ interface (`2a02:58:19a:f730::1/64`). +- DNS domain override for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to `192.18.30.7`. +- `unmanaged` (SLAAC) IPv6 router advertisements on the DMZ interface.
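Review bot: The router-side DNS override target `192.18.30.7` in the "What is needed from the router" list is inconsistent with the DMZ addressing stated a few lines earlier (`192.168.30.1/24` on the router interface and `192.168.30.3` as the address Dnsmasq rewrites to): `192.18.30.7` is outside that /24 and is not a private range, so if it is a typo for `192.168.30.7` the router would forward queries for `geokunis2.nl`, `pizzapim.nl`, `pim.kunis.nl` and `dmz` to a host it cannot reach, and the README would lead someone reproducing the setup into a broken or leaky forwarder configuration; please confirm the intended Hermes address and state it consistently. While at it, the same hunk has a few spelling fixes worth making: "eachother" should be "each other", "seperate" should be "separate", and "a SSH certificate authority" should be "an SSH certificate authority".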