hosts/plover: improve DNS server configuration

2025-03-13 18:19:00 +00:00 · 2023-02-10 15:57:34 +08:00 · 2023-02-10 15:57:34 +08:00 · 7aca74924c
commit 7aca74924c
parent 0e16da4c45
2 changed files with 59 additions and 87 deletions
--- a/hosts/plover/config/coredns/foodogsquared.one.zone
+++ b/hosts/plover/config/coredns/foodogsquared.one.zone
@ -1,18 +1,18 @@
 ; This is trying to be discrete with certain information. This should be copied
 ; and replaced with more confidential information somewhere.
-
-; Take note we're not making the NS record type since it will be dynamically
-; queried by the DNS server.
 $TTL 2h
 $ORIGIN @domain@

-@	IN	SOA	@dnsSubdomain@.@domain@	@email@ (
-				2023020800	; serial number
-				3h		; refresh
+; Take note we're not making the NS record type since it will be dynamically
+; queried by the DNS server.
+@	IN	SOA	@dnsNameserver@ @dnsEmail@ (
+				2023021002	; serial number
+				2h		; refresh
 				15m		; update retry
 				3w		; expiry
 				3h		; nx = nxdomain ttl
-				)
+			)
+@dnsNameservers@

 ; Setting up the mail-related DNS entries.
 ; For future references, please the see the following document at
@ -21,12 +21,12 @@ $ORIGIN @domain@
 	IN	MX	10 mxext2.mailbox.org
 	IN	MX	20 mxext3.mailbox.org
 	IN	TXT	v=spf1 include:mailbox.org ~all
-_dmarc	IN	TXT	v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
-mbo0001._domainkey	IN	CNAME	mbo0001._domainkey.mailbox.org.
-mbo0002._domainkey	IN	CNAME	mbo0002._domainkey.mailbox.org.
-mbo0003._domainkey	IN	CNAME	mbo0003._domainkey.mailbox.org.
-mbo0004._domainkey	IN	CNAME	mbo0004._domainkey.mailbox.org.
-#mailboxSecurityKey#	IN	TXT	#mailboxSecurityKeyRecord#
+_dmarc.	IN	TXT	v=DMARC1;p=none;rua=mailto:postmaster@foodogsquared.one
+mbo0001._domainkey.	IN	CNAME	mbo0001._domainkey.mailbox.org.
+mbo0002._domainkey.	IN	CNAME	mbo0002._domainkey.mailbox.org.
+mbo0003._domainkey.	IN	CNAME	mbo0003._domainkey.mailbox.org.
+mbo0004._domainkey.	IN	CNAME	mbo0004._domainkey.mailbox.org.
+#mailboxSecurityKey#.	IN	TXT	#mailboxSecurityKeyRecord#

 ; My websites that are deployed by somewhere else.
@	IN	ALIAS	apex-loadbalancer.netlify.com.
@ -34,26 +34,26 @@ www	IN	CNAME	foodogsquared.netlify.app.
 wiki	IN	CNAME	foodogsquared-wiki.netlify.app.

 ; Public-facing services from this server.
-auth	IN	A	@publicIPv4@
-auth	IN	AAAA	@publicIPv6@
+auth.	IN	A	@publicIPv4@
+auth.	IN	AAAA	@publicIPv6@

-pass	IN	A	@publicIPv4@
-pass	IN	AAAA	@publicIPv6@
+pass.	IN	A	@publicIPv4@
+pass.	IN	AAAA	@publicIPv6@

-code	IN	A	@publicIPv4@
-code	IN	AAAA	@publicIPv6@
+code.	IN	A	@publicIPv4@
+code.	IN	AAAA	@publicIPv6@

 ; Other things.
-_github-pages-challenge-foo-dogsquared	IN	TXT	673febae1ea0095e76d1e02a7a1709
+_github-pages-challenge-foo-dogsquared.	IN	TXT	673febae1ea0095e76d1e02a7a1709

 ; Setting up SendGrid.
 ; This is for rewriting tracking links to my domain.
-url2871	IN	CNAME	sendgrid.net
-30339354	IN	CNAME	sendgrid.net
+url2871.	IN	CNAME	sendgrid.net
+30339354.	IN	CNAME	sendgrid.net

 ; This is for SendGrid sender authentication.
-em1172	IN	CNAME	u30339354.wl105.sendgrid.net
-s1._domainkey	IN	CNAME	s1.domainkey.u30339354.wl105.sendgrid.net
-s2._domainkey	IN	CNAME	s2.domainkey.u30339354.wl105.sendgrid.net
+em1172.	IN	CNAME	u30339354.wl105.sendgrid.net
+s1._domainkey.	IN	CNAME	s1.domainkey.u30339354.wl105.sendgrid.net
+s2._domainkey.	IN	CNAME	s2.domainkey.u30339354.wl105.sendgrid.net

 ; vim: expandtab! tabstop=8 shiftwidth=8 filetype=dns
--- a/hosts/plover/modules/services/coredns.nix
+++ b/hosts/plover/modules/services/coredns.nix
@ -11,25 +11,20 @@ let
  dnsSubdomain = "ns1";
  dnsDomainName = "${dnsSubdomain}.${domain}";
  certs = config.security.acme.certs;
-  dnsEmail = "hostmaster.${domain}";
-
-  # This is the part of the SOA record. You'll have to modify it here instead
-  # of modifying a zone file since it does not play well with a dynamically
-  # configured server it seems.
-  dnsSerialNumber = "2023020800";
-	dnsRefresh = "3h";
-	dnsUpdateRetry = "15m";
-	dnsExpiry = "3w";
-	dnsNxTTL = "3h";

  corednsServiceName = "coredns";

  domainZoneFile = pkgs.substituteAll {
    src = ../../config/coredns/${domain}.zone;
    inherit domain dnsSubdomain;
-    email = dnsEmail;
+    dnsEmail = "dns.hetzner.com.";
    publicIPv4 = interfaces.main'.IPv4.address;
    publicIPv6 = interfaces.main'.IPv6.address;
+    dnsNameserver = lib.head secondaryNameserverDomains;
+    dnsNameservers = lib.concatStringsSep "\n"
+      (lib.lists.map
+        (ns: "\tIN\tNS\t${ns}")
+        secondaryNameserverDomains);
  };

  secondaryNameserverDomains = lib.attrNames secondaryNameServers;
@ -91,78 +86,55 @@ in
    #
    # https://docs.hetzner.com/dns-console/dns/general/dnssec
    config = ''
-      (common) {
+      . {
        forward . /etc/resolv.conf
        log
-        cache
        errors
-      }

-      ${fqdn} {
-        import common
-
-        bind ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address}
-
-        local
-
-        acl {
-          allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
-          block
-        }
-
-        # We're just setting up a dummy SOA. If the authority section is
-        # missing, it will be considered invalid and might not play nice with
-        # the other things that rely on the DNS server so we'll play nice.
-        template ANY ANY {
-          authority "{{ .Zone }} IN SOA {{ .Zone }} ${dnsEmail} (1 60 60 60 60)"
-          fallthrough
-        }
-
-        template IN A {
-          answer "{{ .Zone }} IN 60 A ${interfaces.internal.IPv4.address}"
-          answer "{{ .Zone }} IN 60 A ${interfaces.internal.IPv4.address}"
-        }
-
-        template IN AAAA {
-          answer "{{ .Zone }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
-          answer "{{ .Zone }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
-        }
-      }
-
-      ${domain} {
-        import common
-
-        bind lo {
+        bind lo ${interfaces.internal.IPv4.address} ${interfaces.internal.IPv6.address} {
          # These are already taken from systemd-resolved.
          except 127.0.0.53 127.0.0.54
        }

-        acl {
+        acl ${domain} {
          # We're setting this up as a "hidden" primary server.
          allow type AXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
          allow type IXFR net ${lib.concatStringsSep " " secondaryNameServersIPs}
-          block type AXFR
-          block type IXFR
+
+          # Allowing this for debugging.
+          allow net 127.0.0.0/8 ::1
+
+          # Otherwise, it's just really a primary server that is hidden
+          # somewhere (or just very shy, whichever of the two).
+          block
        }

-        template IN NS {
-          ${lib.concatStringsSep "\n    "
-            (lib.lists.map
-              (ns: ''answer "{{ .Zone }} IN NS ${ns}"'')
-              secondaryNameserverDomains)}
+        transfer ${domain} {
+          to *
        }

        file ${domainZoneFile'}

-        transfer {
-          to *
+        # ${fqdn} DNS server blocks. This is an internal DNS server so we'll
+        # only allow queries from the internal network.
+        acl ${fqdn} {
+          allow net ${lib.concatStringsSep " " (clientNetworks ++ serverNetworks)}
+          allow net 127.0.0.0/8 ::1
+          block
+        }
+
+        template IN A ${fqdn} {
+          answer "{{ .Name }} IN 60 A ${interfaces.internal.IPv4.address}"
+        }
+
+        template IN AAAA ${fqdn} {
+          answer "{{ .Name }} IN 60 AAAA ${interfaces.internal.IPv6.address}"
        }
      }

-      tls://${domain} {
-        import common
-
+      tls://. {
        tls {$CREDENTIALS_DIRECTORY}/cert.pem {$CREDENTIALS_DIRECTORY}/key.pem {$CREDENTIALS_DIRECTORY}/fullchain.pem
+        forward . /etc/resolv.conf
      }
    '';
  };