DNmesS

By chimo on (updated on )

A post about the current state of my DNS infrastructure. Once again acting as a reminder of how my own things work, because I need to re-learn it every eight months or so when troubleshooting something.

To start with, a graph:


.dot source

The graph can be summarized as follows:

  • All DNS requests from the LAN go through the “unbound (ad-blocker)” container.
  • The “unbound (ad-blocker)” sends the non-blocked requests to an “unbound” service on the VPS over site-to-site VPN tunnel.
  • The VPS’s “unbound” service resolves (not forwards) the requests.

The main ideas behind this setup are twofold:

  1. Block ads
  2. Rely on as few third-parties I don’t control as possible (query the DNS roots – gotta trust someone at some point – not some intermediate like 8.8.8.8 or some such)

There's also the part about DNS within the "VPS" environment:

  • Requests to “lxc.chromic.org” are delegated to the Incus dnsmasq and resolve to the individual containers. This domain is not accessible outside the VPS.
  • Requests to “.home” are delegated to the “unbound ad-blocker” container on the LAN (via the site-to-site VPN tunnel).
  • All other requests are handled by a standalone “dnsmasq” which forwards the requests to the Linode DNS resolvers.

The "two dnsmasq instances" situation here is a result of... I don't know... time passing and things changing, I think. I'm pretty sure I had "dnsmasq" running for... something. After that, I started looking into LXC/LXD, which brought its own dnsmasq instance. Finally, I added unbound to integrate with home? Maybe?

So I think what I'd like to do there is get rid of the standalone dnsmasq and send those requests to unbound instead. One less process.

Then, I'd like to look into the possibility of moving unbound in a container. This means that this particular container will need a nic on the IPSec CIDR. Which is probably fine, I just need to take the time to look into that.

Something I'd also like to setup is domains for the different Incus instances I have on the LAN and delegate where appropriate. Something like:

  • xps.lxc.home
  • zer0-day.lxc.home
  • logic-b0mb.lxc.home (yes I have another Incus instance not pictured above…)

Before doing this, however, I'd like to cleanup and streamline all the different Incus clusters I have. They've all been setup at different points-in-time and are configured differently. For example, here's a snippet of `incus network list` from different clusters: 

  |   NAME   |   TYPE   | MANAGED |      IPV4       |
  | lxdbr0   |  bridge  |   YES   | 10.118.161.1/24 |
  | incusbr0 |  bridge  |   YES   | 10.0.4.1/24     |
  | lxcbr0   |  bridge  |   NO    |                 |
  | lxcbr0   |  bridge  |   NO    |                 |

We can see I have some things from the LXC-era, the LXD-era and the Incus-era. The names of the interfaces aren't the issue here, but they are an indication of things being configured differently over time (a more important column is the "MANAGED" one, for example).

Finally, I want to evaluate DNS-over-HTTPS (DoH) and look at DANE/DNSSEC again (which was the intention a long time ago, but I never got around to it.).