From f58b71e8d38393427dac89a89a78504194aed08d Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sat, 23 Dec 2023 00:49:02 +0000
Subject: [PATCH] nixos/britway: Use internal addresses for DNS

---
 nixos/boxes/britway/tailscale.nix | 14 +++++++++-----
 nixos/boxes/colony/vms/estuary/dns.nix | 2 +-
 nixos/boxes/home/routing-common/dns.nix | 2 +-
 nixos/boxes/home/routing-common/kea.nix | 2 +-
 nixos/boxes/home/routing-common/radvd.nix | 2 +-
 5 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/nixos/boxes/britway/tailscale.nix b/nixos/boxes/britway/tailscale.nix
index 15c4d76..fe071cd 100644
--- a/nixos/boxes/britway/tailscale.nix
+++ b/nixos/boxes/britway/tailscale.nix
@@ -49,15 +49,19 @@ in
 noise.private_key_path = "/var/lib/headscale/noise_private.key";
 ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
 dns_config = {
+ # Use IPs that will route inside the VPN to prevent interception
+ # (e.g. DNS rebinding filtering)
 restricted_nameservers = {
 "${domain}" = pubNameservers;
- "${lib.my.c.colony.domain}" = with allAssignments.estuary.internal; [
+ "${lib.my.c.colony.domain}" = with allAssignments.estuary.base; [
 ipv4.address ipv6.address
 ];
- "${lib.my.c.home.domain}" = lib.my.c.home.routersPubV4 ++ ([
- allAssignments.river.as211024.ipv6.address
- allAssignments.stream.as211024.ipv6.address
- ]);
+ "${lib.my.c.home.domain}" = with allAssignments; [
+ river.hi.ipv4.address
+ river.hi.ipv6.address
+ stream.hi.ipv4.address
+ stream.hi.ipv6.address
+ ];
 };
 magic_dns = true;
 base_domain = "ts.${pubDomain}";
diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index 090b351..f213a66 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -52,7 +52,7 @@ in
 allowFrom = [
 "127.0.0.0/8" "::1/128"
 prefixes.all.v4 prefixes.all.v6
- ];
+ ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
 };
 settings = {
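Review bot: The added comment sits above the whole `restricted_nameservers` set, but the `"${domain}" = pubNameservers;` entry directly beneath it still points at public nameservers, so the comment reads as if it applied to that entry as well. Move it directly above the `"${lib.my.c.colony.domain}"` entry, or reword it along the lines of `# Colony and home zones: use addresses that route inside the VPN so answers are not filtered or altered in transit (e.g. by upstream DNS rebinding protection)`. The two VPN-only entries also only work while the resolvers behind `allAssignments.estuary.base` and the `*.hi` addresses accept queries from the Tailscale prefixes; the `estuary/dns.nix` and `routing-common/dns.nix` hunks in this patch add those `allowFrom` entries, so a comment here saying that any resolver listed in this set needs the same ACL would save the next person a debugging session. The `dns_config` attribute set continues past the end of the hunk.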
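Review bot: The `allowFrom` extension on the `+` line, `] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);`, appends a second list through a `with` expression for just two values, which reads oddly next to the plain literal entries above it; the same construction appears in the `routing-common/dns.nix` hunk of this patch. Placing `lib.my.c.tailscale.prefix.v4 lib.my.c.tailscale.prefix.v6` inside the existing list keeps the ACL a single literal, which is easier to audit for who may query this resolver. A short comment above those two entries, `# Tailscale clients are sent here for the colony zone via headscale's restricted_nameservers`, would record why the VPN prefix is trusted. The enclosing attribute set starts before the hunk.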
diff --git a/nixos/boxes/home/routing-common/dns.nix b/nixos/boxes/home/routing-common/dns.nix
index b08cfff..d4a142d 100644
--- a/nixos/boxes/home/routing-common/dns.nix
+++ b/nixos/boxes/home/routing-common/dns.nix
@@ -42,7 +42,7 @@ in
 "127.0.0.0/8" "::1/128"
 prefixes.hi.v4 prefixes.hi.v6
 prefixes.lo.v4 prefixes.lo.v6
- ];
+ ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
 };
 settings = {
diff --git a/nixos/boxes/home/routing-common/kea.nix b/nixos/boxes/home/routing-common/kea.nix
index a92a4e7..fd5b896 100644
--- a/nixos/boxes/home/routing-common/kea.nix
+++ b/nixos/boxes/home/routing-common/kea.nix
@@ -55,7 +55,7 @@ in
 }
 {
 name = "domain-search";
- data = "${domain}, dyn.${domain}";
+ data = "${domain}, dyn.${domain}, ${lib.my.c.colony.domain}, ${lib.my.c.britway.domain}";
 always-send = true;
 }
 ];
diff --git a/nixos/boxes/home/routing-common/radvd.nix b/nixos/boxes/home/routing-common/radvd.nix
index 88dde3c..fe186b5 100644
--- a/nixos/boxes/home/routing-common/radvd.nix
+++ b/nixos/boxes/home/routing-common/radvd.nix
@@ -11,7 +11,7 @@ let
 AdvLinkMTU ${toString prefixes."${name}".mtu};
 prefix ${prefixes."${name}".v6} {};
 RDNSS ${net.cidr.host 1 prefixes."${name}".v6} ${net.cidr.host 2 prefixes."${name}".v6} {};
- DNSSL ${domain} dyn.${domain} {};
+ DNSSL ${domain} dyn.${domain} ${lib.my.c.colony.domain} ${lib.my.c.britway.domain} {};
 };
 '';
 in
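Review bot: The `domain-search` list on the `+ data = …` line of `kea.nix` now spells out the same four zones as the `DNSSL` line added to `radvd.nix` in this patch, in two different formats, so the DHCPv4 and RA search lists will drift apart the next time a zone is added. Both files live under `routing-common`; defining the list once, e.g. `searchDomains = [ domain "dyn.${domain}" lib.my.c.colony.domain lib.my.c.britway.domain ];`, and rendering it with `lib.concatStringsSep ", " searchDomains` here and `lib.concatStringsSep " " searchDomains` in `radvd.nix` keeps them identical. A comment on the order would also help, since clients generally try a single-label name in each search domain in sequence, so a hostname present in more than one of these zones resolves to whichever appears first. The surrounding option list in `kea.nix` starts and ends outside the hunk.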