nixos/britway: Use internal addresses for DNS

nixos/boxes/britway/tailscale.nix

@@ -49,15 +49,19 @@ in
           noise.private_key_path = "/var/lib/headscale/noise_private.key";
           ip_prefixes = with lib.my.c.tailscale.prefix; [ v4 v6 ];
           dns_config = {
+            # Use IPs that will route inside the VPN to prevent interception
+            # (e.g. DNS rebinding filtering)
             restricted_nameservers = {
               "${domain}" = pubNameservers;
-              "${lib.my.c.colony.domain}" = with allAssignments.estuary.internal; [
+              "${lib.my.c.colony.domain}" = with allAssignments.estuary.base; [
                 ipv4.address ipv6.address
               ];
-              "${lib.my.c.home.domain}" = lib.my.c.home.routersPubV4 ++ ([
-                allAssignments.river.as211024.ipv6.address
-                allAssignments.stream.as211024.ipv6.address
-              ]);
+              "${lib.my.c.home.domain}" = with allAssignments; [
+                river.hi.ipv4.address
+                river.hi.ipv6.address
+                stream.hi.ipv4.address
+                stream.hi.ipv6.address
+              ];
             };
             magic_dns = true;
             base_domain = "ts.${pubDomain}";

nixos/boxes/colony/vms/estuary/dns.nix

@@ -52,7 +52,7 @@ in
           allowFrom = [
             "127.0.0.0/8" "::1/128"
             prefixes.all.v4 prefixes.all.v6
-          ];
+          ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
         };
 
         settings = {

nixos/boxes/home/routing-common/dns.nix

@@ -42,7 +42,7 @@ in
             "127.0.0.0/8" "::1/128"
             prefixes.hi.v4 prefixes.hi.v6
             prefixes.lo.v4 prefixes.lo.v6
-          ];
+          ] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
         };
 
         settings = {

nixos/boxes/home/routing-common/kea.nix

@@ -55,7 +55,7 @@ in
             }
             {
               name = "domain-search";
-              data = "${domain}, dyn.${domain}";
+              data = "${domain}, dyn.${domain}, ${lib.my.c.colony.domain}, ${lib.my.c.britway.domain}";
               always-send = true;
             }
           ];

nixos/boxes/home/routing-common/radvd.nix

@@ -11,7 +11,7 @@ let
       AdvLinkMTU ${toString prefixes."${name}".mtu};
       prefix ${prefixes."${name}".v6} {};
       RDNSS ${net.cidr.host 1 prefixes."${name}".v6} ${net.cidr.host 2 prefixes."${name}".v6} {};
-      DNSSL ${domain} dyn.${domain} {};
+      DNSSL ${domain} dyn.${domain} ${lib.my.c.colony.domain} ${lib.my.c.britway.domain} {};
      };
   '';
 in