Closed kusold closed 2 years ago
That will work as long as you only have 1 network, but if you're managing multiple you'll need to bind it to all of them. For a quick start, it's easier to have it public.
We have considered, and made plans for, having a wrapper interface so that no calls have to be made publicly, but it was moved a bit lower on the roadmap.
As a workaround, CoreDNS recursive resolving could be disabled. This would work as long as the nodes are on Linux, since systemd-resolved is configured to only resolve domain names belonging to the network.
Still no implementation yet, but it should be in place by 1.0 (dependent on the Secure Server implementation).
DNS can now bind over private interfaces using port forwarding. In the docker compose, set the following:
MANAGE_IPTABLES: "on"
PORT_FORWARD_SERVICES: "dns"
DNS will then be reachable via the WireGuard IP of the netmaker server within each network.
I went through the Getting Started directions last night and they suggest exposing CoreDNS to the public. In my limited testing, I didn't see any downside to only exposing CoreDNS to the VPN. I added the COREDNS_IP to my Allowed IPs list for the server, and DNS resolution worked.
Are there other services that we can limit to just the VPN? I'd prefer to only have the required services be public.
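A quick way to verify on the server that CoreDNS really is reachable only over WireGuard after setting MANAGE_IPTABLES/PORT_FORWARD_SERVICES, added here as an example and not part of netmaker: it filters `ss -lntupH` output for port-53 listeners not bound to the WireGuard address. The sample socket listing and the WireGuard IP 10.101.0.1 are constructed for the example.

```shell
#!/bin/sh
# Added check, not netmaker code: print port-53 listeners that are NOT bound
# to the server's WireGuard address, i.e. DNS sockets reachable outside the network.
# Live usage: ss -lntupH | exposed_dns_binds <wireguard-ip>

exposed_dns_binds() {
  wg_ip="$1"
  awk -v wg="$wg_ip" '
    # Column 5 of `ss -lntupH` is Local Address:Port.
    $5 ~ /:53$/ {
      addr = $5
      sub(/:53$/, "", addr)          # strip the port; IPv6 brackets stay intact
      if (addr != wg) print $1, $5   # wildcard or public binds are exposed
    }'
}

# Constructed sample of `ss -lntupH` output; 10.101.0.1 is the assumed WireGuard IP.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("coredns",pid=1234,fd=8))
udp UNCONN 0 0 10.101.0.1:53 0.0.0.0:* users:(("coredns",pid=1234,fd=9))
tcp LISTEN 0 128 10.101.0.1:53 0.0.0.0:* users:(("coredns",pid=1234,fd=10))
tcp LISTEN 0 4096 [::]:53 [::]:* users:(("coredns",pid=1234,fd=11))
tcp LISTEN 0 4096 *:443 *:* users:(("caddy",pid=99,fd=3))'

# Number of exposed DNS binds in the sample for a given WireGuard IP;
# anything other than 0 means CoreDNS is still listening outside the VPN.
count_exposed() {
  printf '%s\n' "$SAMPLE_SS" | exposed_dns_binds "$1" | wc -l | tr -d ' '
}
```

In the sample, the 0.0.0.0:53 and [::]:53 sockets are the ones a public-facing host would answer on, so the count is 2 until they are removed.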