For transparently proxying DNS traffic with the firewall-controller, we need to catch all DNS traffic arriving at firewall nodes.
We can achieve this with three changes to our nftables rule set:
DNAT to public address
Because the firewall-controller runs in the internet VRF, we need to DNAT DNS requests arriving at the private VRF to the public IP.