monogon-dev / monogon

The Monogon Monorepo. May contain traces of peanuts and a ✨pure Go Linux userland✨. Work in progress!
https://monogon.tech
Apache License 2.0

metropolis: don't run DNS resolver on :53 #217

Closed q3k closed 1 year ago

q3k commented 1 year ago

Currently we're running CoreDNS on all interfaces, including the public one, and we serve all traffic there, including ANY google.com. This isn't great.

Either ACL this or, ideally, don't run it on the public interface.
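
The two mitigations proposed above (bind the resolver only to non-public addresses, and ACL the queries it does receive) can be expressed as a small, stdlib-only policy. The following is an added example, not Metropolis or CoreDNS code: the internal prefixes, the `BindAddresses` / `Allow` / `QueryType` functions and the constructed query packets are all assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// QTYPE 255 is ANY, the query type the issue calls out as served to the
// public; refusing it cuts off the cheapest amplification vector.
const qtypeANY = 255

// internalPrefixes is a constructed example of the ranges a node would treat
// as cluster-internal (assumption; a real node derives these from its config).
var internalPrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("fd00::/8"),
	netip.MustParsePrefix("127.0.0.0/8"),
}

func isInternal(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 like 10.0.0.1
	for _, p := range internalPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// BindAddresses filters interface addresses (CIDR strings as returned by
// net.Interface.Addrs) down to the ones the resolver may listen on. Public
// addresses are dropped, so no :53 listener exists on them at all and the ACL
// below is only a second line of defence.
func BindAddresses(cidrs []string) ([]netip.AddrPort, error) {
	var out []netip.AddrPort
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad interface address %q: %w", c, err)
		}
		if isInternal(p.Addr()) {
			out = append(out, netip.AddrPortFrom(p.Addr(), 53))
		}
	}
	return out, nil
}

// QueryType parses the first question of a raw DNS message and returns its
// QTYPE. Compression pointers are rejected: they never belong in a question.
func QueryType(msg []byte) (uint16, error) {
	const hdr = 12
	if len(msg) < hdr {
		return 0, errors.New("message shorter than header")
	}
	if binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return 0, errors.New("no question section")
	}
	i := hdr
	for {
		if i >= len(msg) {
			return 0, errors.New("truncated qname")
		}
		l := int(msg[i])
		if l&0xC0 != 0 {
			return 0, errors.New("compression pointer in question name")
		}
		i++
		if l == 0 {
			break
		}
		i += l
	}
	if i+4 > len(msg) {
		return 0, errors.New("truncated question")
	}
	return binary.BigEndian.Uint16(msg[i : i+2]), nil
}

// Allow is the ACL: answer only internal sources, and never ANY.
func Allow(src netip.AddrPort, msg []byte) (bool, string) {
	if !isInternal(src.Addr()) {
		return false, "source not in an internal prefix"
	}
	qt, err := QueryType(msg)
	if err != nil {
		return false, "malformed query: " + err.Error()
	}
	if qt == qtypeANY {
		return false, "ANY queries refused"
	}
	return true, ""
}

// BuildQuery constructs a minimal query packet (used here as sample input).
func BuildQuery(name string, qtype uint16) []byte {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:2], 0x1234) // ID
	msg[2] = 0x01                                 // RD set
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT
	for _, label := range strings.Split(name, ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root, QTYPE, IN
	return msg
}

func main() {
	ifaces, err := net.Interfaces()
	if err != nil {
		panic(err)
	}
	var cidrs []string
	for _, ifc := range ifaces {
		addrs, _ := ifc.Addrs()
		for _, a := range addrs {
			cidrs = append(cidrs, a.String())
		}
	}
	binds, _ := BindAddresses(cidrs)
	fmt.Println("resolver would listen on:", binds)
	ok, why := Allow(netip.MustParseAddrPort("203.0.113.9:4444"), BuildQuery("google.com", qtypeANY))
	fmt.Println("public ANY query allowed:", ok, why)
}
```

Binding to an explicit address list is the part that actually removes the exposure; the ACL only matters for traffic that already reached a listener, which is why the example does both rather than relying on the check alone.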

q3k commented 1 year ago

https://review.monogon.dev/c/monogon/+/1759

lorenz commented 1 year ago

This was mostly working, but sadly flaky. CoreDNS's reloads are broken and end up in a state where it no longer serves requests because the listener FDs got messed up. @fionera and I were trying to steal their plugins, which does somewhat work, but they expect data in contexts and some plugins are not properly reloadable themselves, so this is not a short-term solution. I decided to work around this by hardcoding the listeners for the time being.