r-raymond / nixos-mailserver

A complete and Simple Nixos Mailserver
GNU General Public License v3.0

Own DNS fails due to kresd being enabled. #100

Open infinisil opened 6 years ago

infinisil commented 6 years ago

SNM Version: v2.1.3

Nixos Version: unstable

Relevant part of the config to reproduce:

{
  mailserver.enable = true;
  services.bind.enable = true;
}

What I expected to happen:

Have SNM running and my own bind config with my zones working

What happened:

SNM enables its own DNS (kresd), leading to two processes wanting to listen on UDP port 53, one of them bound to fail, in my case bind, so my DNS broke.

This isn't a big deal for me since I use my server for myself pretty much exclusively. But for people with an important DNS this could be really bad.

Relevant journald log (journalctl -u bind):

Mar 10 12:59:38 paul named[2078]: listening on IPv6 interfaces, port 53
Mar 10 12:59:38 paul named[2078]: binding TCP socket: address in use
Mar 10 12:59:38 paul named[2078]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 10 12:59:38 paul named[2078]: binding TCP socket: address in use

Solution proposal

IMO the best way to prevent this is to set localDnsResolver's default so that it's only true when no other DNS service is already enabled.

Another possibility is to add an assertion that checks that only one is enabled.
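Both proposals above, sketched as a NixOS module fragment. This is an added example, not code from nixos-mailserver itself; it assumes the module option is named mailserver.localDnsResolver as in the issue, that kresd is enabled through services.kresd, and that bind, unbound and dnsmasq are the "other DNS services" worth checking (extend the list as needed).

```nix
{ config, lib, ... }:

let
  cfg = config.mailserver;

  # Other NixOS services that also bind port 53 (assumed list; extend as needed).
  otherDnsEnabled =
    config.services.bind.enable
    || config.services.unbound.enable
    || config.services.dnsmasq.enable;
in
{
  options.mailserver.localDnsResolver = lib.mkOption {
    type = lib.types.bool;
    # Proposal 1: only default to running kresd when nothing else owns port 53.
    default = !otherDnsEnabled;
    defaultText = "true unless another DNS server (bind/unbound/dnsmasq) is enabled";
    description = "Run a local DNS resolver (kresd) for the mailserver.";
  };

  config = lib.mkIf cfg.enable {
    # Proposal 2: fail at evaluation time instead of at boot with
    # "binding TCP socket: address in use" in the bind journal.
    assertions = [
      {
        assertion = !(cfg.localDnsResolver && otherDnsEnabled);
        message = ''
          mailserver.localDnsResolver = true conflicts with another enabled
          DNS service that also listens on port 53.
          Set mailserver.localDnsResolver = false or disable the other service.
        '';
      }
    ];

    services.kresd.enable = cfg.localDnsResolver;
  };
}
```

With this in place, the configuration from the issue (mailserver.enable plus services.bind.enable) evaluates with kresd off; explicitly setting mailserver.localDnsResolver = true alongside bind is rejected by nixos-rebuild rather than silently breaking DNS.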

r-raymond commented 6 years ago

Thanks for the feedback! We should probably also document that this is the default.

phdoerfler commented 6 years ago

I was about to suggest creating a wiki page "Services enabled by default" but I believe this is short enough that it can go in readme.md right at the top. It could double as a feature list of sorts where we list all the preconfigured services and next to it whether they are turned on by default. So basically a nicer-to-read version of default.nix. That way people can see instantly what they're getting by flipping the switch. How does that sound?

Purely for the sake of completeness, there is another option: we could run kresd on a different port, not make it the default nameserver for the system and have only rspamd use it (depends on the rspamd module from 18.03). This way rspamd could have its own private DNS not disturbing anyone else. However, I doubt that people want to run two DNS servers side by side. And if I recall correctly other parts of the mailserver (such as postfix) benefit from having a local DNS server, too. So let's not do this.

tokudan commented 6 years ago

kresd also seems to be broken on 17.09: https://github.com/NixOS/nixpkgs/pull/35508