Forward queries to correct servers for delegated domains (#187)

* rules * rules * rules * rules * remove outgoing ip for now * no ipv6 * deploy * deploy * auth stub * clean
nycmeshnet · Jan 31, 2025 · e0ace50 · e0ace50
1 parent 555191f
commit e0ace50
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 4 deletions.
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
@@ -14,9 +14,13 @@ net.listen('{{ EXTERNAL_LISTEN_IP }}', 53, { kind = 'dns' })
 net.listen('{{ EXTERNAL_LISTEN_IP }}', 443, { kind = 'doh2' })
 {% endif %}
 
+-- No ipv6
+net.ipv6 = false
+
 {% if EXTERNAL_OUTGOING_IP != "" %}
 -- EXTERNAL_OUTGOING_IP
-net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}')
+-- Not until things are sorted out with the delegated subdomains, but keep the IPs
+--net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}')
 {% endif %}
 
 -- Load useful modules
@@ -36,6 +40,31 @@ nsid.name('{{ SERVER_HOSTNAME }}')
 net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")
 {% endif %}
 
+-- Subdomains delegated outside of "this" server from within the mesh
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+
 -- Mesh from mesh
 view:addr('10.0.0.0/8', policy.suffix(policy.STUB('{{ MESH_STUB_RESOLVER }}'), policy.todnames({'mesh.', 'mesh.nycmesh.net.'})))
 view:addr('23.158.16.0/24', policy.suffix(policy.STUB('{{ MESH_STUB_RESOLVER }}'), policy.todnames({'mesh.', 'mesh.nycmesh.net.'})))

diff --git a/infra/terraform/dev_jon.tfvars b/infra/terraform/dev_jon.tfvars
@@ -35,4 +35,4 @@ recursive_cores                 = 4
 recursive_sockets               = 1
 recursive_memory                = 4096
 enable_doh                      = ""
-#mesh_stub_resolver              = "23.158.16.23"
+mesh_stub_resolver              = "23.158.16.23"
diff --git a/infra/terraform/prod_sn10.tfvars b/infra/terraform/prod_sn10.tfvars
@@ -45,4 +45,4 @@ recursive_cores                 = 5
 recursive_sockets               = 1
 recursive_memory                = 4096
 enable_doh                      = "enable"
-#mesh_stub_resolver              = "199.170.132.47"
+mesh_stub_resolver              = "199.170.132.47"
diff --git a/infra/terraform/prod_sn3.tfvars b/infra/terraform/prod_sn3.tfvars
@@ -45,4 +45,4 @@ recursive_cores                 = 5
 recursive_sockets               = 1
 recursive_memory                = 4096
 enable_doh                      = "enable"
-#mesh_stub_resolver              = "23.158.16.23"
+mesh_stub_resolver              = "23.158.16.23"