2 Commits

Author SHA1 Message Date
1ab88a25f7 coredns: hidden-primary architecture with AXFR for HE secondaries
Goal: serve the public DNS face via Hurricane Electric's free
secondary-DNS service (dns.he.net), with CoreDNS on dell01 acting as
the hidden primary. We edit zones here; HE pulls them via AXFR.

Changes:
- scripts/prepare-zones.sh:
  * SOA mname: ns1.vultr.com -> ns1.he.net (so the apex SOA reflects
    HE as the primary in published RDATA)
  * Strip ns?.vultr.com NS records from each zone and inject the five
    HE nameservers (ns1..ns5.he.net) as the authoritative NS set
- Corefile (shared `common` snippet):
  * Add `transfer { to * }` to authorize AXFR. Tried specific IPs +
    `*` mixed on the same line but CoreDNS silently fails to bind
    server blocks with that syntax; bare `to *` is the only form that
    actually starts the listeners. Trade-off: NOTIFY targeting is lost
    (HE polls per SOA refresh=3600s instead of being pushed). For DNS
    data this is fine since each record is publicly queryable anyway.

Verified AXFR end-to-end: `dig @dell01 -p 5353 acrazy.org AXFR +tcp`
returns 41 records with the new HE NS set and HE-rooted SOA.

Still needed (operator action):
- Firewall NAT for TCP/53 -> 172.16.1.15:5353 (so HE can connect in)
- Add each of the 91 zones at dns.he.net as Secondary DNS pointing
  at 154.27.180.210
- Update each domain's registrar NS records from Vultr -> HE
2026-05-16 15:49:42 -06:00
10867ee319 coredns: docker compose stack with Vultr zone import
- Auto plugin loads zones-prepared/*.zone (regex zone-name extraction)
- scripts/prepare-zones.sh transforms raw Vultr exports:
  * synthesizes SOA (omitted by Vultr; CoreDNS requires it)
  * prepends @ to leading-TAB apex lines to disambiguate owner inheritance
  * dot-terminates NS/MX/CNAME rdata so $ORIGIN doesn't double-suffix
- DNS_PORT defaults to 1053 (5353=avahi, 53=libvirt dnsmasq on this host)
- Forwards non-authoritative queries to 1.1.1.1/1.0.0.1/9.9.9.9
- Makefile targets: prep, up, down, reload, test, logs
- 91 zones loaded
2026-05-12 01:51:09 -06:00
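Both commit messages above describe the transformations scripts/prepare-zones.sh applies to the raw Vultr exports (synthesize the missing SOA, prefix `@` to leading-TAB apex lines, dot-terminate NS/MX/CNAME rdata, replace the ns?.vultr.com NS set with ns1..ns5.he.net). The following is an added Python re-implementation of those steps for illustration, not the project's script; the SOA rname and the timers other than refresh=3600, the record-type list and the sample export are assumptions.

```python
import re

HE_NS = [f"ns{i}.he.net." for i in range(1, 6)]        # NS set named in the commit
# SOA template: mname ns1.he.net. and refresh=3600 as in the commit; rname and
# the remaining timers are assumed values for this example.
SOA = "@\tIN\tSOA\tns1.he.net. hostmaster.{zone}. ( {serial} 3600 900 1209600 300 )"
VULTR_NS = re.compile(r"^ns\d*\.vultr\.com\.?$", re.I)
RTYPES = {"A", "AAAA", "NS", "MX", "CNAME", "SOA", "TXT", "SRV", "PTR", "CAA"}

def record_type_index(fields):
    """Index of the RR type field, skipping the owner and optional TTL/class."""
    return next((i for i, f in enumerate(fields[1:], 1) if f.upper() in RTYPES), None)

def prepare_zone(raw: str, zone: str, serial: int = 2026051601) -> str:
    directives, records, has_soa = [], [], False
    for line in raw.splitlines():
        if line.startswith("\t"):            # leading-TAB apex line: make the owner explicit
            line = "@" + line
        if not line.strip() or line.startswith(";"):
            continue
        if line.startswith("$"):             # $ORIGIN / $TTL stay at the top
            directives.append(line)
            continue
        fields = line.split()
        ti = record_type_index(fields)
        if ti is None:                       # unrecognised shape: pass through untouched
            records.append(line)
            continue
        rtype = fields[ti].upper()
        if rtype == "SOA":
            has_soa = True
            if VULTR_NS.match(fields[ti + 1]):   # mname ns1.vultr.com -> ns1.he.net.
                fields[ti + 1] = "ns1.he.net."
        elif rtype == "NS" and VULTR_NS.match(fields[-1]):
            continue                         # drop the old ns?.vultr.com NS set
        if rtype in ("NS", "MX", "CNAME") and not fields[-1].endswith("."):
            fields[-1] += "."                # absolute name, so $ORIGIN is not appended again
        records.append("\t".join(fields[:ti + 1] + [" ".join(fields[ti + 1:])]))
    soa = [] if has_soa else [SOA.format(zone=zone, serial=serial)]
    he_ns = [f"@\tIN\tNS\t{ns}" for ns in HE_NS]
    return "\n".join(directives + soa + he_ns + records) + "\n"

# Constructed sample in the shape the commit describes: no SOA, TAB-led apex
# lines, relative rdata and the previous provider's NS records.
SAMPLE = (
    "$ORIGIN example.test.\n"
    "\tIN\tNS\tns1.vultr.com\n"
    "\tIN\tNS\tns2.vultr.com\n"
    "\tIN\tMX\t10 mail.example.test\n"
    "www\tIN\tA\t192.0.2.10\n"
    "blog\tIN\tCNAME\twww.example.test\n"
)
```

The same expectations (no vultr names left, five HE NS records, HE-rooted SOA) are what the `dig ... AXFR +tcp` check in the first commit confirms on the served zone, so a zone loaded from a stale zones-prepared file shows up as a mismatch there.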