coredns

Go to file

Ryan Malloy 57c8366b7f coredns: document why HE-IP restriction lives at firewall, not CoreDNS

Goal was to restrict AXFR to Hurricane Electric's five secondary
nameserver IPs. Tried several CoreDNS Corefile syntaxes:

  transfer { to 216.218.130.2 ... 216.66.1.2 }       # space-separated
  transfer { to 216.218.130.2 \n to 216.218.131.2 }  # multi-line
  transfer { to 216.218.130.2 }                       # single IP
  transfer { to * 216.218.130.2 ... }                 # mixed

Every form with a specific IPv4 address silently breaks server-block
startup — the auto plugin still loads zones into memory but the
:53/:443/:853 listeners never bind. Reproducible on coredns/coredns
1.11.3 AND 1.12.2 with the (common) snippet + auto + forward shape.
Only `to *` results in healthy listener startup.

Even if we got CoreDNS-side filtering to work, Docker's default
userland-proxy rewrites source IPs to the bridge gateway, which would
break IP-based filtering anyway short of `network_mode: host`.

Decision: keep `to *` in CoreDNS, push HE-only filtering to the
FortiWiFi firewall (source-IP-restricted VIP/DNAT for WAN:53/tcp).
This is correct-layered defense — the perimeter does the IP work
before packets ever reach dell01.

2026-05-16 16:04:44 -06:00

caddy

coredns: production Let's Encrypt cert via Caddy sidecar (DNS-01 + Vultr)

2026-05-14 01:34:57 -06:00

scripts

coredns: hidden-primary architecture with AXFR for HE secondaries

2026-05-16 15:49:42 -06:00

zones

coredns: docker compose stack with Vultr zone import

2026-05-12 01:51:09 -06:00

.env

coredns: rename endpoint dns.l.supported.systems -> dns.supported.systems