coredns: fix ENOTFOUND for own zone, enable dns64 for IPv4 clients
ci/woodpecker/push/flux-reconcile-source Pipeline was successful
ci/woodpecker/push/coredns-build Pipeline was successful
ci/woodpecker/cron/renovate Pipeline was successful

Two Corefile changes:
- Add lumpiasty.xyz server block without dns64. Replaces the manual
  RouterOS static FWD entry ("bypass nat64") which returned NOERROR
  with empty answer instead of relaying NXDOMAIN. Combined with
  ndots:5 and pod search domains this made getaddrinfo stop at the
  search-suffixed candidate and fail with ENOTFOUND for valid names
  (kaneo -> authentik OAuth fetch failures). CoreDNS relays rcodes
  faithfully; internal zone keeps real AAAA for native IPv6.
- Add allow_ipv4 to dns64 (previously uncommitted): without it only
  queries arriving over IPv6 are synthesized, but all clients reach
  CoreDNS via RouterOS over IPv4, so translate_all never applied.
The RouterOS static FWD entry must be removed after deploying the new
image - ansible already declares only the ts.net entry, so a playbook
run handles it.
2026-06-13 02:19:16 +02:00
parent 33e01376b1
commit d3a067886e
6 changed files with 76 additions and 14 deletions
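An added example, not code from this commit or the repository, modelling the two mechanisms the commit message describes: the stub-resolver search-list walk under ndots:5 (why a forwarder that turns NXDOMAIN into NOERROR with an empty answer stops the walk at a search-suffixed candidate and surfaces ENOTFOUND, while a forwarder that relays NXDOMAIN lets the walk reach the bare name), and the DNS64 synthesis gate with and without allow_ipv4 and translate_all. The resolver behaviour is the one the commit message states, not a port of any libc; the search list, the zone records (documentation addresses) and the `lumpiasty.xyz` search suffix are constructed for the example, and the 64:ff9b::/96 prefix is the RFC 6052 well-known prefix, assumed here to be the one the Corefile uses.

```python
"""Model of the two failure modes described in the commit message (added example).

Assumptions: the pod search list below (the trailing 'lumpiasty.xyz' suffix is
assumed to be inherited from the node), constructed zone records using
documentation addresses, and the RFC 6052 well-known DNS64 prefix.
"""
import ipaddress

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed records for the internal zone (RFC 5737 / RFC 3849 addresses).
ZONE = {
    "authentik.lumpiasty.xyz": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}
# Constructed pod resolv.conf search list; the last entry is an assumption.
SEARCH = ["kaneo.svc.cluster.local", "svc.cluster.local", "cluster.local",
          "lumpiasty.xyz"]
NDOTS = 5


def search_candidates(name, search=SEARCH, ndots=NDOTS):
    """Names a stub resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name.rstrip(".")]           # fully qualified: no search walk
    suffixed = [f"{name}.{s}" for s in search]
    # Fewer than ndots dots: the search suffixes are tried before the bare name.
    return suffixed + [name] if name.count(".") < ndots else [name] + suffixed


def authoritative(qname, qtype):
    """Real zone data: NXDOMAIN for unknown names, NOERROR (maybe empty) otherwise."""
    rrs = ZONE.get(qname)
    if rrs is None:
        return NXDOMAIN, []
    return NOERROR, rrs.get(qtype, [])


def routeros_fwd(qname, qtype):
    """Model of the removed RouterOS static FWD entry: the upstream rcode is
    not relayed, so NXDOMAIN comes back as NOERROR with an empty answer."""
    _rcode, rrs = authoritative(qname, qtype)
    return NOERROR, rrs


def coredns_forward(qname, qtype):
    """Model of the new CoreDNS lumpiasty.xyz server block: rcodes relayed as-is."""
    return authoritative(qname, qtype)


def cluster_dns(qname, qtype, zone_server):
    """Cluster-internal suffixes answer NXDOMAIN here; everything else goes to
    the zone server (RouterOS-style or CoreDNS-style)."""
    if qname.endswith("cluster.local"):
        return NXDOMAIN, []
    return zone_server(qname, qtype)


def getaddrinfo(name, qtype, zone_server):
    """Search-list walk as the commit message describes it: NXDOMAIN moves on
    to the next candidate; any other rcode ends the walk, and an empty answer
    then surfaces as ENOTFOUND."""
    for cand in search_candidates(name):
        rcode, rrs = cluster_dns(cand, qtype, zone_server)
        if rcode == NXDOMAIN:
            continue
        if not rrs:
            return {"error": "ENOTFOUND", "stopped_at": cand}
        return {"name": cand, "addresses": rrs}
    return {"error": "ENOTFOUND", "stopped_at": None}


def dns64_synthesize(a_records, aaaa_records, query_over_ipv6,
                     allow_ipv4=False, translate_all=False, prefix="64:ff9b::/96"):
    """AAAA synthesis gate modelled on the dns64 options named in the commit:
    without allow_ipv4 only queries that arrived over IPv6 are translated, and
    without translate_all an existing AAAA answer is returned untouched."""
    if not (query_over_ipv6 or allow_ipv4):
        return aaaa_records
    if aaaa_records and not translate_all:
        return aaaa_records
    base = int(ipaddress.IPv6Network(prefix).network_address)
    return [str(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(a))))
            for a in a_records]


if __name__ == "__main__":
    print(getaddrinfo("authentik.lumpiasty.xyz", "AAAA", routeros_fwd))
    print(getaddrinfo("authentik.lumpiasty.xyz", "AAAA", coredns_forward))
    print(dns64_synthesize(["139.28.40.212"], [], query_over_ipv6=False))
    print(dns64_synthesize(["139.28.40.212"], [], query_over_ipv6=False, allow_ipv4=True))
```

Run it and the first lookup fails at `authentik.lumpiasty.xyz.lumpiasty.xyz` (the candidate the RouterOS-style forwarder answered NOERROR/empty for), the second reaches the bare name and returns the real AAAA, and the two dns64 calls show that an IPv4-transport query gets no synthesized AAAA until allow_ipv4 is set.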
+6 -5
@@ -192,11 +192,12 @@
forward-to: 100.100.100.100
match-subdomain: true
comment: Tailscale MagicDNS
- name: lumpiasty.xyz
type: FWD
forward-to: 1.1.1.1
match-subdomain: true
comment: lumpiasty.xyz bypass nat64
# Do NOT add a lumpiasty.xyz FWD entry here. RouterOS FWD entries return
# NOERROR with an empty answer instead of relaying NXDOMAIN, which breaks
# getaddrinfo search-domain processing (ENOTFOUND for valid names in k8s
# pods). The DNS64 bypass for our own zone lives in the CoreDNS Corefile
# (mikrotik/coredns/Corefile, lumpiasty.xyz server block) which relays
# rcodes correctly. See docs/coredns-nat64.md pitfall #4.
handle_absent_entries: remove
handle_entries_content: remove_as_much_as_possible
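Review bot: the new comment block explains why the FWD entry must not come back, but not the ordering the commit message requires: with `handle_absent_entries: remove` the next playbook run deletes the RouterOS entry regardless of whether the new CoreDNS image with the lumpiasty.xyz server block is already deployed, and until it is, lumpiasty.xyz queries would be handled by the dns64 path again. Consider adding one line to the comment ("deploy the CoreDNS image before running this playbook"). The comment also points at docs/coredns-nat64.md pitfall #4, which is not among the hunks shown here; confirm that pitfall exists in the docs change.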
+1 -1
@@ -20,7 +20,7 @@
data:
- dst: /var/lib/tailscale
list: tailscale_state
src: tailscale/state
src: /tailscale/state
handle_absent_entries: remove
handle_entries_content: remove_as_much_as_possible
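Review bot: the `src: tailscale/state` to `src: /tailscale/state` mount change is unrelated to the DNS fix and is not mentioned in the commit message; either say what the relative path broke and why the absolute one is correct, or split it into its own commit so the RouterOS DNS change stays reviewable on its own.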
+14
@@ -72,6 +72,15 @@
comment: Allow Tayga NAT64 pool to internet
out-interface: pppoe-gpon
src-address: 192.168.240.0/20
# IPv6-only clients reaching internal services published on the public IP
# (e.g. authentik.lumpiasty.xyz -> 139.28.40.212 -> dst-nat -> 10.44.0.0/16)
# arrive from the Tayga pool after NAT64 translation. Without this rule
# they fall through to the final reject (hairpin via NAT64).
- action: accept
chain: forward
comment: Allow Tayga NAT64 pool to LoadBalancer (hairpin port forwards)
dst-address: 10.44.0.0/16
src-address: 192.168.240.0/20
- action: jump
chain: forward
comment: Allow port forwards
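Review bot: the new accept rule matches any traffic from 192.168.240.0/20 to the whole 10.44.0.0/16, not only the connections that were dst-nat'd by a port forward, and it sits before the "Allow port forwards" jump that would otherwise scope this. RouterOS filter rules can match `connection-nat-state=dstnat`; adding that matcher keeps the hairpin case described in the comment working while not opening the entire LoadBalancer range to every NAT64-translated client. This firewall change is also not mentioned in the commit message.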
@@ -446,6 +455,11 @@
comment: Allow from IOT to internet only
in-interface: vlan5
out-interface-list: wan
- action: accept
chain: forward
comment: Allow from SRV to internet via NAT64
in-interface: vlan4
out-interface: nat64
- action: accept
chain: forward
comment: Allow from IOT to internet via NAT64
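Review bot: this hunk is cut off after the IOT rule's comment, so the in-interface/out-interface lines of "Allow from IOT to internet via NAT64" are not visible here and cannot be reviewed. Neither this rule nor the SRV one above it is mentioned in the commit message, which describes only the Corefile changes and the RouterOS FWD entry; a sentence in the message on why vlan4 and vlan5 now need explicit accepts towards the nat64 interface (the existing "to internet only" rules match `out-interface-list: wan`, which evidently does not cover it) would make the change self-explaining.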