Lumpiasty/klaster
0
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
d3a067886e21a6bf2d4cef1ac74a9d6be98c6ab4
klaster/mikrotik/coredns/Corefile
T
Lumpiasty d3a067886e
ci/woodpecker/push/flux-reconcile-source Pipeline was successful
Details
ci/woodpecker/push/coredns-build Pipeline was successful
Details
ci/woodpecker/cron/renovate Pipeline was successful
Details
coredns: fix ENOTFOUND for own zone, enable dns64 for IPv4 clients 
Two Corefile changes:
- Add lumpiasty.xyz server block without dns64. Replaces the manual
  RouterOS static FWD entry (\"bypass nat64\") which returned NOERROR
  with empty answer instead of relaying NXDOMAIN. Combined with
  ndots:5 and pod search domains this made getaddrinfo stop at the
  search-suffixed candidate and fail with ENOTFOUND for valid names
  (kaneo -> authentik OAuth fetch failures). CoreDNS relays rcodes
  faithfully; internal zone keeps real AAAA for native IPv6.
- Add allow_ipv4 to dns64 (previously uncommitted): without it only
  queries arriving over IPv6 are synthesized, but all clients reach
  CoreDNS via RouterOS over IPv4, so translate_all never applied.
The RouterOS static FWD entry must be removed after deploying the new
image - ansible already declares only the ts.net entry, so a playbook
run handles it.
2026-06-13 02:45:30 +02:00

41 lines
1.1 KiB
Plaintext
Raw Blame History

# Our own zone bypasses DNS64: internal services have native IPv6 (LB pool
# routed via HE prefix), so clients should get real AAAA records and connect
# directly instead of hairpinning through NAT64.
#
# This MUST live here, not as a RouterOS static FWD entry: RouterOS FWD
# entries return NOERROR with an empty answer instead of relaying NXDOMAIN,
# which breaks getaddrinfo search-domain processing (resolver stops at the
# first NODATA search candidate and never tries the absolute name -> apps
# fail with ENOTFOUND for names that exist).
lumpiasty.xyz:53 {
forward . 1.1.1.1 8.8.8.8 {
prefer_udp
}
cache 300
errors
log
}
.:53 {
# Synthesize AAAA from A records for all destinations.
# translate_all: override real AAAA records too, so all traffic exits
# via NAT64 (our IPv4 WAN) rather than the HE tunnel broker.
# This eliminates datacenter flagging and CAPTCHA loops from HE addresses.
dns64 {
prefix 64:ff9b::/96
translate_all
allow_ipv4
}
forward . 1.1.1.1 8.8.8.8 {
prefer_udp
}
cache 300
errors
log
reload
health :8080
}
Reference in New Issue View Git Blame Copy Permalink