Adding DNS to Nebula

Following up on my previous post on nebula, the two big things still outstanding were getting DNS over nebula and setting the default route through nebula. Well, now I have figured out the DNS side and will be sharing that with you today.

Update 15/08/2023

Due to changes in systemd-networkd, the following line needs to be added; this is reflected in the examples below.

KeepConfiguration=yes

What does not work

Now I could just put a DNS server listening on a device connected to nebula, but I really wanted to include the built-in DNS functionality you can enable in a lighthouse, so that I don’t have to remember nebula IP addresses (being in control of the addressing on all these networks, you would think I would have aligned all the IP addresses). Also, the lighthouse DNS server only resolves nodes that have checked into the lighthouse recently, so that is only part of the solution; I would still like to resolve requests for general DNS.

What will work

So what I want is a DNS server that binds to the nebula IP address, forwards queries for nebula nodes to the nebula DNS, and forwards everything else upstream; this would replace the OpenVPN server nicely. The nebula lighthouse DNS resolves nodes based on the assigned certificate name, so we can end each certificate name with something like .nebula, so that the general DNS server can forward any query ending in .nebula to the nebula DNS and everything else upstream to your preferred DNS provider.

What I did

Now I did not have these great plans when I first created my nebula network, and I don’t really feel like recreating all my nebula certificates (even though it won’t take that long). Instead I found the handy rewrite feature in CoreDNS, so I can change the DNS query before sending it to the nebula DNS: foo.bar.nebula becomes foo.bar (and back to foo.bar.nebula on the way back). That looks something like this.

nebula.:53 {
    rewrite continue name suffix .nebula. . answer auto
    forward . 127.0.0.1:53
    log
    bind nebula1
}

.:53 {
    forward . 192.168.5.1:53 192.168.5.2:53
    log
    bind nebula1
}
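The routing and rewrite decisions that Corefile expresses, as an added example (not code from the post or from CoreDNS) that lets you check the split offline: only names inside the nebula. zone ever reach the lighthouse resolver, the .nebula suffix is stripped on the way in and restored on the way back, and a name such as notnebula. goes upstream because the suffix match includes the leading dot. The addresses are the ones used in the post; how CoreDNS treats the zone apex is my assumption.

```python
# Added example: a small model of the Corefile's decisions, not CoreDNS itself.
NEBULA_DNS = [("127.0.0.1", 53)]                       # lighthouse serve_dns
UPSTREAM = [("192.168.5.1", 53), ("192.168.5.2", 53)]  # forward . in the ".:53" block
ZONE = "nebula."          # server block "nebula.:53"
SUFFIX = "." + ZONE       # rewrite continue name suffix .nebula. .


def to_fqdn(name: str) -> str:
    """Normalise a query name: lower-case, exactly one trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def route_query(qname: str):
    """Return (servers, forwarded_name) for a client query.

    Names in the nebula. zone go to the lighthouse with the suffix
    stripped; everything else is forwarded unchanged upstream.
    """
    name = to_fqdn(qname)
    # Assumption: the zone block matches the apex "nebula." as well as
    # names under it, but the suffix rewrite only fires under the apex.
    if name == ZONE or name.endswith(SUFFIX):
        if name.endswith(SUFFIX):
            name = name[:-len(SUFFIX)] + "."   # foo.bar.nebula. -> foo.bar.
        return NEBULA_DNS, name
    return UPSTREAM, name


def rewrite_answer(qname: str, answer_owner: str) -> str:
    """Model 'answer auto': put the suffix back on answer records whose
    owner is the rewritten question name, so the client sees the name
    it actually asked for. Other owner names are passed through."""
    original = to_fqdn(qname)
    servers, forwarded = route_query(original)
    owner = to_fqdn(answer_owner)
    if servers is NEBULA_DNS and owner == forwarded and forwarded != original:
        return original
    return owner


if __name__ == "__main__":
    for q in ("foo.bar.nebula", "nebula", "notnebula", "example.com"):
        print(q, "->", route_query(q))
    print(rewrite_answer("foo.bar.nebula", "foo.bar."))
```

On the live host the same decisions show up in the output of the log plugin that the Corefile already enables.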

and the nebula lighthouse DNS configuration looks like this

lighthouse:
  am_lighthouse: true
  serve_dns: true
  dns:
    host: 127.0.0.1
    port: 53

For my Linux clients I set up my network to send DNS queries to the nebula DNS server; here is an example using systemd’s networkd.

[bloominstrong@strongbox ~]$ cat /etc/systemd/network/20-nebula.network
[Match]
Name=nebula*

[Network]
DNS=10.51.0.5
KeepConfiguration=yes
Domains=~nebula

Alternatively I could send all DNS queries to the nebula DNS server

[bloominstrong@strongbox ~]$ cat /etc/systemd/network/20-nebula.network
[Match]
Name=nebula*

[Network]
DNS=10.51.0.5
KeepConfiguration=yes
Domains=~.

And that is pretty much it (I have spared you my struggles with SELinux and systemd, as they are not super relevant here). If I ever need to get this working on Windows (and have success), I will update the post to include that.