counterweight/superhog-infra-repo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

dns configuration

Browse source
This commit is contained in:
Pablo Martin 2024-02-09 11:36:33 +01:00
parent 420a17837b
commit d49b310826
1 changed files with 55 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

59
human-script.md
View file

@ -315,13 +315,64 @@ Follow this to deploy the entire data infra.
- Next, we must allow IP forwarding on Azure. - Next, we must allow IP forwarding on Azure.
- Look for the jumphost VM Network Interface. - Look for the jumphost VM Network Interface.
- In the `IP configurations` session, activate the flag `Enable IP forwarding`. - In the `IP configurations` session, activate the flag `Enable IP forwarding`.
- #TODO
- Allowing ip4 forward on network interface of jumphost in Azure
-
### 3.3 Configure a DNS Server ### 3.3 Configure a DNS Server
- The jumphost is now ready. When the VPN is active on our local device, we can access the services within the virtual network.
- There is one issue, though: we would like to access services through names, not IPs.
- Our Private DNS Zone takes care of providing names to services within the virtual network. But these resolution only happens within the virtual network itself, so our external device can't rely on it.
- To solve this, we need to force DNS resolution of our laptops to happen from within the virtual network itself.
- To do so, we will set up a DNS server in the jumphost, and set up our VPN configuration to use it when the VPN connection in our device is active.
- Connect to the jumphost through SSH
- Run the following script as `sudo` from the home folder of `azureuser`
```bash
echo "Installing dependencies."
apt install dpkg-dev debhelper jq -y
echo "Cloning coredns."
git clone https://github.com/coredns/deployment.git coredns/deployment
cd coredns/deployment
echo "Building package."
dpkg-buildpackage -us -uc -b
cd ..
echo "Installing package."
dpkg -i coredns*.deb
echo "Disabling Stub resolver."
sed -i -e 's/#DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
systemctl restart systemd-resolved
echo "Writing config file".
rm /etc/coredns/Corefile
cat > /etc/coredns/Corefile << EOL
. {
hosts {
log
# If you want to make custom mappings, place them here
# Format is
# xxx.xxx.xxx.xxx your.domain.name
# By default, we delegate on Azure
fallthrough
}
forward . 168.63.129.16 # This IP is Azure's DNS service
errors
}
EOL
echo "Restarting coredns to pick up new config."
systemctl restart coredns.service
```
- In your client Wireguard configuration, uncomment the DNS server line we left before
- Check that the service is running fine by running `dig google.com`. You should see in the output that your laptop has relied on our new DNS to do the name resolution.
### 3.4 Harden the VM ### 3.4 Harden the VM
- First, remove the AllowSSHInboundTemporarily rule that you added - First, remove the AllowSSHInboundTemporarily rule that you added