Omripresent

joined 1 month ago
[–] Omripresent@lemmy.ml 3 points 1 month ago

Skullmonkeys after finally getting a PS1 emulator working

[–] Omripresent@lemmy.ml 0 points 1 month ago
  1. Read all laws following laws
  2. Follow all laws instructions
  3. Read the first law
[–] Omripresent@lemmy.ml 4 points 1 month ago

I have a total of 4 (for now) DNS servers, 2 within the lab (AlmaLinux on Proxmox), 1 running on OpnSense and 1 on a VPS (AlmaLinux). All are running Unbound + dnscrypt-proxy for external resolution, the AlmaLinux ones also have unbound-exporter for telemetry.

The pair in the lab also run Keepalived with 2 VIPs for active/active setup (VIP 1 active/backup for DNS1/2, VIP2 active/backup for DNS2/1). All servers target the VIP addresses for resolution with options timeout:1 attempts:3 rotate in the /etc/resolve.conf file.

For internal DNS records I run FreeIPA (as well for server/ldap auth) with zone transfers to all Unbound instances, this way there's no dependency on FreeIPA and the lab to be online for DNS resolution of internal records and it prevents the need for forwarding those queries to FreeIPA.

All instances also have a scheduled service to download and apply a blocklist from https://github.com/StevenBlack/hosts

I would like to look into Unbound views for the OpnSense instance to be able to resolve different records if the source it IOT/Untrusted zone vs LAN/Trusted zone, for now I have BIND tied to specific IPs used by IOT/Untrusted exclusively without access to resolve the lab zones.