Mon 23 October 2023

Further to my last post where I went away for a few weeks, that away-time featured a power cut at home. Things....did not come back cleanly, and required intervention to come back -- not least of which was DNS. Because of course.

My setup had been running DNS locally for the local zone, including delegating to consul for where nomad jobs are. So, I looked into getting rid of this -- being able to use any resolver to resolve things at home would be nice, and being able to just hand out an external resolver to most clients will also be good. I have redundant internet connections at home, so I'm going to explicitly make it so not being able to reach external resolvers is the falure mode, rather than recovering from a power cut :-)

Thankfully, the major cloud providers will...provide. Google Cloud DNS costs pennies a month and you can talk to it over an API, so I started fiddling around with that.

I'd been kind of looking around for yet another excuse to learn go, so I've made clouddns-sync to do the heavy lifting. It's still pretty janky and needs tests, but it works, for now.

The probably more useful parts for other people is the clouddns-sync getzonefile and clouddns-sync putzonefile fnctionality - I used this for getting my existing zone into Cloud DNS. It probably doesn't produce or consume all kinds of zone file fragments, but in my defense, it's DNS. Show me software that does.

The more me-specific part is updating records for nomad jobs -- I can do this one-off with clouddns-sync nomad_sync -- which does a one-off poll of where jobs and allocs are in a local nomad cluster, and then updates a zone in cloud DNS. I'll likely cron it for now and then see if I can do something smarter with running it in nomad itself and useing channels and proper montoring and all the good stuff you're meant to do.

All that's then left is delegating zones to gcloud's resolvers, and blowing away my local resolvers once I'm hapy with that. There's probably a paranoid concern about leaking where things are running on my local (i.e. rfc1918) network, but gcloud doesn't allow full zone transfers, and I'd imagine that's lower on my list of worries once someone's popped my home network.

Category: Tech Tagged: log #worksonmycluster tech