From 5d82e27ba40d75c061e2142fc912e585c1f27035 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Fri, 3 Apr 2026 09:30:09 -0700 Subject: [PATCH] Add fallback DNS resolvers to all nodes All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net) fail but external DNS (google.com, github.com, etc.) keeps working. Lesson from 2026-04-03 incident: without fallbacks, MCNS failure caused total DNS blackout including external services, forcing Tailscale to be disabled to restore any DNS resolution. Co-Authored-By: Claude Opus 4.6 (1M context) --- hw/orion/default.nix | 4 ++-- hw/rift/default.nix | 4 ++-- hw/straylight/default.nix | 6 +++--- hw/vade/default.nix | 14 +++++++++----- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/hw/orion/default.nix b/hw/orion/default.nix index 1abcaa3..384f250 100644 --- a/hw/orion/default.nix +++ b/hw/orion/default.nix @@ -17,8 +17,8 @@ networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ]; networking.firewall.allowedUDPPorts = [ 53 ]; - # Route internal Metacircular zones to rift's own CoreDNS. - networking.nameservers = [ "192.168.88.181" "100.95.252.120" ]; + # DNS: MCNS for internal zones, public resolvers as fallback. + networking.nameservers = [ "192.168.88.181" "100.95.252.120" "1.1.1.1" "8.8.8.8" ]; services.resolved.domains = [ "~mcp.metacircular.net" ]; }; diff --git a/hw/rift/default.nix b/hw/rift/default.nix index 3e64b62..8a5f6e0 100644 --- a/hw/rift/default.nix +++ b/hw/rift/default.nix @@ -22,8 +22,8 @@ networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ]; networking.firewall.allowedUDPPorts = [ 53 ]; - # Route internal Metacircular zones to rift's own CoreDNS. - networking.nameservers = [ "192.168.88.181" ]; + # DNS: MCNS for internal zones, public resolvers as fallback. + networking.nameservers = [ "192.168.88.181" "1.1.1.1" "8.8.8.8" ]; services.resolved.domains = [ "~mcp.metacircular.net" ]; }; } 
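Review bot: Adding 1.1.1.1 and 8.8.8.8 to the same `networking.nameservers` list as the MCNS addresses does not make them a fallback for the internal zone only — systemd-resolved treats the global DNS= servers as one pool, uses a single server until it times out or errors, and does not route `~mcp.metacircular.net` preferentially to the first entries. After one MCNS hiccup resolved can therefore switch to a public resolver, which answers NXDOMAIN for `*.mcp.metacircular.net` rather than failing, so internal names may keep failing after MCNS recovers and those internal hostnames are sent to third-party resolvers; the same applies to the rift, straylight and vade hunks. The new comment `# DNS: MCNS for internal zones, public resolvers as fallback.` should describe what is actually configured, e.g. `# DNS: MCNS and public resolvers form one resolved server pool; internal names may fail or be sent to public resolvers while resolved is on a fallback server.` True split DNS needs the MCNS servers on their own link scope with `Domains=~mcp.metacircular.net` and `DNSDefaultRoute=no` (systemd.network(5)), leaving the public resolvers as the default route.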
diff --git a/hw/straylight/default.nix b/hw/straylight/default.nix
index b7214f0..7a44f76 100644
--- a/hw/straylight/default.nix
+++ b/hw/straylight/default.nix
@@ -7,12 +7,12 @@
     ../../configs/mcpkg.nix
   ];
 
-  # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
-  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
-  # while DHCP/Tailscale DNS handles everything else.
+  # DNS: MCNS for internal zones, public resolvers as fallback.
   networking.nameservers = [
     "192.168.88.181"
     "100.95.252.120"
+    "1.1.1.1"
+    "8.8.8.8"
   ];
   services.resolved.domains = [
     "~mcp.metacircular.net"
diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index 8d48da2..d79781c 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -44,12 +44,16 @@
   # which hijacks all DNS queries through systemd-resolved.
   services.tailscale.extraUpFlags = ["--accept-dns=false"];
 
-  # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
-  # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
-  # while DHCP/Tailscale DNS handles everything else.
+  # DNS: MCNS for internal zones, public resolvers as fallback.
+  # When MCNS is down, internal names (.svc.mcp.metacircular.net) fail
+  # but external DNS keeps working via 1.1.1.1/8.8.8.8.
+  # Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
+  # causes total DNS blackout including external services.
   networking.nameservers = [
-    "192.168.88.181"
-    "100.95.252.120"
+    "192.168.88.181" # MCNS (LAN)
+    "100.95.252.120" # MCNS (Tailnet)
+    "1.1.1.1" # Cloudflare (fallback)
+    "8.8.8.8" # Google (fallback)
   ];
   services.resolved.domains = [
     "~mcp.metacircular.net"