kyle/imladris
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add fallback DNS resolvers to all nodes

Browse Source 
All nodes now list 1.1.1.1 and 8.8.8.8 as fallback nameservers after
MCNS. When MCNS is down, internal names (.svc.mcp.metacircular.net)
fail but external DNS (google.com, github.com, etc.) keeps working.

Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
caused total DNS blackout including external services, forcing
Tailscale to be disabled to restore any DNS resolution.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-04-03 09:30:09 -07:00
parent 5a381d314e
commit 5d82e27ba4
4 changed files with 16 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
hw/orion/default.nix
View File

@@ -17,8 +17,8 @@
networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ]; networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
# Route internal Metacircular zones to rift's own CoreDNS. # DNS: MCNS for internal zones, public resolvers as fallback.
networking.nameservers = [ "192.168.88.181" "100.95.252.120" ]; networking.nameservers = [ "192.168.88.181" "100.95.252.120" "1.1.1.1" "8.8.8.8" ];
services.resolved.domains = [ "~mcp.metacircular.net" ]; services.resolved.domains = [ "~mcp.metacircular.net" ];
}; };

4
hw/rift/default.nix
View File

@@ -22,8 +22,8 @@
networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ]; networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
# Route internal Metacircular zones to rift's own CoreDNS. # DNS: MCNS for internal zones, public resolvers as fallback.
networking.nameservers = [ "192.168.88.181" ]; networking.nameservers = [ "192.168.88.181" "1.1.1.1" "8.8.8.8" ];
services.resolved.domains = [ "~mcp.metacircular.net" ]; services.resolved.domains = [ "~mcp.metacircular.net" ];
}; };
} }

6
hw/straylight/default.nix
View File

@@ -7,12 +7,12 @@
../../configs/mcpkg.nix ../../configs/mcpkg.nix
]; ];
# Route internal Metacircular zones to rift's CoreDNS (MCNS precursor). # DNS: MCNS for internal zones, public resolvers as fallback.
# Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
# while DHCP/Tailscale DNS handles everything else.
networking.nameservers = [ networking.nameservers = [
"192.168.88.181" "192.168.88.181"
"100.95.252.120" "100.95.252.120"
"1.1.1.1"
"8.8.8.8"
]; ];
services.resolved.domains = [ services.resolved.domains = [
"~mcp.metacircular.net" "~mcp.metacircular.net"

14
hw/vade/default.nix
View File

@@ -44,12 +44,16 @@
# which hijacks all DNS queries through systemd-resolved. # which hijacks all DNS queries through systemd-resolved.
services.tailscale.extraUpFlags = ["--accept-dns=false"]; services.tailscale.extraUpFlags = ["--accept-dns=false"];
# Route internal Metacircular zones to rift's CoreDNS (MCNS precursor). # DNS: MCNS for internal zones, public resolvers as fallback.
# Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net # When MCNS is down, internal names (.svc.mcp.metacircular.net) fail
# while DHCP/Tailscale DNS handles everything else. # but external DNS keeps working via 1.1.1.1/8.8.8.8.
# Lesson from 2026-04-03 incident: without fallbacks, MCNS failure
# causes total DNS blackout including external services.
networking.nameservers = [ networking.nameservers = [
"192.168.88.181" "192.168.88.181" # MCNS (LAN)
"100.95.252.120" "100.95.252.120" # MCNS (Tailnet)
"1.1.1.1" # Cloudflare (fallback)
"8.8.8.8" # Google (fallback)
]; ];
services.resolved.domains = [ services.resolved.domains = [
"~mcp.metacircular.net" "~mcp.metacircular.net"