I think the solution to this problem is 4-6 more DNS servers #HomeLab #DNS
Problem 1:

I want to try out unbound as a recursive resolver. However, I don't want edge node DNS requests coming from other locations.

Solution: unbound as a daemonset, with an internalTrafficPolicy: Local service
Problem 2:

Some services actually do need unrestricted DNS access, such as a fedi instance. However, that also allows them to map the local network via DNS requests.

Solution: create a CoreDNS instance for each of those namespaces that explicitly allows only the required local services plus external services. I'd need 2-3 of these tops, and they would use their node-local unbound as an upstream.

Adguard-dns would also use a node-local unbound when serving end user DNS requests.
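One way to wire the two solutions up as Kubernetes manifests, added here as an illustration rather than the poster's own config: a node-local unbound behind a Local-policy service, and a per-namespace CoreDNS Corefile that resolves one named local service, refuses the rest of cluster.local, and forwards everything else to the node-local unbound. The namespaces, image, and cluster IPs are assumed placeholders.

```yaml
# Added example; namespaces, image and IPs are assumed placeholders.
apiVersion: apps/v1
kind: DaemonSet                     # one unbound pod per node, so every node has a local endpoint
metadata: {name: unbound, namespace: dns}
spec:
  selector: {matchLabels: {app: unbound}}
  template:
    metadata: {labels: {app: unbound}}
    spec:
      containers:
        - name: unbound
          image: registry.invalid/unbound:placeholder   # placeholder image
          ports:
            - {containerPort: 53, protocol: UDP}
            - {containerPort: 53, protocol: TCP}
---
apiVersion: v1
kind: Service
metadata: {name: unbound, namespace: dns}
spec:
  selector: {app: unbound}
  clusterIP: 10.96.0.53             # assumed; pinned so the Corefile below can reference it
  internalTrafficPolicy: Local      # clients only ever reach the unbound on their own node
  ports:
    - {name: dns-udp, port: 53, protocol: UDP}
    - {name: dns-tcp, port: 53, protocol: TCP}
---
apiVersion: v1
kind: ConfigMap                     # Corefile for the CoreDNS instance serving the "fedi" namespace
metadata: {name: coredns-fedi, namespace: fedi}
data:
  Corefile: |
    # the one local service this namespace may resolve, via cluster DNS (IP assumed)
    db.fedi.svc.cluster.local:53 {
        forward . 10.96.0.10
        log
    }
    # every other cluster name is refused, so pods here cannot enumerate the local network
    cluster.local:53 {
        template ANY ANY {
            rcode REFUSED
        }
        log
    }
    # everything external goes to the node-local unbound through the Local-policy service
    .:53 {
        forward . 10.96.0.53
        log
    }
```

The fedi pods still need their dnsConfig pointed at this CoreDNS instance's service rather than the cluster default, and the `log` lines are what feed a dashboard of refused and failed lookups per instance.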
@rachel sure. That way it can be DNS but you won't know which one
@ithoughtisawa2 I have a dashboard that lists all the containers making disallowed DNS requests, and failed DNS requests, all but a small handful have a short list of specifically allowed DNS requests, and it lists which DNS instance the request was made to, kinda happy with how it turned out tbh

Home Assistant has one of the longest lists currently