2-6: LAB | Custom DNS

This one won’t take long, but it might be useful to see custom DNS at work in a Wireguard deployment.

Lab Setup

We’ve automated away what we need for the Wireguard keys at this point, but there is a new component to this lab: the DNS server! We’re using Unbound as our DNS server, because it’s easy and lightweight.

Have a look at labs/2-6/home-dns/unbound.conf to see what the Unbound configuration looks like. We won’t spend time on it here, since DNS is not our focus. But do note the access-control entries that allow queries from both LAN and Wireguard subnets.

Okay, let’s fire up the lab.

Running the Lab

just up 2-6

Our layout is the same as lab 2-4, with two Zellij panes—the host OS, and the lab containers. In the lab tab, you won’t see the DNS server because no commands need to be run on it; we only need to see its effects.

On the lighthouse, roaming, and home router containers, start the Wireguard tunnel:

wg-quick up lab_2-6

[!INFORMATION] You can use Ctrl + T S to enable “Sync mode” in the Zellij tab and send this command to all four panes/containers at once. The webserver will produce an error because it doesn’t have Wireguard, but that’s fine. Don’t forget to repeat the command to exit Sync.

The purpose of this lab is to demonstrate the DNS configuration for roaming hosts, so let’s focus on our roaming container in the top right.

Start by confirming the DNS configuration. Our Alpine machine has no systemd, so we won’t be doing the resolvectl version. We can still view our nameservers by looking at /etc/resolv.conf.

cat /etc/resolv.conf

You should see 192.168.99.3 as the nameserver! Now bring the Wireguard tunnel down temporarily.

wg-quick down lab_2-6

And re-run the cat command. See? Wireguard is modifying our DNS settings. Bring the tunnel back up.

wg-quick up lab_2-6

Our DNS config should be back to our home DNS server at 192.168.99.3. Let’s put it to the test by accessing our home webserver by domain name.

curl http://webserver.home.lab

If you see a message from your home webserver, we’ve just demonstrated Wireguard-controlled DNS configuration!
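The manual `cat /etc/resolv.conf` check above can also be scripted. The following is an added example, not part of the lab's own files: it compares the resolvers requested on a wg-quick `DNS =` line with the nameservers actually in a resolv.conf file and flags any extra resolver. The sample config, the `home.lab` search domain, the tunnel address and the 8.8.8.8 entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the DNS servers a wg-quick config requests with the
# nameservers actually present in a resolv.conf-style file.

# IP entries of each "DNS = a, b" line, one per line. wg-quick treats non-IP
# entries on that line as search domains, so they are dropped here.
wg_dns_servers() {
    sed -n -e 's/#.*//' -e 's/^[[:space:]]*[Dd][Nn][Ss][[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | tr -d ' \t\r' |
        grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)$'
}

# Nameserver addresses from a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 only when the file lists at least one nameserver and every listed
# nameserver is one the tunnel config asked for. 1 = mismatch, 2 = no DNS line.
check_tunnel_dns() {
    expected=$(wg_dns_servers "$1") || true
    actual=$(resolv_nameservers "$2")
    [ -n "$expected" ] || { echo "no DNS servers in $1"; return 2; }
    [ -n "$actual" ] || { echo "no nameservers in $2"; return 1; }
    bad=0
    for ns in $actual; do
        if ! printf '%s\n' "$expected" | grep -qxF "$ns"; then
            echo "unexpected resolver: $ns"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample data, not the lab's real files.
demo=$(mktemp -d)
cat > "$demo/wg.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.0.0.2/24  # assumed tunnel address
DNS = 192.168.99.3, home.lab
EOF
printf 'nameserver 192.168.99.3\n' > "$demo/resolv.up"
printf 'nameserver 192.168.99.3\nnameserver 8.8.8.8\n' > "$demo/resolv.mixed"

check_tunnel_dns "$demo/wg.conf" "$demo/resolv.up" && echo "tunnel DNS only"
check_tunnel_dns "$demo/wg.conf" "$demo/resolv.mixed" || echo "extra resolver present"
```

On the roaming container the same function can be pointed at `/etc/resolv.conf` and the tunnel config, assuming the lab keeps it at wg-quick's default path `/etc/wireguard/lab_2-6.conf`.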

Stopping the Lab

Move back to the os-shell tab and run just down 2-6.