[ci skip] Replace specific CoreDNS catch-all blocks with generic template regex

Single template regex in the viktorbarzin.lan block catches ALL search domain expansion junk (*.com.viktorbarzin.lan, *.cluster.local.viktorbarzin.lan, etc.) instead of needing separate server blocks per pattern. Legitimate single-label queries (idrac.viktorbarzin.lan) fall through to Technitium.
2026-02-16 21:49:03 +00:00 · 2026-02-16 21:49:03 +00:00 · a268b9107f
commit a268b9107f
parent 19136c21f1
1 changed files with 10 additions and 22 deletions
--- a/modules/kubernetes/technitium/main.tf
+++ b/modules/kubernetes/technitium/main.tf
@ -20,10 +20,11 @@ module "tls_secret" {

 # CoreDNS Corefile - manages cluster DNS resolution
 # The viktorbarzin.lan block forwards to Technitium via LoadBalancer.
-# The cluster.local.viktorbarzin.lan and viktorbarzin.lan.viktorbarzin.lan blocks
-# short-circuit junk queries caused by ndots:5 search domain expansion
-# (e.g. redis.redis.svc.cluster.local.viktorbarzin.lan, idrac.viktorbarzin.lan.viktorbarzin.lan)
-# which would otherwise flood Technitium with NxDomain queries.
+# A template regex in the viktorbarzin.lan block short-circuits junk queries
+# caused by ndots:5 search domain expansion (e.g. www.cloudflare.com.viktorbarzin.lan,
+# redis.redis.svc.cluster.local.viktorbarzin.lan) by returning NXDOMAIN for any
+# query with 2+ labels before .viktorbarzin.lan. Legitimate single-label queries
+# (e.g. idrac.viktorbarzin.lan) fall through to Technitium.
 resource "kubernetes_config_map" "coredns" {
  metadata {
    name      = "coredns"
@ -56,27 +57,14 @@ resource "kubernetes_config_map" "coredns" {
          reload
          loadbalance
      }
-      cluster.local.viktorbarzin.lan:53 {
-        errors
-        template ANY ANY {
-          rcode NXDOMAIN
-        }
-        cache {
-          denial 10000 3600
-        }
-      }
-      viktorbarzin.lan.viktorbarzin.lan:53 {
-        errors
-        template ANY ANY {
-          rcode NXDOMAIN
-        }
-        cache {
-          denial 10000 3600
-        }
-      }
      viktorbarzin.lan:53 {
        #log
        errors
+        template ANY ANY viktorbarzin.lan {
+          match ".*\..*\.viktorbarzin\.lan\.$"
+          rcode NXDOMAIN
+          fallthrough
+        }
        forward . 10.0.20.204 # Technitium LoadBalancer
        cache {
          success 10000 300 6