From c0a18c9c5786c8b51a1196ce2f882996674f5e3c Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 15 Feb 2026 21:51:12 +0000
Subject: [PATCH] [ci skip] Manage CoreDNS Corefile in Terraform and block junk
 NxDomain queries

Add kubernetes_config_map for CoreDNS to the technitium module, with a
template block for cluster.local.viktorbarzin.lan that returns NXDOMAIN
immediately. This prevents ndots:5 search domain expansion from flooding
Technitium with ~66k/day junk queries (e.g.
redis.redis.svc.cluster.local.viktorbarzin.lan).

Also enabled saveCache on Technitium so the DNS cache persists across
pod restarts.
---
 modules/kubernetes/technitium/main.tf | 59 +++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/modules/kubernetes/technitium/main.tf b/modules/kubernetes/technitium/main.tf
index 57b37d5e..804476c4 100644
--- a/modules/kubernetes/technitium/main.tf
+++ b/modules/kubernetes/technitium/main.tf
@@ -18,6 +18,65 @@ module "tls_secret" {
   tls_secret_name = var.tls_secret_name
 }
 
+# CoreDNS Corefile - manages cluster DNS resolution
+# The viktorbarzin.lan block forwards to Technitium via NodePort.
+# The cluster.local.viktorbarzin.lan block short-circuits junk queries caused by
+# ndots:5 search domain expansion (e.g. redis.redis.svc.cluster.local.viktorbarzin.lan)
+# which would otherwise flood Technitium with NxDomain queries.
+resource "kubernetes_config_map" "coredns" {
+  metadata {
+    name      = "coredns"
+    namespace = "kube-system"
+  }
+
+  data = {
+    Corefile = <<-EOF
+      .:53 {
+        #log
+          errors
+          health {
+              lameduck 5s
+          }
+          ready
+          kubernetes cluster.local in-addr.arpa ip6.arpa {
+              pods insecure
+              fallthrough in-addr.arpa ip6.arpa
+              ttl 30
+          }
+          prometheus :9153
+          #forward . 1.1.1.1
+          forward . 10.0.20.1
+          #forward . /etc/resolv.conf
+          cache {
+            success 10000 300 6
+            denial 10000 300 60
+          }
+          loop
+          reload
+          loadbalance
+      }
+      cluster.local.viktorbarzin.lan:53 {
+        errors
+        template ANY ANY {
+          rcode NXDOMAIN
+        }
+        cache {
+          denial 10000 3600
+        }
+      }
+      viktorbarzin.lan:53 {
+        #log
+        errors
+        forward . 10.0.20.101:30053 # Technitium NodePort
+        cache {
+          success 10000 300 6
+          denial 10000 300 60
+        }
+      }
+    EOF
+  }
+}
+
 resource "kubernetes_deployment" "technitium" {
   # resource "kubernetes_daemonset" "technitium" {
   metadata {