!tCyGickeVqkHsYjWnh:nixos.org

NixOS Networking

900 Members
Declaratively manage your switching, routing, wireless, tunneling and more.262 Servers

Load older messages

SenderMessageTime
12 Sep 2025
@magic_rb:matrix.redalder.orgmagic_rb You can enable mDNS in systemd-resolved and then nginx should use that. 13:37:49
@jassu:kumma.juttu.asiaJassukoI have that kind of setup somewhere. There's some shitty behaviors with the systemd-resolved mdns implementation relating to IPv6, but I don't remember what exactly was the pain point with that. It was something they specifically defined to do wrong and not care about, if I remember correctly.13:40:36
@jassu:kumma.juttu.asiaJassuko

I had this on one laptop where I absolutely needed to use network damager for managing WiFi due to reasons. Thus, the rather weird config on that.

   # Enable Network Manager for WiFi networking
   networking.networkmanager = {
     enable = true;
     connectionConfig."connection.mdns" = 2;
     dns = "systemd-resolved";
     # firewallBackend = "nftables"; ## Deprecated
   };
   networking.resolvconf.dnsSingleRequest = true;
   services.resolved = {
     enable = true;
     llmnr = "false";
     fallbackDns = [
 #      "8.8.8.8"
 #      "2001:4860:4860::8888"
       "1.1.1.1#cloudflare-dns.com"
       "1.0.0.1#cloudflare-dns.com"
       "2606:4700:4700::1111#cloudflare-dns.com"
       "2606:4700:4700::1001#cloudflare-dns.com"
     ];
     extraConfig = ''
         MulticastDNS=yes
         Cache=no-negative
       DNSOverTLS=opportunistic
       DNSStubListenerExtra=::53
     '';
   };
13:44:51
@jassu:kumma.juttu.asiaJassuko

Firewall needs to be handled as well, like:

   # Open ports in the firewall.
   networking.nftables.enable = config.networking.firewall.enable || false ;
   networking.firewall = {
     enable = false;
     allowedTCPPorts = [
       "22"
     ];
     allowedUDPPorts = [
       ""
     ];
     extraInputRules = ''
       ip6 daddr ff02::fb/128 udp sport 5353 dport 5353 accept
       ip daddr 224.0.0.251 udp sport 5353 dport 5353 accept
     '';
   };
13:45:31
@jassu:kumma.juttu.asiaJassukoso systemd-networkd is used to manage all other network things except WiFi, and systemd-resolved is used for all DNS lookups13:47:47
@toonn:matrix.orgtoonn Oh, you know what, I think I remember what the problem with systemd-resolved is in my case. It doesn't allow for subdomains of .local! 13:51:57
@k900:0upti.meK900That's out of spec13:52:15
@jassu:kumma.juttu.asiaJassuko

/etc/nsswitch.conf might or might not need adjusting as well for the hosts: -line. Namely, the resolve needs to be there correctly at the correct place depending on your other setup:

hosts:     mymachines resolve [!UNAVAIL=return] files myhostname dns
13:52:23
@toonn:matrix.orgtoonn Yep, and working well for me : ) 13:52:26
@toonn:matrix.orgtoonn I really don't see a good reason for it to be out of spec, it's just an arbitrary decision AFAICT. 13:53:07
@jassu:kumma.juttu.asiaJassukoAhh. Well, that is a use case I have not had. :D13:53:13
@magic_rb:matrix.redalder.orgmagic_rb Does the spec restrict valid TLDs? .local is very very common 13:57:29
@toonn:matrix.orgtoonn I think the spec requires .local actually. 13:57:51
@k900:0upti.meK900No, but the mDNS spec does not allow multiple parts in the domain name13:58:17
@k900:0upti.meK900It does require .local13:58:36
@k900:0upti.meK900But foo.bar.local is not allow13:58:42
@k900:0upti.meK900* But foo.bar.local is not allowed13:58:45
@k900:0upti.meK900Only foo.local13:58:48
@magic_rb:matrix.redalder.orgmagic_rbOh, so no subdomains13:59:14
@magic_rb:matrix.redalder.orgmagic_rbWeird13:59:16
@toonn:matrix.orgtoonn I assume it's because some printer's implementation somewhere splits on the first `.` and then proceeds to freak out. 13:59:56
@k900:0upti.meK900No, it's because14:01:21
@jassu:kumma.juttu.asiaJassukoNot weird, really. The .local thingy is intended for host discovery on local network by name. And the hostname is by definition the last part of the fqdn. :p 14:01:24
@k900:0upti.meK900 


   Most computer users neglect to type the trailing dot at the end of a
   fully qualified domain name, making it a relative domain name (e.g.,
   "www.example.com").  In the event of network outage, attempts to
   positively resolve the name as entered will fail, resulting in
   application of the search list, including ".local.", if present.  A
   malicious host could masquerade as "www.example.com." by answering
   the resulting Multicast DNS query for "www.example.com.local.".  To
   avoid this, a host MUST NOT append the search suffix ".local.", if
   present, to any relative (partially qualified) host name containing
   two or more labels.  Appending ".local." to single-label relative
   host names is acceptable, since the user should have no expectation
   that a single-label host name will resolve as is.  However, users who
   have both "example.com" and "local" in their search lists should be
   aware that if they type "www" into their web browser, it may not be
   immediately clear to them whether the page that appears is
   "www.example.com" or "www.local".
14:01:26
@magic_rb:matrix.redalder.orgmagic_rbAaaah DNS is cursef14:03:19
@k900:0upti.meK900Technically not really an issue anymore in many ways because browsers ship the public suffix list14:03:41
@k900:0upti.meK900And can consult it and avoid this kind of nonsense14:03:47
@k900:0upti.meK900But it was a concern at the time of writing the RFC and it was never updated since14:04:01
@jassu:kumma.juttu.asiaJassukoPublic Suffix List is problematic as well. :D14:04:39
@k900:0upti.meK900In other ways, yes14:05:02

Show newer messages

Back to Room ListRoom Version: 6