From e412395aded75c5447738030bc9b869723b5de92 Mon Sep 17 00:00:00 2001
From: nessi
Date: Thu, 19 Mar 2026 22:30:19 +0100
Subject: [PATCH] feat: add bind directive to CoreDNS configuration for explicit listen address control

Extract NEXAVPN_VPN_DNS_ADDR environment variable to listenAddr with empty string validation and :53 fallback. Add bind directive to Corefile template using listenAddr variable. Keep zone definition as .:53 for all-domain matching while controlling bind address separately.
---
 deploy/vpn-dns/main.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/deploy/vpn-dns/main.go b/deploy/vpn-dns/main.go
index 69010a7..d9e02de 100644
--- a/deploy/vpn-dns/main.go
+++ b/deploy/vpn-dns/main.go
@@ -69,8 +69,13 @@ func writeCorefile() error {
 return errors.New("no upstream dns servers configured")
 }
- corefile := fmt.Sprintf(`%s {
+ listenAddr := strings.TrimSpace(envOrDefault("NEXAVPN_VPN_DNS_ADDR", ":53"))
+ if listenAddr == "" {
+ listenAddr = ":53"
+ }
+ corefile := fmt.Sprintf(`.:53 {
 errors
+ bind %s
 hosts ` + overridesPath + ` {
 ttl 30
 reload 15s
@@ -79,7 +84,7 @@ func writeCorefile() error {
 forward . %s
 cache 30
 }
-`, envOrDefault("NEXAVPN_VPN_DNS_ADDR", ":53"), strings.Join(upstreams, " "))
+`, listenAddr, strings.Join(upstreams, " "))
 return os.WriteFile(corefilePath, []byte(corefile), 0o644)
 }
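Review bot: The new `bind %s` line in the first hunk receives the whole `NEXAVPN_VPN_DNS_ADDR` value, and with the default that renders `bind :53`, which CoreDNS's bind plugin should reject because, as far as I know, it accepts only IP addresses or interface names and no port. The value is also trimmed only at its ends, so an embedded newline or extra token would be written into the Corefile as further directives. Splitting the value into host and port, validating each, and emitting `bind` only when a host is given addresses both. A malformed value should return an error rather than silently widen the listener to every interface, since the point of the change is to keep the forwarder on the intended address. The sketch assumes `net` and `strconv` are (or can be) imported in main.go, also touches the format arguments changed in the second hunk, and writeCorefile itself starts above the first hunk.

```go
	listenAddr := strings.TrimSpace(envOrDefault("NEXAVPN_VPN_DNS_ADDR", ":53"))
	if listenAddr == "" {
		listenAddr = ":53"
	}
	host, port, err := net.SplitHostPort(listenAddr)
	if err != nil {
		return fmt.Errorf("parsing NEXAVPN_VPN_DNS_ADDR %q: %w", listenAddr, err)
	}
	if _, err := strconv.ParseUint(port, 10, 16); err != nil {
		return fmt.Errorf("NEXAVPN_VPN_DNS_ADDR port %q: %w", port, err)
	}
	bindLine := "" // no host given: leave CoreDNS on its default of all interfaces
	if host != "" {
		if net.ParseIP(host) == nil {
			return fmt.Errorf("NEXAVPN_VPN_DNS_ADDR host %q is not an IP address", host)
		}
		bindLine = "bind " + host
	}
	// … unchanged: Corefile template, except that its first line becomes `.:%s {`
	//   and the `bind %s` line becomes `%s` …
	// format arguments become: port, bindLine, strings.Join(upstreams, " ")
```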