some dns fix + dnsmasq

shared/commons/nftables.nix

@@ -53,6 +53,18 @@ in
                                 udp dport 51920 accept
                             '' else ""}
 
+                            ${if myName == mapping.dns.master then ''
+                                # DNS Master
+                                iifname mesh tcp dport 53 accept
+                                iifname mesh udp dport 53 accept
+                            '' else ""}
+
+                            ${if lib.elem myName mapping.dns.secondary then ''
+                                # DNS Secondary
+                                tcp dport 53 accept
+                                udp dport 53 accept
+                            '' else ""}
+
                             # Log anything else
                             ip protocol tcp counter log prefix "tcp.in.dropped: "
                             ip protocol udp counter log prefix "udp.in.dropped: "
@@ -65,11 +77,8 @@ in
                             ct state invalid counter drop
 
                             ${if lib.elem myName mapping.bastion.hosts then ''
-                                iifname mgmt oifname mesh* accept
+                                iifname mgmt oifname mesh accept
                             '' else ""}
-
-                            # Allow mesh bounces
-                            iifname mesh* oifname mesh* accept
                         }
                         chain output {
                             type filter hook output priority 0; policy accept;