diff options
author | Emil Renner Berthing <esmil@labitat.dk> | 2019-03-31 19:45:52 +0200 |
---|---|---|
committer | Emil Renner Berthing <esmil@labitat.dk> | 2019-04-01 13:07:23 +0200 |
commit | 88756850d1a5cb28b897bdcc9337fcb6977aad0b (patch) | |
tree | ebe21e61ac6e234fa19e2b555c21d1b647556d84 /roles/space_server/files | |
parent | 48ffd1b69723dc6ddd023d803fc0edd8034ce386 (diff) | |
download | labitat-ansible-88756850d1a5cb28b897bdcc9337fcb6977aad0b.tar.gz labitat-ansible-88756850d1a5cb28b897bdcc9337fcb6977aad0b.tar.xz labitat-ansible-88756850d1a5cb28b897bdcc9337fcb6977aad0b.zip |
space_server: named: use named instead of unbound
This reverts commit 3b795796bd03488a385f3ad42b10b8c0d61282c1,
"space_server: unbound: use unbound instad of bind".
Unlike unbound, bind supports synthesizing DNS64 answers
only for certain clients, so only requests from the Labitat NAT64
network will get DNS64 answers.
Diffstat (limited to 'roles/space_server/files')
-rw-r--r-- | roles/space_server/files/named.conf | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf new file mode 100644 index 0000000..81c4969 --- /dev/null +++ b/roles/space_server/files/named.conf @@ -0,0 +1,103 @@ +// +// named.conf +// +// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS +// server as a caching only nameserver (as a localhost DNS resolver only). +// +// See /usr/share/doc/bind*/sample/ for example named configuration files. +// + +options { + listen-on port 53 { + 127.0.0.1; + 185.38.175.0; + }; + listen-on-v6 port 53 { + ::1; + 2a01:4262:1ab::; + }; + allow-query { + 127.0.0.1; + 185.38.175.0/24; + 10.42.0.0/16; + ::1; + 2a01:4262:1ab::/48; + }; + dns64 2a01:4262:1ab:0:0:f::/96 { + clients { 2a01:4262:1ab:f::/64; }; + exclude { + 2a01:4262:1ab:0:0:f::/96; + ::ffff:0:0/96; + }; + }; + directory "/var/named"; + dump-file "/var/named/data/cache_dump.db"; + statistics-file "/var/named/data/named_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; + secroots-file "/var/named/data/named.secroots"; + recursing-file "/var/named/data/named.recursing"; + + /* + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + + dnssec-enable yes; + dnssec-validation yes; + + managed-keys-directory "/var/named/dynamic"; + + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; + + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging { + channel default_debug { + syslog daemon; + severity dynamic; + }; + channel default { + syslog daemon; + severity info; + }; + category default { + default; + }; +}; + +zone "." IN { + type hint; + file "named.ca"; +}; + +zone "s" IN { + type master; + file "/etc/named/s.zone"; + allow-query { + 127.0.0.1; + 10.42.0.0/24; # infrastructure + 10.42.1.0/24; # member wired + 10.42.2.0/24; # member wireless + ::1; + 2a01:4262:1ab:a::/64; # infrastructure + 2a01:4262:1ab:b::/64; # member wired + 2a01:4262:1ab:c::/64; # member wireless + 2a01:4262:1ab:f::/64; # member nat64 + }; + allow-transfer { + none; + }; +}; + +include "/etc/named.rfc1912.zones"; +include "/etc/named.root.key"; |