author | Emil Renner Berthing <esmil@labitat.dk> | 2019-03-31 19:45:52 +0200 |
---|---|---|
committer | Emil Renner Berthing <esmil@labitat.dk> | 2019-04-01 13:07:23 +0200 |
commit | 88756850d1a5cb28b897bdcc9337fcb6977aad0b (patch) | |
tree | ebe21e61ac6e234fa19e2b555c21d1b647556d84 /roles/space_server | |
parent | 48ffd1b69723dc6ddd023d803fc0edd8034ce386 (diff) | |
space_server: named: use named instead of unbound
This reverts commit 3b795796bd03488a385f3ad42b10b8c0d61282c1,
"space_server: unbound: use unbound instad of bind".
Unlike unbound, bind supports synthesizing DNS64 answers
only for certain clients, so only requests from the Labitat NAT64
network will get DNS64 answers.
Diffstat (limited to 'roles/space_server')
-rw-r--r-- | roles/space_server/files/named.conf | 103 | ||||
-rw-r--r-- | roles/space_server/handlers/main.yml | 4 | ||||
-rw-r--r-- | roles/space_server/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/space_server/tasks/named.yml | 55 | ||||
-rw-r--r-- | roles/space_server/tasks/unbound.yml | 41 | ||||
-rw-r--r-- | roles/space_server/templates/s.zone.j2 | 21 | ||||
-rw-r--r-- | roles/space_server/templates/unbound.conf.j2 | 128 | ||||
-rw-r--r-- | roles/space_server/vars/main.yml | 3 |
8 files changed, 184 insertions, 175 deletions
diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf
new file mode 100644
index 0000000..81c4969
--- /dev/null
+++ b/roles/space_server/files/named.conf
@@ -0,0 +1,103 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 {
+ 127.0.0.1;
+ 185.38.175.0;
+ };
+ listen-on-v6 port 53 {
+ ::1;
+ 2a01:4262:1ab::;
+ };
+ allow-query {
+ 127.0.0.1;
+ 185.38.175.0/24;
+ 10.42.0.0/16;
+ ::1;
+ 2a01:4262:1ab::/48;
+ };
+ dns64 2a01:4262:1ab:0:0:f::/96 {
+ clients { 2a01:4262:1ab:f::/64; };
+ exclude {
+ 2a01:4262:1ab:0:0:f::/96;
+ ::ffff:0:0/96;
+ };
+ };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ syslog daemon;
+ severity dynamic;
+ };
+ channel default {
+ syslog daemon;
+ severity info;
+ };
+ category default {
+ default;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "s" IN {
+ type master;
+ file "/etc/named/s.zone";
+ allow-query {
+ 127.0.0.1;
+ 10.42.0.0/24; # infrastructure
+ 10.42.1.0/24; # member wired
+ 10.42.2.0/24; # member wireless
+ ::1;
+ 2a01:4262:1ab:a::/64; # infrastructure
+ 2a01:4262:1ab:b::/64; # member wired
+ 2a01:4262:1ab:c::/64; # member wireless
+ 2a01:4262:1ab:f::/64; # member nat64
+ };
+ allow-transfer {
+ none;
+ };
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 09e0d1d..3a92a46 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -45,9 +45,9 @@
 daemon_reload: yes
 when: not chroot
-- name: restart unbound
+- name: restart named
 systemd:
- name: unbound.service
+ name: named.service
 state: restarted
 when: not chroot
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index bfa3bc6..374a8b6 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -28,8 +28,8 @@
 - import_tasks: radius.yml
 tags: radius
 when: radius_passwords is defined
-- import_tasks: unbound.yml
- tags: unbound
+- import_tasks: named.yml
+ tags: named
 - import_tasks: tayga.yml
 tags: tayga
 - import_tasks: avahi.yml
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
new file mode 100644
index 0000000..143e8f0
--- /dev/null
+++ b/roles/space_server/tasks/named.yml
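Review bot: The `allow-query` ACL on zone "s" leaves out 10.42.4.0/24, 10.42.5.0/24 and 2a01:4262:1ab:e::/64, which the removed unbound.conf.j2 tagged "local" and so served the s zone to; clients there will now get REFUSED for s. names while the options-level ACL still grants them recursion. If that narrowing is intended, a comment on the ACL such as `# 10.42.4.0/24, 10.42.5.0/24 and :e::/64 deliberately not served` would stop the next reader from re-adding them; otherwise add the three entries with the same inline labels as the others. The static ip6.arpa zones and the `local-data-ptr` entries from the unbound config have no counterpart here, so reverse lookups for those prefixes will now be sent to the upstream resolvers rather than answered locally. The header comment still describes this file as a caching-only localhost resolver, which no longer matches the public listen-on addresses and the authoritative s zone below it.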
@@ -0,0 +1,55 @@
+---
+- name: Configure named
+ copy:
+ dest: '/etc/named.conf'
+ src: named.conf
+ owner: root
+ group: named
+ mode: 0640
+ notify:
+ - restart named
+- name: Create s zone
+ template:
+ dest: '/etc/named/s.zone'
+ src: s.zone.j2
+ owner: root
+ group: named
+ mode: 0644
+ notify:
+ - restart named
+
+- name: Create service drop-in directory
+ file:
+ dest: '/etc/systemd/system/named.service.d'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+- name: Start named after networks are configured
+ copy:
+ dest: '/etc/systemd/system/named.service.d/wait-online.conf'
+ src: wait-online.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable named service
+ systemd:
+ name: named.service
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in nspawn'
+ command: systemctl enable named.service
+ when: chroot
+
+- name: Use our own resolver
+ copy:
+ dest: /etc/resolv.conf
+ content: "nameserver 127.0.0.1\nnameserver ::1\noptions edns0\n"
+ owner: root
+ group: root
+ mode: 0644
+
+# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml
deleted file mode 100644
index 0de4c78..0000000
--- a/roles/space_server/tasks/unbound.yml
+++ /dev/null
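Review bot: The `'- when in nspawn'` task runs `systemctl enable named.service` unconditionally whenever `chroot` is set, so it reports changed on every run and is not idempotent; the removed unbound.yml guarded the same command with `args:` / `creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'`, and the named equivalent, `creates: '/etc/systemd/system/multi-user.target.wants/named.service'`, should be carried over. The drop-in source `wait-online.conf` is referenced by the copy task but is not part of this commit, so it presumably already exists in the role's files directory; if it does not, the play fails at that task. The `options edns0` line added to resolv.conf is new relative to the unbound version and deserves a word in the commit message since it changes stub-resolver behaviour for every local process.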
@@ -1,41 +0,0 @@
----
-- name: Create /etc/resolv.conf
- copy:
- dest: '/etc/resolv.conf'
- src: resolv.conf
- owner: root
- group: root
- mode: 0644
-
-- name: Configure unbound
- template:
- dest: '/etc/unbound/unbound.conf'
- src: unbound.conf.j2
- owner: root
- group: root
- mode: 0644
- notify:
- - restart unbound
-
-- name: Enable unbound service
- systemd:
- name: unbound.service
- enabled: yes
- masked: no
- state: started
- when: not chroot
-- name: '- when in chroot'
- command: systemctl enable unbound.service
- args:
- creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'
- when: chroot
-
-- name: Use our own resolver
- copy:
- dest: '/etc/resolv.conf'
- content: "nameserver 127.0.0.1\nnameserver ::1\n"
- owner: root
- group: root
- mode: 0644
-
-# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/templates/s.zone.j2 b/roles/space_server/templates/s.zone.j2
new file mode 100644
index 0000000..6bf9718
--- /dev/null
+++ b/roles/space_server/templates/s.zone.j2
@@ -0,0 +1,21 @@
+s. 600 IN SOA space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 86400
+s. 600 IN NS space.labitat.dk.
+
+s. 600 IN A 10.42.1.1
+s. 600 IN AAAA 2a01:4260:1ab::
+
+labitrack.s. 600 IN A 185.38.175.70
+labitrack.s. 600 IN AAAA 2a01:4262:1ab::cafe
+track.s. 600 IN A 185.38.175.70
+track.s. 600 IN AAAA 2a01:4262:1ab::cafe
+{% for host in local_hosts %}
+
+{% if 'ips' in host and host.ips|length > 0 %}
+{% for ip in host.ips|ipv4 %}
+{{ host.name }}.s. 600 IN A {{ ip }}
+{% endfor %}
+{% for ip in host.ips|ipv6 %}
+{{ host.name }}.s. 600 IN AAAA {{ ip }}
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/roles/space_server/templates/unbound.conf.j2 b/roles/space_server/templates/unbound.conf.j2
deleted file mode 100644
index 26b7006..0000000
--- a/roles/space_server/templates/unbound.conf.j2
+++ /dev/null
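Review bot: `s. 600 IN AAAA 2a01:4260:1ab::` uses the prefix 2a01:4260 while every other address in this role, including the removed unbound template's `s. IN AAAA 2a01:4262:1ab::`, uses 2a01:4262:1ab::, so this looks like a typo that points the zone apex at an address outside the network the rest of the config describes; it should read `s. 600 IN AAAA 2a01:4262:1ab::`. The template also emits every address in `host.ips`, where the unbound version kept only the first IPv4 and IPv6 per host, and it drops the `local-data-ptr` reverse entries entirely; both are fine if intended but deserve a line in the commit message. The SOA serial is a fixed literal, which only works because the handler restarts named and the zone has `allow-transfer { none; }`; a comment such as `; serial is static: named is restarted on change and there are no secondaries` would keep a later reader from expecting it to be bumped.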
@@ -1,128 +0,0 @@
-server:
- pidfile: "/run/unbound/unbound.pid"
- verbosity: 1
- statistics-interval: 0
- statistics-cumulative: no
- extended-statistics: yes
- num-threads: 1
-
- define-tag: "local"
-
- interface: 127.0.0.1
- interface: ::1
- interface: 185.38.175.0
- interface: 2a01:4262:1ab::
-
- outgoing-interface: 185.38.175.0
- outgoing-interface: 2a01:4262:1ab::
- outgoing-port-permit: 32768-60999
- outgoing-port-avoid: 0-32767
-
- so-reuseport: yes
- ip-transparent: yes
- max-udp-size: 3072
-
- access-control-tag: 127.0.0.1/32 "local"
- access-control-tag: ::1/128 "local"
-
- access-control: 185.38.175.0/24 allow
- access-control: 10.42.0.0/16 allow
- access-control-tag: 10.42.0.0/24 "local"
- access-control-tag: 10.42.1.0/24 "local"
- access-control-tag: 10.42.2.0/24 "local"
- # not free wifi 10.42.3.0/24
- access-control-tag: 10.42.4.0/24 "local"
- access-control-tag: 10.42.5.0/24 "local"
- access-control: 2a01:4262:1ab::/48 allow
- access-control-tag: 2a01:4262:1ab:a::/64 "local"
- access-control-tag: 2a01:4262:1ab:b::/64 "local"
- access-control-tag: 2a01:4262:1ab:c::/64 "local"
- # not free wifi 2a01:4262:1ab:d::/64
- access-control-tag: 2a01:4262:1ab:e::/64 "local"
- access-control-tag: 2a01:4262:1ab:f::/64 "local"
-
- chroot: ""
- username: "unbound"
- directory: "/etc/unbound"
-
- use-syslog: yes
- log-time-ascii: yes
-
- harden-glue: yes
- harden-dnssec-stripped: yes
- harden-below-nxdomain: yes
- harden-referral-path: yes
- qname-minimisation: yes
-
- prefetch: yes
- prefetch-key: yes
- rrset-roundrobin: yes
- minimal-responses: yes
-
- module-config: "dns64 validator iterator"
-
- dns64-prefix: 2a01:4262:1ab:0:0:f::/96
-
- trust-anchor-signaling: yes
-
- trusted-keys-file: /etc/unbound/keys.d/*.key
- auto-trust-anchor-file: "/var/lib/unbound/root.key"
-
- val-clean-additional: yes
- val-permissive-mode: no
- serve-expired: yes
- val-log-level: 1
-
- local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
- local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
- local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
- local-zone: s. static
- local-zone-tag: s. "local"
- local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
- local-data: "s. IN NS space.labitat.dk."
- local-data: "s. IN A 10.42.1.1"
- local-data: "s. IN AAAA 2a01:4262:1ab::"
- local-data: "labitrack.s. IN A 185.38.175.70"
- local-data: "labitrack.s. IN AAAA 2a01:4262:1ab::cafe"
- local-data: "track.s. IN A 185.38.175.70"
- local-data: "track.s. IN AAAA 2a01:4262:1ab::cafe"
-{% for host in local_hosts %}
-{% for ip in host.ips | ipv4 %}
-{% if loop.index <= 1 %}
- local-data: "{{ host.name }}.s. IN A {{ ip }}"
- local-data-ptr: "{{ ip }} {{ host.name }}.s."
-{% endif %}
-{% endfor %}
-{% for ip in host.ips | ipv6 %}
-{% if loop.index <= 1 %}
- local-data: "{{ host.name }}.s. IN AAAA {{ ip }}"
- local-data-ptr: "{{ ip }} {{ host.name }}.s."
-{% endif %}
-{% endfor %}
-{% endfor %}
-
-remote-control:
- control-enable: yes
- control-use-cert: no
- control-interface: "/run/unbound/control"
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 40f4251..1914374 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -36,8 +36,7 @@ dnf_packages:
 'freeradius-python': present # pulls in radiusd
 'curl': present
 'diffutils': present
- 'policycoreutils': present # needed for unbound-keygen.service
- 'unbound': present
+ 'bind': present
 'tayga': present
 'avahi-tools': present # pulls in avahi package
 'nss-mdns': present