From 3b795796bd03488a385f3ad42b10b8c0d61282c1 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Sun, 19 Nov 2017 01:19:10 +0100
Subject: space_server: unbound: use unbound instad of bind
---
 roles/space_server/files/named/named.conf | 81 ---------------
 roles/space_server/files/named/s.zone | 21 ----
 roles/space_server/files/unbound/unbound.conf | 142 ++++++++++++++++++++++++++
 roles/space_server/handlers/main.yml | 4 +-
 roles/space_server/tasks/main.yml | 4 +-
 roles/space_server/tasks/named.yml | 52 ----------
 roles/space_server/tasks/unbound.yml | 36 +++++++
 7 files changed, 182 insertions(+), 158 deletions(-)
 delete mode 100644 roles/space_server/files/named/named.conf
 delete mode 100644 roles/space_server/files/named/s.zone
 create mode 100644 roles/space_server/files/unbound/unbound.conf
 delete mode 100644 roles/space_server/tasks/named.yml
 create mode 100644 roles/space_server/tasks/unbound.yml
diff --git a/roles/space_server/files/named/named.conf b/roles/space_server/files/named/named.conf
deleted file mode 100644
index d9b60d3..0000000
--- a/roles/space_server/files/named/named.conf
+++ /dev/null
@@ -1,81 +0,0 @@ -// -// named.conf -// -// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS -// server as a caching only nameserver (as a localhost DNS resolver only). -// -// See /usr/share/doc/bind*/sample/ for example named configuration files. -// - -options { - listen-on port 53 { - 127.0.0.1; - 185.38.175.0; - }; - listen-on-v6 port 53 { - ::1; - 2a01:4260:1ab::; - }; - #dns64 fde2:52b4:4a19:ffff::/96 { - # clients { fde2:52b4:4a19:5::/64; }; - #}; - directory "/var/named"; - dump-file "/var/named/data/cache_dump.db"; - statistics-file "/var/named/data/named_stats.txt"; - memstatistics-file "/var/named/data/named_mem_stats.txt"; - //allow-query { localhost; }; - - /* - - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - - If you are building a RECURSIVE (caching) DNS server, you need to enable - recursion. - - If your recursive DNS server has a public IP address, you MUST enable access - control to limit queries to your legitimate users. Failing to do so will - cause your server to become part of large scale DNS amplification - attacks. Implementing BCP38 within your network would greatly - reduce such attack surface - */ - recursion yes; - - dnssec-enable yes; - dnssec-validation yes; - - managed-keys-directory "/var/named/dynamic"; - - pid-file "/run/named/named.pid"; - session-keyfile "/run/named/session.key"; - - /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ - include "/etc/crypto-policies/back-ends/bind.config"; -}; - -logging { - channel default_debug { - file "data/named.run"; - severity dynamic; - }; - channel syslog { - syslog; - severity warning; - print-severity yes; - print-category yes; - }; - category default{ - syslog; - }; -}; - -zone "." IN { - type hint; - file "named.ca"; -}; - -zone "s" IN { - type master; - file "/etc/named/s.zone"; - allow-transfer { none; }; -}; - -include "/etc/named.rfc1912.zones"; -include "/etc/named.root.key"; - 
diff --git a/roles/space_server/files/named/s.zone b/roles/space_server/files/named/s.zone
deleted file mode 100644
index 97bd2f7..0000000
--- a/roles/space_server/files/named/s.zone
+++ /dev/null
@@ -1,21 +0,0 @@
-s. 600 IN SOA space.labitat.dk. xnybre.labitat.dk. 2015112001 7200 3600 604800 86400
-s. 600 IN NS space.labitat.dk.
-
-s. 600 IN A 10.42.1.1
-s. 600 IN AAAA 2a01:4260:1ab::
-
-labitrack.s. 600 IN CNAME spacewand.labitat.dk.
-track.s. 600 IN CNAME spacewand.labitat.dk.
-
-doorputer.s. 600 IN A 10.42.0.3
-foodputer.s. 600 IN A 10.42.0.4
-
-lathe.s. 600 IN A 10.42.0.12
-
-anna.s. 600 IN A 10.42.1.9
-infotron.s. 600 IN A 10.42.1.34
-spacemon.s. 600 IN A 10.42.1.35
-jumbotron.s. 600 IN A 10.42.1.36
-sound.s. 600 IN A 10.42.1.80
-
-printbrother.s. 600 IN A 10.42.1.32
diff --git a/roles/space_server/files/unbound/unbound.conf b/roles/space_server/files/unbound/unbound.conf
new file mode 100644
index 0000000..1679aea
--- /dev/null
+++ b/roles/space_server/files/unbound/unbound.conf
@@ -0,0 +1,142 @@
+server:
+ pidfile: "/run/unbound/unbound.pid"
+ verbosity: 1
+ statistics-interval: 0
+ statistics-cumulative: no
+ extended-statistics: yes
+ num-threads: 1
+
+ define-tag: "local"
+
+ interface: 127.0.0.1
+ interface: ::1
+ interface: 185.38.175.0
+ interface: 2a01:4260:1ab::
+
+ outgoing-interface: 185.38.175.0
+ outgoing-interface: 2a01:4260:1ab::
+ outgoing-port-permit: 32768-60999
+ outgoing-port-avoid: 0-32767
+
+ so-reuseport: yes
+ ip-transparent: yes
+ max-udp-size: 3072
+
+ access-control-tag: 127.0.0.1/32 "local"
+ access-control-tag: ::1/128 "local"
+
+ access-control: 185.38.175.0/24 allow
+ access-control: 10.42.0.0/16 allow
+ access-control-tag: 10.42.0.0/24 "local"
+ access-control-tag: 10.42.1.0/24 "local"
+ access-control-tag: 10.42.2.0/24 "local"
+ # not free wifi 10.42.3.0/24
+ access-control-tag: 10.42.4.0/24 "local"
+ access-control-tag: 10.42.5.0/24 "local"
+ access-control: 2a01:4260:1ab::/48 allow
+ access-control-tag: 2a01:4260:1ab:a::/64 "local"
+ access-control-tag: 2a01:4260:1ab:b::/64 "local"
+ access-control-tag: 2a01:4260:1ab:c::/64 "local"
+ # not free wifi 2a01:4260:1ab:d::/64
+ access-control-tag: 2a01:4260:1ab:e::/64 "local"
+ access-control-tag: 2a01:4260:1ab:f::/64 "local"
+
+ chroot: ""
+ username: "unbound"
+ directory: "/etc/unbound"
+
+ use-syslog: yes
+ log-time-ascii: yes
+
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ harden-below-nxdomain: yes
+ harden-referral-path: yes
+ qname-minimisation: yes
+
+ prefetch: yes
+ prefetch-key: yes
+ rrset-roundrobin: yes
+ minimal-responses: yes
+
+ module-config: "validator iterator"
+
+ trust-anchor-signaling: yes
+
+ trusted-keys-file: /etc/unbound/keys.d/*.key
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ val-clean-additional: yes
+ val-permissive-mode: no
+ serve-expired: yes
+ val-log-level: 1
+
+ local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. 
nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+ local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+ local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+ local-zone: s. static
+ local-zone-tag: s. "local"
+ local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
+ local-data: "s. IN NS space.labitat.dk."
+ local-data: "s. IN A 10.42.1.1"
+ local-data: "s. IN AAAA 2a01:4260:1ab::"
+ local-data: "labitrack.s. IN A 185.38.175.70"
+ local-data: "labitrack.s. IN AAAA 2a01:4260:1ab::cafe"
+ local-data: "track.s. IN A 185.38.175.70"
+ local-data: "track.s. IN AAAA 2a01:4260:1ab::cafe"
+ local-data: "ap.s. 
IN A 10.42.0.2"
+ local-data-ptr: "10.42.0.2 ap.s."
+ local-data: "doorputer.s. IN A 10.42.0.3"
+ local-data-ptr: "10.42.0.3 doorputer.s."
+ local-data: "foodputer.s. IN A 10.42.0.4"
+ local-data-ptr: "10.42.0.4 foodputer.s."
+ local-data: "ap1.s. IN A 10.42.0.5"
+ local-data-ptr: "10.42.0.5 ap1.s."
+ local-data: "ap2.s. IN A 10.42.0.6"
+ local-data-ptr: "10.42.0.6 ap2.s."
+ local-data: "switch.s. IN A 10.42.0.9"
+ local-data-ptr: "10.42.0.9 switch.s."
+ local-data: "lathe.s. IN A 10.42.0.12"
+ local-data-ptr: "10.42.0.12 lathe.s."
+ local-data: "anna.s. IN A 10.42.1.9"
+ local-data-ptr: "10.42.1.9 anna.s."
+ local-data: "printbrother.s. IN A 10.42.1.32"
+ local-data-ptr: "10.42.1.32 printbrother.s."
+ local-data: "infotron.s. IN A 10.42.1.34"
+ local-data-ptr: "10.42.1.34 infotron.s."
+ local-data: "spacemon.s. IN A 10.42.1.35"
+ local-data-ptr: "10.42.1.35 spacemon.s."
+ local-data: "jumbotron.s. IN A 10.42.1.36"
+ local-data-ptr: "10.42.1.36 jumbotron.s."
+ local-data: "hplaserjet.s. IN A 10.42.1.37"
+ local-data-ptr: "10.42.1.37 hplaserjet.s."
+ local-data: "labisound.s. IN A 10.42.1.40"
+ local-data-ptr: "10.42.1.40 labisound.s."
+ local-data: "sound.s. IN A 10.42.1.80"
+ local-data-ptr: "10.42.1.80 sound.s."
+
+remote-control:
+ control-enable: yes
+ control-use-cert: no
+ control-interface: "/run/unbound/control"
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 70e0b85..e8943d3 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -57,9 +57,9 @@ daemon_reload: yes when: "'container' not in ansible_env" -- name: restart named +- name: restart unbound systemd: - name: named.service + name: unbound.service state: restarted when: "'container' not in ansible_env"
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index 6893cbb..bd65b52 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
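Review bot: `outgoing-port-permit: 32768-60999` together with `outgoing-port-avoid: 0-32767` confines the resolver's query source ports to roughly 28k values, well under half of Unbound's default pool, and that port randomisation is the main protection unsigned zones have against spoofed replies, since DNSSEC validation only covers signed names. If the narrow range is there to fit a firewall or conntrack rule, record it next to the two lines, e.g. `# matches the firewall's ephemeral range; this lowers source-port entropy, keep it as wide as the rule allows`, otherwise drop them and let Unbound use the default range. `serve-expired: yes` is set with no bound, so a cached record can keep being answered after its TTL for as long as it stays in cache; if the installed Unbound supports it, `serve-expired-ttl: 86400` caps that window. The `access-control: ... allow` lines grant recursion to the whole of 185.38.175.0/24 and 2a01:4260:1ab::/48 and everything else relies on the default refuse, which a one-line comment above that block should say so the next reader can confirm this is not an open resolver without re-deriving it.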
@@ -35,8 +35,8 @@ - import_tasks: radius.yml tags: radius when: radius_passwords is defined -- import_tasks: named.yml - tags: named +- import_tasks: unbound.yml + tags: unbound - import_tasks: avahi.yml tags: avahi
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
deleted file mode 100644
index d295058..0000000
--- a/roles/space_server/tasks/named.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-- name: Install bind package
- dnf:
- name: bind
- state: latest
- notify:
- - restart named
- tags:
- - packages
-
-- name: Configure named
- copy:
- src: named/named.conf
- dest: '/etc/named.conf'
- mode: 0640
- notify:
- - restart named
-- name: Create s zone
- copy:
- src: named/s.zone
- dest: '/etc/named/s.zone'
- notify:
- - restart named
-
-- name: Create service drop-in directory
- file:
- dest: '/etc/systemd/system/named.service.d'
- state: directory
-- name: Start named after networks are configured
- copy:
- src: wait-online.conf
- dest: '/etc/systemd/system/named.service.d/wait-online.conf'
-
-- name: Enable named service
- systemd:
- name: named.service
- enabled: yes
- masked: no
- state: started
- when: "'container' not in ansible_env"
-- name: '- when in nspawn'
- command: systemctl enable named.service
- args:
- creates: '/etc/systemd/system/multi-user.target.wants/named.service'
- when: "'container' in ansible_env"
-
-- name: Use our own resolver
- copy:
- dest: /etc/resolv.conf
- content: "nameserver 127.0.0.1\nnameserver ::1\n"
-
-# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml
new file mode 100644
index 0000000..42db916
--- /dev/null
+++ b/roles/space_server/tasks/unbound.yml
@@ -0,0 +1,36 @@
+---
+- name: Install unbound package
+ dnf:
+ name: unbound
+ state: latest
+ notify:
+ - restart unbound
+ tags:
+ - packages
+
+- name: Configure unbound
+ copy:
+ src: unbound/unbound.conf
+ dest: '/etc/unbound/unbound.conf'
+ notify:
+ - restart unbound
+
+- name: Enable unbound service
+ systemd:
+ name: unbound.service
+ enabled: yes
+ masked: no
+ state: started
+ when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+ command: systemctl enable unbound.service
+ args:
+ creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'
+ when: "'container' in ansible_env"
+
+- name: Use our own resolver
+ copy:
+ dest: /etc/resolv.conf
+ content: "nameserver 127.0.0.1\nnameserver ::1\n"
+
+# vim: set ts=2 sw=2 et ft=yaml:
-- 
cgit v1.2.1
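Review bot: The `Configure unbound` copy task installs `/etc/unbound/unbound.conf` without checking it, so a syntax error only surfaces when the `restart unbound` handler fails, at which point `/etc/resolv.conf` already points at 127.0.0.1 and the host is left without a working resolver; adding `validate: 'unbound-checkconf %s'` to that copy task rejects a broken file before it replaces the old one. The task also drops the `mode: 0640` the removed named.conf task set, so the file takes whatever the default umask gives; nothing secret is in it, but an explicit mode keeps the role deterministic across hosts. The `wait-online.conf` drop-in that the removed named.yml installed is not carried over, presumably because `ip-transparent: yes` in unbound.conf lets the daemon bind 185.38.175.0 before the address is configured — worth confirming, and a short comment on the install task saying so would spare the next reader the search. Nothing here provisions `/var/lib/unbound/root.key` or the `/etc/unbound/keys.d/*.key` files that unbound.conf references; if the package does not ship them, validation fails at first start.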