From 806bfb26907e9bb3d41f0c9225800a7f8c77683a Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing
Date: Tue, 2 Apr 2019 20:23:52 +0200
Subject: space_server: named: support dynamic updates
..of the dhcp zone and reverse dns for 10.42.0.0/16
This way the dhcp daemon can add entries when it handles out leases.
---
 roles/space_server/files/named.conf | 110 ------------------------
 roles/space_server/tasks/named.yml | 35 ++++++--
 roles/space_server/templates/dhcp.zone.j2 | 2 +
 roles/space_server/templates/named.conf.j2 | 133 +++++++++++++++++++++++++++++
 4 files changed, 162 insertions(+), 118 deletions(-)
 delete mode 100644 roles/space_server/files/named.conf
 create mode 100644 roles/space_server/templates/dhcp.zone.j2
 create mode 100644 roles/space_server/templates/named.conf.j2
diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf
deleted file mode 100644
index 0659a3b..0000000
--- a/roles/space_server/files/named.conf
+++ /dev/null
@@ -1,110 +0,0 @@
-//
-// named.conf
-//
-// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
-// server as a caching only nameserver (as a localhost DNS resolver only).
-//
-// See /usr/share/doc/bind*/sample/ for example named configuration files.
-//
-
-options {
- listen-on port 53 {
- 127.0.0.1;
- 185.38.175.0;
- };
- listen-on-v6 port 53 {
- ::1;
- 2a01:4262:1ab::;
- };
- allow-query {
- 127.0.0.1;
- 185.38.175.0/24;
- 10.42.0.0/16;
- ::1;
- 2a01:4262:1ab::/48;
- };
- dns64 2a01:4262:1ab:0:0:f::/96 {
- clients { 2a01:4262:1ab:f::/64; };
- exclude {
- 2a01:4262:1ab:0:0:f::/96;
- ::ffff:0:0/96;
- };
- };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- secroots-file "/var/named/data/named.secroots";
- recursing-file "/var/named/data/named.recursing";
-
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
- recursion yes;
-
- dnssec-enable yes;
- dnssec-validation yes;
-
- managed-keys-directory "/var/named/dynamic";
-
- pid-file "/run/named/named.pid";
- session-keyfile "/run/named/session.key";
-
- /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
- include "/etc/crypto-policies/back-ends/bind.config";
-};
-
-logging {
- channel default_debug {
- syslog daemon;
- severity dynamic;
- };
- channel default {
- syslog daemon;
- severity info;
- };
- category default {
- default;
- };
-};
-
-acl local {
- 127.0.0.1;
- 10.42.0.0/24; // infrastructure
- 10.42.1.0/24; // member wired
- 10.42.2.0/24; // member wireless
- ::1;
- 2a01:4262:1ab:a::/64; // infrastructure
- 2a01:4262:1ab:b::/64; // member wired
- 2a01:4262:1ab:c::/64; // member wireless
- 2a01:4262:1ab:f::/64; // member nat64
-};
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-zone "s" IN {
- type master;
- file "/etc/named/s.zone";
- allow-query { local; };
- allow-transfer { none; };
-};
-
-zone "42.10.in-addr.arpa" IN {
- type master;
- file "/etc/named/ipv4.rev.zone";
- allow-query { local; };
- allow-transfer { none; };
-};
-
-include "/etc/named.rfc1912.zones";
-include "/etc/named.root.key";
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
index 243bf3e..519b5d4 100644
--- a/roles/space_server/tasks/named.yml
+++ b/roles/space_server/tasks/named.yml
@@ -1,21 +1,40 @@
 ---
-- name: Create local zones
+- name: Create s zone
 template:
- dest: '/etc/named/{{ item }}'
- src: '{{ item }}.j2'
+ dest: '/etc/named/s.zone'
+ src: s.zone.j2
 owner: root
 group: named
 mode: 0644
- with_items:
- - 's.zone'
- - 'ipv4.rev.zone'
+ notify:
+ - restart named
+
+- name: Create dhcp zone
+ template:
+ dest: '/var/named/dynamic/dhcp.zone'
+ src: dhcp.zone.j2
+ owner: named
+ group: named
+ mode: 0644
+ force: no
+ notify:
+ - restart named
+
+- name: Create ipv4 reverse dns zone
+ template:
+ dest: '/var/named/dynamic/ipv4.rev.zone'
+ src: ipv4.rev.zone.j2
+ owner: named
+ group: named
+ mode: 0644
+ force: no
 notify:
 - restart named
 
 - name: Configure named
- copy:
+ template:
 dest: '/etc/named.conf'
- src: named.conf
+ src: named.conf.j2
 owner: root
 group: named
 mode: 0640
diff --git a/roles/space_server/templates/dhcp.zone.j2 b/roles/space_server/templates/dhcp.zone.j2
new file mode 100644
index 0000000..e6b2b40
--- /dev/null
+++ b/roles/space_server/templates/dhcp.zone.j2
@@ -0,0 +1,2 @@
+dhcp. 600 IN SOA space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 86400
+dhcp. 600 IN NS space.labitat.dk.
diff --git a/roles/space_server/templates/named.conf.j2 b/roles/space_server/templates/named.conf.j2
new file mode 100644
index 0000000..0314545
--- /dev/null
+++ b/roles/space_server/templates/named.conf.j2
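Review bot: The `Configure named` task now renders `ddns_secret.key` into /etc/named.conf via `template:`, so a run with `--diff` or verbose output will print the update key in the Ansible log and in any CI job that captures it; `no_log: true` on that task (or templating the `key` statement into a separate, included file so the main config can still be diffed) keeps it out of the log. `force: no` on the two new dynamic-zone tasks is the right choice for files that named rewrites, but it also means later edits to dhcp.zone.j2 or ipv4.rev.zone.j2 never reach a host that already has the file, and the old /etc/named/ipv4.rev.zone is left behind rather than removed; a comment on those tasks such as `# force: no — named owns this file after first creation; template changes are not re-applied` would save the next maintainer a surprise. The tasks also assume /var/named/dynamic already exists and is writable by `named` for the zone journals, which holds for the distribution's bind package but is not ensured here.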
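Review bot: The SOA minimum field `86400` on the first line gives a one-day negative-caching TTL to a zone whose names appear and disappear with DHCP leases, so a resolver that looked a host up shortly before its lease was registered may keep the NXDOMAIN for up to a day. A value in line with the 600 s record TTL, `dhcp. 600 IN SOA space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 600`, suits a dynamic zone better. The serial is only a starting value, since named maintains it once dynamic updates begin, which is worth a comment in the template so nobody bumps it by hand.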
@@ -0,0 +1,133 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 {
+ 127.0.0.1;
+ 185.38.175.0;
+ };
+ listen-on-v6 port 53 {
+ ::1;
+ 2a01:4262:1ab::;
+ };
+ allow-query {
+ 127.0.0.1;
+ 185.38.175.0/24;
+ 10.42.0.0/16;
+ ::1;
+ 2a01:4262:1ab::/48;
+ };
+ dns64 2a01:4262:1ab:0:0:f::/96 {
+ clients { 2a01:4262:1ab:f::/64; };
+ exclude {
+ 2a01:4262:1ab:0:0:f::/96;
+ ::ffff:0:0/96;
+ };
+ };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ syslog daemon;
+ severity dynamic;
+ };
+ channel default {
+ syslog daemon;
+ severity info;
+ };
+ category default {
+ default;
+ };
+};
+
+acl local {
+ 127.0.0.1;
+ 10.42.0.0/24; // infrastructure
+ 10.42.1.0/24; // member wired
+ 10.42.2.0/24; // member wireless
+ ::1;
+ 2a01:4262:1ab:a::/64; // infrastructure
+ 2a01:4262:1ab:b::/64; // member wired
+ 2a01:4262:1ab:c::/64; // member wireless
+ 2a01:4262:1ab:f::/64; // member nat64
+};
+{% if ddns_secret is defined %}
+
+key dhcpupdate {
+ algorithm {{ ddns_secret.algorithm }};
+ secret "{{ ddns_secret.key }}";
+};
+{% endif %}
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "s" IN {
+ type master;
+ file "/etc/named/s.zone";
+ allow-query { local; };
+ allow-update { none; };
+ allow-transfer { none; };
+};
+{% if ddns_secret is defined %}
+
+zone "dhcp" IN {
+ type master;
+ file "dynamic/dhcp.zone";
+ allow-query { local; };
+ allow-update { key dhcpupdate; };
+ allow-transfer { none; };
+ notify no;
+};
+{% endif %}
+
+zone "42.10.in-addr.arpa" IN {
+ type master;
+ file "dynamic/ipv4.rev.zone";
+ allow-query { local; };
+{% if ddns_secret is defined %}
+ allow-update { key dhcpupdate; };
+{% endif %}
+ allow-transfer { none; };
+ notify no;
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
--
cgit v1.2.1
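Review bot: `allow-update { key dhcpupdate; };` in the `dhcp` zone and again in `42.10.in-addr.arpa` lets whoever holds the DHCP key rewrite any record in either zone, including the SOA and NS and the PTRs for the 10.42.0.0/24 infrastructure range that dhcpd never hands out. BIND's `update-policy` is the finer-grained form and is mutually exclusive with `allow-update` in a zone: for the reverse zone `update-policy { grant dhcpupdate zonesub PTR; };` and for the forward zone `update-policy { grant dhcpupdate zonesub A TXT; };` (add DHCID if the DHCP server is configured to write it) limit a leaked `ddns_secret` or a compromised DHCP host to the record types the lease flow actually needs. The explicit `allow-update { none; };` added to zone "s" documents intent nicely; the reverse zone could carry the same line in the `{% else %}` branch so the two zones read consistently when the key is not defined. Rendering the secret inline means it inherits named.conf's 0640 root:named mode, which is appropriate.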