From 88756850d1a5cb28b897bdcc9337fcb6977aad0b Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Sun, 31 Mar 2019 19:45:52 +0200
Subject: space_server: named: use named instead of unbound

This reverts commit 3b795796bd03488a385f3ad42b10b8c0d61282c1,
"space_server: unbound: use unbound instad of bind".

Unlike unbound, bind supports synthesizing DNS64 answers
only for certain clients, so only requests from the Labitat NAT64
network will get DNS64 answers.
---
 roles/space_server/files/named.conf | 103 ++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 roles/space_server/files/named.conf

(limited to 'roles/space_server/files')

diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf
new file mode 100644
index 0000000..81c4969
--- /dev/null
+++ b/roles/space_server/files/named.conf
@@ -0,0 +1,103 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 {
+		127.0.0.1;
+		185.38.175.0;
+	};
+	listen-on-v6 port 53 {
+		::1;
+		2a01:4262:1ab::;
+	};
+	allow-query {
+		127.0.0.1;
+		185.38.175.0/24;
+		10.42.0.0/16;
+		::1;
+		2a01:4262:1ab::/48;
+	};
+	dns64 2a01:4262:1ab:0:0:f::/96 {
+		clients { 2a01:4262:1ab:f::/64; };
+		exclude {
+			2a01:4262:1ab:0:0:f::/96;
+			::ffff:0:0/96;
+		};
+	};
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	secroots-file	"/var/named/data/named.secroots";
+	recursing-file	"/var/named/data/named.recursing";
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+	channel default_debug {
+		syslog daemon;
+		severity dynamic;
+	};
+	channel default {
+		syslog daemon;
+		severity info;
+	};
+	category default {
+		default;
+	};
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "s" IN {
+	type master;
+	file "/etc/named/s.zone";
+	allow-query {
+		127.0.0.1;
+		10.42.0.0/24; # infrastructure
+		10.42.1.0/24; # member wired
+		10.42.2.0/24; # member wireless
+		::1;
+		2a01:4262:1ab:a::/64; # infrastructure
+		2a01:4262:1ab:b::/64; # member wired
+		2a01:4262:1ab:c::/64; # member wireless
+		2a01:4262:1ab:f::/64; # member nat64
+	};
+	allow-transfer {
+		none;
+	};
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
-- 
cgit v1.2.1