From 3b795796bd03488a385f3ad42b10b8c0d61282c1 Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Sun, 19 Nov 2017 01:19:10 +0100
Subject: space_server: unbound: use unbound instad of bind

---
 roles/space_server/files/named/named.conf     |  81 ---------------
 roles/space_server/files/named/s.zone         |  21 ----
 roles/space_server/files/unbound/unbound.conf | 142 ++++++++++++++++++++++++++
 roles/space_server/handlers/main.yml          |   4 +-
 roles/space_server/tasks/main.yml             |   4 +-
 roles/space_server/tasks/named.yml            |  52 ----------
 roles/space_server/tasks/unbound.yml          |  36 +++++++
 7 files changed, 182 insertions(+), 158 deletions(-)
 delete mode 100644 roles/space_server/files/named/named.conf
 delete mode 100644 roles/space_server/files/named/s.zone
 create mode 100644 roles/space_server/files/unbound/unbound.conf
 delete mode 100644 roles/space_server/tasks/named.yml
 create mode 100644 roles/space_server/tasks/unbound.yml


diff --git a/roles/space_server/files/named/named.conf b/roles/space_server/files/named/named.conf
deleted file mode 100644
index d9b60d3..0000000
--- a/roles/space_server/files/named/named.conf
+++ /dev/null
@@ -1,81 +0,0 @@
-//
-// named.conf
-//
-// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
-// server as a caching only nameserver (as a localhost DNS resolver only).
-//
-// See /usr/share/doc/bind*/sample/ for example named configuration files.
-//
-
-options {
-	listen-on port 53 {
-		127.0.0.1;
-		185.38.175.0;
-	};
-	listen-on-v6 port 53 {
-		::1;
-		2a01:4260:1ab::;
-	};
-	#dns64 fde2:52b4:4a19:ffff::/96 {
-	#	clients { fde2:52b4:4a19:5::/64; };
-	#};
-	directory 	"/var/named";
-	dump-file 	"/var/named/data/cache_dump.db";
-	statistics-file "/var/named/data/named_stats.txt";
-	memstatistics-file "/var/named/data/named_mem_stats.txt";
-	//allow-query     { localhost; };
-
-	/* 
-	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
-	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
-	   recursion. 
-	 - If your recursive DNS server has a public IP address, you MUST enable access 
-	   control to limit queries to your legitimate users. Failing to do so will
-	   cause your server to become part of large scale DNS amplification 
-	   attacks. Implementing BCP38 within your network would greatly
-	   reduce such attack surface 
-	*/
-	recursion yes;
-
-	dnssec-enable yes;
-	dnssec-validation yes;
-
-	managed-keys-directory "/var/named/dynamic";
-
-	pid-file "/run/named/named.pid";
-	session-keyfile "/run/named/session.key";
-
-	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
-	include "/etc/crypto-policies/back-ends/bind.config";
-};
-
-logging {
-	channel default_debug {
-		file "data/named.run";
-		severity dynamic;
-	};
-	channel syslog {
-		syslog;
-		severity warning;
-		print-severity yes;
-		print-category yes;
-	};
-	category default{
-		syslog;
-	};
-};
-
-zone "." IN {
-	type hint;
-	file "named.ca";
-};
-
-zone "s" IN {
-	type master;
-	file "/etc/named/s.zone";
-	allow-transfer { none; };
-};
-
-include "/etc/named.rfc1912.zones";
-include "/etc/named.root.key";
-
diff --git a/roles/space_server/files/named/s.zone b/roles/space_server/files/named/s.zone
deleted file mode 100644
index 97bd2f7..0000000
--- a/roles/space_server/files/named/s.zone
+++ /dev/null
@@ -1,21 +0,0 @@
-s.                 600    IN      SOA     space.labitat.dk. xnybre.labitat.dk. 2015112001 7200 3600 604800 86400
-s.                 600    IN      NS      space.labitat.dk.
-
-s.                 600    IN      A       10.42.1.1
-s.                 600    IN      AAAA    2a01:4260:1ab::
-
-labitrack.s.       600    IN      CNAME   spacewand.labitat.dk.
-track.s.           600    IN      CNAME   spacewand.labitat.dk.
-
-doorputer.s.       600    IN      A       10.42.0.3
-foodputer.s.       600    IN      A       10.42.0.4
-
-lathe.s.           600    IN      A       10.42.0.12
-
-anna.s.            600    IN      A       10.42.1.9
-infotron.s.        600    IN      A       10.42.1.34
-spacemon.s.        600    IN      A       10.42.1.35
-jumbotron.s.       600    IN      A       10.42.1.36
-sound.s.           600    IN      A       10.42.1.80
-
-printbrother.s.    600    IN      A       10.42.1.32
diff --git a/roles/space_server/files/unbound/unbound.conf b/roles/space_server/files/unbound/unbound.conf
new file mode 100644
index 0000000..1679aea
--- /dev/null
+++ b/roles/space_server/files/unbound/unbound.conf
@@ -0,0 +1,142 @@
+server:
+	pidfile: "/run/unbound/unbound.pid"
+	verbosity: 1
+	statistics-interval: 0
+	statistics-cumulative: no
+	extended-statistics: yes
+	num-threads: 1
+
+	define-tag: "local"
+
+	interface: 127.0.0.1
+	interface: ::1
+	interface: 185.38.175.0
+	interface: 2a01:4260:1ab::
+
+	outgoing-interface: 185.38.175.0
+	outgoing-interface: 2a01:4260:1ab::
+	outgoing-port-permit: 32768-60999
+	outgoing-port-avoid: 0-32767
+
+	so-reuseport: yes
+	ip-transparent: yes
+	max-udp-size: 3072
+
+	access-control-tag: 127.0.0.1/32 "local"
+	access-control-tag: ::1/128 "local"
+
+	access-control: 185.38.175.0/24 allow
+	access-control: 10.42.0.0/16 allow
+	access-control-tag: 10.42.0.0/24 "local"
+	access-control-tag: 10.42.1.0/24 "local"
+	access-control-tag: 10.42.2.0/24 "local"
+	# not free wifi     10.42.3.0/24
+	access-control-tag: 10.42.4.0/24 "local"
+	access-control-tag: 10.42.5.0/24 "local"
+	access-control: 2a01:4260:1ab::/48 allow
+	access-control-tag: 2a01:4260:1ab:a::/64 "local"
+	access-control-tag: 2a01:4260:1ab:b::/64 "local"
+	access-control-tag: 2a01:4260:1ab:c::/64 "local"
+	# not free wifi     2a01:4260:1ab:d::/64
+	access-control-tag: 2a01:4260:1ab:e::/64 "local"
+	access-control-tag: 2a01:4260:1ab:f::/64 "local"
+
+	chroot: ""
+	username: "unbound"
+	directory: "/etc/unbound"
+
+	use-syslog: yes
+	log-time-ascii: yes
+
+	harden-glue: yes
+	harden-dnssec-stripped: yes
+	harden-below-nxdomain: yes
+	harden-referral-path: yes
+	qname-minimisation: yes
+
+	prefetch: yes
+	prefetch-key: yes
+	rrset-roundrobin: yes
+	minimal-responses: yes
+
+	module-config: "validator iterator"
+
+	trust-anchor-signaling: yes
+
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	val-clean-additional: yes
+	val-permissive-mode: no
+	serve-expired: yes
+	val-log-level: 1
+
+	local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: s. static
+	local-zone-tag: s. "local"
+	local-data: "s.              IN SOA   space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
+	local-data: "s.              IN NS    space.labitat.dk."
+	local-data: "s.              IN A     10.42.1.1"
+	local-data: "s.              IN AAAA  2a01:4260:1ab::"
+	local-data: "labitrack.s.    IN A     185.38.175.70"
+	local-data: "labitrack.s.    IN AAAA  2a01:4260:1ab::cafe"
+	local-data: "track.s.        IN A     185.38.175.70"
+	local-data: "track.s.        IN AAAA  2a01:4260:1ab::cafe"
+	local-data: "ap.s.           IN A     10.42.0.2"
+	local-data-ptr:                      "10.42.0.2 ap.s."
+	local-data: "doorputer.s.    IN A     10.42.0.3"
+	local-data-ptr:                      "10.42.0.3 doorputer.s."
+	local-data: "foodputer.s.    IN A     10.42.0.4"
+	local-data-ptr:                      "10.42.0.4 foodputer.s."
+	local-data: "ap1.s.          IN A     10.42.0.5"
+	local-data-ptr:                      "10.42.0.5 ap1.s."
+	local-data: "ap2.s.          IN A     10.42.0.6"
+	local-data-ptr:                      "10.42.0.6 ap2.s."
+	local-data: "switch.s.       IN A     10.42.0.9"
+	local-data-ptr:                      "10.42.0.9 switch.s."
+	local-data: "lathe.s.        IN A     10.42.0.12"
+	local-data-ptr:                      "10.42.0.12 lathe.s."
+	local-data: "anna.s.         IN A     10.42.1.9"
+	local-data-ptr:                      "10.42.1.9 anna.s."
+	local-data: "printbrother.s. IN A     10.42.1.32"
+	local-data-ptr:                      "10.42.1.32 printbrother.s."
+	local-data: "infotron.s.     IN A     10.42.1.34"
+	local-data-ptr:                      "10.42.1.34 infotron.s."
+	local-data: "spacemon.s.     IN A     10.42.1.35"
+	local-data-ptr:                      "10.42.1.35 spacemon.s."
+	local-data: "jumbotron.s.    IN A     10.42.1.36"
+	local-data-ptr:                      "10.42.1.36 jumbotron.s."
+	local-data: "hplaserjet.s.   IN A     10.42.1.37"
+	local-data-ptr:                      "10.42.1.37 hplaserjet.s."
+	local-data: "labisound.s.    IN A     10.42.1.40"
+	local-data-ptr:                      "10.42.1.40 labisound.s."
+	local-data: "sound.s.        IN A     10.42.1.80"
+	local-data-ptr:                      "10.42.1.80 sound.s."
+
+remote-control:
+	control-enable: yes
+	control-use-cert: no
+	control-interface: "/run/unbound/control"
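Review bot: `chroot: ""` near the top of the server block switches off the chroot unbound normally runs in, and nothing in the file records why; the likely reason is that `auto-trust-anchor-file: "/var/lib/unbound/root.key"` lies outside `directory: "/etc/unbound"`, but that is inferred. A comment such as `# chroot disabled: the auto-trust-anchor file under /var/lib/unbound is outside /etc/unbound` would stop the next editor from re-enabling it blindly, or the key could be moved under the config directory so the chroot can stay on. `control-use-cert: no` is fine only because `control-interface` is a unix socket; whoever can write `/run/unbound/control` can reconfigure the resolver, so the socket's ownership and mode carry the entire access control. `serve-expired: yes` will answer with stale records when upstream is unreachable, which deserves a one-line comment stating that this is intended.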
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 70e0b85..e8943d3 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -57,9 +57,9 @@
     daemon_reload: yes
   when: "'container' not in ansible_env"
 
-- name: restart named
+- name: restart unbound
   systemd:
-    name: named.service
+    name: unbound.service
     state: restarted
   when: "'container' not in ansible_env"
 
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index 6893cbb..bd65b52 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -35,8 +35,8 @@
 - import_tasks: radius.yml
   tags: radius
   when: radius_passwords is defined
-- import_tasks: named.yml
-  tags: named
+- import_tasks: unbound.yml
+  tags: unbound
 - import_tasks: avahi.yml
   tags: avahi
 
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
deleted file mode 100644
index d295058..0000000
--- a/roles/space_server/tasks/named.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-- name: Install bind package
-  dnf:
-    name: bind
-    state: latest
-  notify:
-    - restart named
-  tags:
-    - packages
-
-- name: Configure named
-  copy:
-    src: named/named.conf
-    dest: '/etc/named.conf'
-    mode: 0640
-  notify:
-    - restart named
-- name: Create s zone
-  copy:
-    src: named/s.zone
-    dest: '/etc/named/s.zone'
-  notify:
-    - restart named
-
-- name: Create service drop-in directory
-  file:
-    dest: '/etc/systemd/system/named.service.d'
-    state: directory
-- name: Start named after networks are configured
-  copy:
-    src: wait-online.conf
-    dest: '/etc/systemd/system/named.service.d/wait-online.conf'
-
-- name: Enable named service
-  systemd:
-    name: named.service
-    enabled: yes
-    masked: no
-    state: started
-  when: "'container' not in ansible_env"
-- name: '- when in nspawn'
-  command: systemctl enable named.service
-  args:
-    creates: '/etc/systemd/system/multi-user.target.wants/named.service'
-  when: "'container' in ansible_env"
-
-- name: Use our own resolver
-  copy:
-    dest: /etc/resolv.conf
-    content: "nameserver 127.0.0.1\nnameserver ::1\n"
-
-# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml
new file mode 100644
index 0000000..42db916
--- /dev/null
+++ b/roles/space_server/tasks/unbound.yml
@@ -0,0 +1,36 @@
+---
+- name: Install unbound package
+  dnf:
+    name: unbound
+    state: latest
+  notify:
+    - restart unbound
+  tags:
+    - packages
+
+- name: Configure unbound
+  copy:
+    src: unbound/unbound.conf
+    dest: '/etc/unbound/unbound.conf'
+  notify:
+    - restart unbound
+
+- name: Enable unbound service
+  systemd:
+    name: unbound.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable unbound.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'
+  when: "'container' in ansible_env"
+
+- name: Use our own resolver
+  copy:
+    dest: /etc/resolv.conf
+    content: "nameserver 127.0.0.1\nnameserver ::1\n"
+
+# vim: set ts=2 sw=2 et ft=yaml:
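Review bot: The `Configure unbound` copy task has no `validate:`, so a typo in unbound.conf is only discovered when the `restart unbound` handler fails, and because the last task points `/etc/resolv.conf` at 127.0.0.1/::1 that leaves the host without name resolution. Adding `validate: 'unbound-checkconf %s'` to the copy task rejects a broken file before it replaces the live one. The removed named task set an explicit `mode:` on its configuration file; the new one relies on the default, so `mode: '0644'` (quoted, to avoid the octal/integer trap) would make the intent explicit. Nothing in this file provisions the `/var/lib/unbound/root.key` that the new unbound.conf references; presumably the package's own anchor tooling handles it, but that is not visible here.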
-- 
cgit v1.2.1