From 88756850d1a5cb28b897bdcc9337fcb6977aad0b Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <esmil@labitat.dk>
Date: Sun, 31 Mar 2019 19:45:52 +0200
Subject: space_server: named: use named instead of unbound

This reverts commit 3b795796bd03488a385f3ad42b10b8c0d61282c1,
"space_server: unbound: use unbound instad of bind".

Unlike unbound, bind supports synthesizing DNS64 answers
only for certain clients, so only requests from the Labitat NAT64
network will get DNS64 answers.
---
 roles/space_server/files/named.conf          | 103 +++++++++++++++++++++
 roles/space_server/handlers/main.yml         |   4 +-
 roles/space_server/tasks/main.yml            |   4 +-
 roles/space_server/tasks/named.yml           |  55 ++++++++++++
 roles/space_server/tasks/unbound.yml         |  41 ---------
 roles/space_server/templates/s.zone.j2       |  21 +++++
 roles/space_server/templates/unbound.conf.j2 | 128 ---------------------------
 roles/space_server/vars/main.yml             |   3 +-
 8 files changed, 184 insertions(+), 175 deletions(-)
 create mode 100644 roles/space_server/files/named.conf
 create mode 100644 roles/space_server/tasks/named.yml
 delete mode 100644 roles/space_server/tasks/unbound.yml
 create mode 100644 roles/space_server/templates/s.zone.j2
 delete mode 100644 roles/space_server/templates/unbound.conf.j2


diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf
new file mode 100644
index 0000000..81c4969
--- /dev/null
+++ b/roles/space_server/files/named.conf
@@ -0,0 +1,103 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 {
+		127.0.0.1;
+		185.38.175.0;
+	};
+	listen-on-v6 port 53 {
+		::1;
+		2a01:4262:1ab::;
+	};
+	allow-query {
+		127.0.0.1;
+		185.38.175.0/24;
+		10.42.0.0/16;
+		::1;
+		2a01:4262:1ab::/48;
+	};
+	dns64 2a01:4262:1ab:0:0:f::/96 {
+		clients { 2a01:4262:1ab:f::/64; };
+		exclude {
+			2a01:4262:1ab:0:0:f::/96;
+			::ffff:0:0/96;
+		};
+	};
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	secroots-file	"/var/named/data/named.secroots";
+	recursing-file	"/var/named/data/named.recursing";
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	managed-keys-directory "/var/named/dynamic";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+	channel default_debug {
+		syslog daemon;
+		severity dynamic;
+	};
+	channel default {
+		syslog daemon;
+		severity info;
+	};
+	category default {
+		default;
+	};
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+zone "s" IN {
+	type master;
+	file "/etc/named/s.zone";
+	allow-query {
+		127.0.0.1;
+		10.42.0.0/24; # infrastructure
+		10.42.1.0/24; # member wired
+		10.42.2.0/24; # member wireless
+		::1;
+		2a01:4262:1ab:a::/64; # infrastructure
+		2a01:4262:1ab:b::/64; # member wired
+		2a01:4262:1ab:c::/64; # member wireless
+		2a01:4262:1ab:f::/64; # member nat64
+	};
+	allow-transfer {
+		none;
+	};
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
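Review bot: Recursion is enabled (`recursion yes;` in the options block) on a listener bound to the public address 185.38.175.0, and the only thing limiting who may recurse is the global `allow-query`, because BIND derives `allow-recursion` from `allow-query` when it is not set explicitly. Making that explicit, e.g. `acl local_nets { 127.0.0.1; ::1; 185.38.175.0/24; 10.42.0.0/16; 2a01:4262:1ab::/48; };` at file top and `allow-recursion { local_nets; };` next to `allow-query`, keeps the recursion ACL from silently widening if `allow-query` is later opened up for the authoritative `s` zone. The Red Hat comment kept above `recursion yes;` already describes the amplification risk this guards against, so a one-line note such as `// allow-recursion intentionally follows allow-query; keep both limited to our prefixes` would tie the two together for the next reader. `dnssec-enable yes;` is redundant next to `dnssec-validation yes;` and has been removed in newer BIND releases, so it can presumably be dropped without changing behaviour on the version this targets.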
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml
index 09e0d1d..3a92a46 100644
--- a/roles/space_server/handlers/main.yml
+++ b/roles/space_server/handlers/main.yml
@@ -45,9 +45,9 @@
     daemon_reload: yes
   when: not chroot
 
-- name: restart unbound
+- name: restart named
   systemd:
-    name: unbound.service
+    name: named.service
     state: restarted
   when: not chroot
 
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index bfa3bc6..374a8b6 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -28,8 +28,8 @@
 - import_tasks: radius.yml
   tags: radius
   when: radius_passwords is defined
-- import_tasks: unbound.yml
-  tags: unbound
+- import_tasks: named.yml
+  tags: named
 - import_tasks: tayga.yml
   tags: tayga
 - import_tasks: avahi.yml
diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml
new file mode 100644
index 0000000..143e8f0
--- /dev/null
+++ b/roles/space_server/tasks/named.yml
@@ -0,0 +1,55 @@
+---
+- name: Configure named
+  copy:
+    dest: '/etc/named.conf'
+    src: named.conf
+    owner: root
+    group: named
+    mode: 0640
+  notify:
+  - restart named
+- name: Create s zone
+  template:
+    dest: '/etc/named/s.zone'
+    src: s.zone.j2
+    owner: root
+    group: named
+    mode: 0644
+  notify:
+  - restart named
+
+- name: Create service drop-in directory
+  file:
+    dest: '/etc/systemd/system/named.service.d'
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+- name: Start named after networks are configured
+  copy:
+    dest: '/etc/systemd/system/named.service.d/wait-online.conf'
+    src: wait-online.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable named service
+  systemd:
+    name: named.service
+    enabled: yes
+    masked: no
+    state: started
+  when: not chroot
+- name: '- when in nspawn'
+  command: systemctl enable named.service
+  when: chroot
+
+- name: Use our own resolver
+  copy:
+    dest: /etc/resolv.conf
+    content: "nameserver 127.0.0.1\nnameserver ::1\noptions edns0\n"
+    owner: root
+    group: root
+    mode: 0644
+
+# vim: set ts=2 sw=2 et ft=yaml:
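Review bot: The `- when in nspawn` task runs `systemctl enable named.service` on every play, whereas the unbound.yml it replaces guarded the equivalent command with `args: creates:`; adding `args: { creates: '/etc/systemd/system/multi-user.target.wants/named.service' }` restores idempotency, assuming named.service is wanted by multi-user.target the way the unbound unit was. The `mode:` values (`0640`, `0644`, `0755`) are unquoted, so the YAML loader hands Ansible integers rather than octal strings; Ansible documents quoting them (`mode: '0640'`) for consistent results, and `enabled: yes` / `masked: no` would read better as `true` / `false`. The drop-in copied to `/etc/systemd/system/named.service.d/wait-online.conf` has no `notify`, so a later change to it neither reloads systemd nor restarts named; notifying the handler in handlers/main.yml that sets `daemon_reload: yes` (visible as context in that hunk) would cover it.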
diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml
deleted file mode 100644
index 0de4c78..0000000
--- a/roles/space_server/tasks/unbound.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-- name: Create /etc/resolv.conf
-  copy:
-    dest: '/etc/resolv.conf'
-    src: resolv.conf
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Configure unbound
-  template:
-    dest: '/etc/unbound/unbound.conf'
-    src: unbound.conf.j2
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-  - restart unbound
-
-- name: Enable unbound service
-  systemd:
-    name: unbound.service
-    enabled: yes
-    masked: no
-    state: started
-  when: not chroot
-- name: '- when in chroot'
-  command: systemctl enable unbound.service
-  args:
-    creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'
-  when: chroot
-
-- name: Use our own resolver
-  copy:
-    dest: '/etc/resolv.conf'
-    content: "nameserver 127.0.0.1\nnameserver ::1\n"
-    owner: root
-    group: root
-    mode: 0644
-
-# vim: set ts=2 sw=2 et:
diff --git a/roles/space_server/templates/s.zone.j2 b/roles/space_server/templates/s.zone.j2
new file mode 100644
index 0000000..6bf9718
--- /dev/null
+++ b/roles/space_server/templates/s.zone.j2
@@ -0,0 +1,21 @@
+s.              600    IN   SOA     space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 86400
+s.              600    IN   NS      space.labitat.dk.
+
+s.              600    IN   A       10.42.1.1
+s.              600    IN   AAAA    2a01:4260:1ab::
+
+labitrack.s.    600    IN   A     185.38.175.70
+labitrack.s.    600    IN   AAAA  2a01:4262:1ab::cafe
+track.s.        600    IN   A     185.38.175.70
+track.s.        600    IN   AAAA  2a01:4262:1ab::cafe
+{% for host in local_hosts %}
+
+{% if 'ips' in host and host.ips|length > 0 %}
+{% for ip in host.ips|ipv4 %}
+{{ host.name }}.s. 600 IN A {{ ip }}
+{% endfor %}
+{% for ip in host.ips|ipv6 %}
+{{ host.name }}.s. 600 IN AAAA {{ ip }}
+{% endfor %}
+{% endif %}
+{% endfor %}
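Review bot: The AAAA record for the zone apex uses the prefix `2a01:4260:1ab::`, while every other address in this commit (the `listen-on-v6` entry in named.conf, the labitrack/track records a few lines below, and the unbound template being removed, which had `s. IN AAAA 2a01:4262:1ab::`) uses `2a01:4262:1ab::`, so this looks like a typo that points `s.` at an address outside the network: `s.              600    IN   AAAA    2a01:4262:1ab::`. The SOA serial is a fixed literal (2019040101), so re-rendering the template when `local_hosts` changes does not bump it; with `allow-transfer { none; }` there are no secondaries to notice, but a short comment stating that, or deriving the serial from a variable, would spare the next maintainer the question. `host.name` is inserted into the zone file unescaped, and if I read named's zone loading right a malformed owner name (a space or `;`) makes the whole `s` zone fail to load rather than just that record, so a comment on the expected shape of `local_hosts` entries, or a filter on `host.name`, is worth adding if the inventory is not fully trusted.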
diff --git a/roles/space_server/templates/unbound.conf.j2 b/roles/space_server/templates/unbound.conf.j2
deleted file mode 100644
index 26b7006..0000000
--- a/roles/space_server/templates/unbound.conf.j2
+++ /dev/null
@@ -1,128 +0,0 @@
-server:
-	pidfile: "/run/unbound/unbound.pid"
-	verbosity: 1
-	statistics-interval: 0
-	statistics-cumulative: no
-	extended-statistics: yes
-	num-threads: 1
-
-	define-tag: "local"
-
-	interface: 127.0.0.1
-	interface: ::1
-	interface: 185.38.175.0
-	interface: 2a01:4262:1ab::
-
-	outgoing-interface: 185.38.175.0
-	outgoing-interface: 2a01:4262:1ab::
-	outgoing-port-permit: 32768-60999
-	outgoing-port-avoid: 0-32767
-
-	so-reuseport: yes
-	ip-transparent: yes
-	max-udp-size: 3072
-
-	access-control-tag: 127.0.0.1/32 "local"
-	access-control-tag: ::1/128 "local"
-
-	access-control: 185.38.175.0/24 allow
-	access-control: 10.42.0.0/16 allow
-	access-control-tag: 10.42.0.0/24 "local"
-	access-control-tag: 10.42.1.0/24 "local"
-	access-control-tag: 10.42.2.0/24 "local"
-	# not free wifi     10.42.3.0/24
-	access-control-tag: 10.42.4.0/24 "local"
-	access-control-tag: 10.42.5.0/24 "local"
-	access-control: 2a01:4262:1ab::/48 allow
-	access-control-tag: 2a01:4262:1ab:a::/64 "local"
-	access-control-tag: 2a01:4262:1ab:b::/64 "local"
-	access-control-tag: 2a01:4262:1ab:c::/64 "local"
-	# not free wifi     2a01:4262:1ab:d::/64
-	access-control-tag: 2a01:4262:1ab:e::/64 "local"
-	access-control-tag: 2a01:4262:1ab:f::/64 "local"
-
-	chroot: ""
-	username: "unbound"
-	directory: "/etc/unbound"
-
-	use-syslog: yes
-	log-time-ascii: yes
-
-	harden-glue: yes
-	harden-dnssec-stripped: yes
-	harden-below-nxdomain: yes
-	harden-referral-path: yes
-	qname-minimisation: yes
-
-	prefetch: yes
-	prefetch-key: yes
-	rrset-roundrobin: yes
-	minimal-responses: yes
-
-	module-config: "dns64 validator iterator"
-
-	dns64-prefix: 2a01:4262:1ab:0:0:f::/96
-
-	trust-anchor-signaling: yes
-
-	trusted-keys-file: /etc/unbound/keys.d/*.key
-	auto-trust-anchor-file: "/var/lib/unbound/root.key"
-
-	val-clean-additional: yes
-	val-permissive-mode: no
-	serve-expired: yes
-	val-log-level: 1
-
-	local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
-	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
-	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
-	local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
-	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
-	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
-	local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
-	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
-	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
-	local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
-	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
-	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
-	local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
-	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
-	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
-	local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
-	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
-	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
-
-	local-zone: s. static
-	local-zone-tag: s. "local"
-	local-data: "s.              IN SOA   space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
-	local-data: "s.              IN NS    space.labitat.dk."
-	local-data: "s.              IN A     10.42.1.1"
-	local-data: "s.              IN AAAA  2a01:4262:1ab::"
-	local-data: "labitrack.s.    IN A     185.38.175.70"
-	local-data: "labitrack.s.    IN AAAA  2a01:4262:1ab::cafe"
-	local-data: "track.s.        IN A     185.38.175.70"
-	local-data: "track.s.        IN AAAA  2a01:4262:1ab::cafe"
-{% for host in local_hosts %}
-{%   for ip in host.ips | ipv4 %}
-{%     if loop.index <= 1 %}
-	local-data: "{{ host.name }}.s. IN A {{ ip }}"
-	local-data-ptr: "{{ ip }} {{ host.name }}.s."
-{%     endif %}
-{%   endfor %}
-{%   for ip in host.ips | ipv6 %}
-{%     if loop.index <= 1 %}
-	local-data: "{{ host.name }}.s. IN AAAA {{ ip }}"
-	local-data-ptr: "{{ ip }} {{ host.name }}.s."
-{%     endif %}
-{%   endfor %}
-{% endfor %}
-
-remote-control:
-	control-enable: yes
-	control-use-cert: no
-	control-interface: "/run/unbound/control"
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 40f4251..1914374 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -36,8 +36,7 @@ dnf_packages:
   'freeradius-python': present # pulls in radiusd
   'curl': present
   'diffutils': present
-  'policycoreutils': present # needed for unbound-keygen.service
-  'unbound': present
+  'bind': present
   'tayga': present
   'avahi-tools': present # pulls in avahi package
   'nss-mdns': present
-- 