From 88756850d1a5cb28b897bdcc9337fcb6977aad0b Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Sun, 31 Mar 2019 19:45:52 +0200 Subject: space_server: named: use named instead of unbound This reverts commit 3b795796bd03488a385f3ad42b10b8c0d61282c1, "space_server: unbound: use unbound instad of bind". Unlike unbound, bind supports synthesizing DNS64 answers only for certain clients, so only requests from the Labitat NAT64 network will get DNS64 answers. --- roles/space_server/files/named.conf | 103 +++++++++++++++++++++ roles/space_server/handlers/main.yml | 4 +- roles/space_server/tasks/main.yml | 4 +- roles/space_server/tasks/named.yml | 55 ++++++++++++ roles/space_server/tasks/unbound.yml | 41 --------- roles/space_server/templates/s.zone.j2 | 21 +++++ roles/space_server/templates/unbound.conf.j2 | 128 --------------------------- roles/space_server/vars/main.yml | 3 +- 8 files changed, 184 insertions(+), 175 deletions(-) create mode 100644 roles/space_server/files/named.conf create mode 100644 roles/space_server/tasks/named.yml delete mode 100644 roles/space_server/tasks/unbound.yml create mode 100644 roles/space_server/templates/s.zone.j2 delete mode 100644 roles/space_server/templates/unbound.conf.j2 (limited to 'roles') diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf new file mode 100644 index 0000000..81c4969 --- /dev/null +++ b/roles/space_server/files/named.conf 
@@ -0,0 +1,103 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 {
+ 127.0.0.1;
+ 185.38.175.0;
+ };
+ listen-on-v6 port 53 {
+ ::1;
+ 2a01:4262:1ab::;
+ };
+ allow-query {
+ 127.0.0.1;
+ 185.38.175.0/24;
+ 10.42.0.0/16;
+ ::1;
+ 2a01:4262:1ab::/48;
+ };
+ dns64 2a01:4262:1ab:0:0:f::/96 {
+ clients { 2a01:4262:1ab:f::/64; };
+ exclude {
+ 2a01:4262:1ab:0:0:f::/96;
+ ::ffff:0:0/96;
+ };
+ };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ syslog daemon;
+ severity dynamic;
+ };
+ channel default {
+ syslog daemon;
+ severity info;
+ };
+ category default {
+ default;
+ };
+};
+
+zone "." 
IN { + type hint; + file "named.ca"; +}; + +zone "s" IN { + type master; + file "/etc/named/s.zone"; + allow-query { + 127.0.0.1; + 10.42.0.0/24; # infrastructure + 10.42.1.0/24; # member wired + 10.42.2.0/24; # member wireless + ::1; + 2a01:4262:1ab:a::/64; # infrastructure + 2a01:4262:1ab:b::/64; # member wired + 2a01:4262:1ab:c::/64; # member wireless + 2a01:4262:1ab:f::/64; # member nat64 + }; + allow-transfer { + none; + }; +}; + +include "/etc/named.rfc1912.zones"; +include "/etc/named.root.key"; diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml index 09e0d1d..3a92a46 100644 --- a/roles/space_server/handlers/main.yml +++ b/roles/space_server/handlers/main.yml @@ -45,9 +45,9 @@ daemon_reload: yes when: not chroot -- name: restart unbound +- name: restart named systemd: - name: unbound.service + name: named.service state: restarted when: not chroot diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml index bfa3bc6..374a8b6 100644 --- a/roles/space_server/tasks/main.yml +++ b/roles/space_server/tasks/main.yml @@ -28,8 +28,8 @@ - import_tasks: radius.yml tags: radius when: radius_passwords is defined -- import_tasks: unbound.yml - tags: unbound +- import_tasks: named.yml + tags: named - import_tasks: tayga.yml tags: tayga - import_tasks: avahi.yml diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml new file mode 100644 index 0000000..143e8f0 --- /dev/null +++ b/roles/space_server/tasks/named.yml 
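Review bot: The options block has no `allow-recursion` (or `allow-query-cache`), so by BIND's documented default the `allow-query` list doubles as the recursion ACL, making the public 185.38.175.0/24 and 2a01:4262:1ab::/48 ranges recursive clients; that matches the removed unbound `access-control ... allow` lines, but only implicitly. Spelling it out as `allow-recursion { 127.0.0.1; ::1; 185.38.175.0/24; 10.42.0.0/16; 2a01:4262:1ab::/48; };` keeps a later widening of `allow-query` (for example to expose the `s` zone more broadly) from also opening the resolver, which is exactly the amplification risk the inherited comment above `recursion yes;` warns about. The same address ranges are then repeated in `allow-query`, `dns64 clients` and the `s` zone's `allow-query`, with per-subnet comments only in the last one; named `acl` statements would give each range a single point of change and let those comments apply everywhere. This hunk starts on the previous line of the patch; the zone and include statements here are its tail.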
@@ -0,0 +1,55 @@
+---
+- name: Configure named
+ copy:
+ dest: '/etc/named.conf'
+ src: named.conf
+ owner: root
+ group: named
+ mode: 0640
+ notify:
+ - restart named
+- name: Create s zone
+ template:
+ dest: '/etc/named/s.zone'
+ src: s.zone.j2
+ owner: root
+ group: named
+ mode: 0644
+ notify:
+ - restart named
+
+- name: Create service drop-in directory
+ file:
+ dest: '/etc/systemd/system/named.service.d'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+- name: Start named after networks are configured
+ copy:
+ dest: '/etc/systemd/system/named.service.d/wait-online.conf'
+ src: wait-online.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Enable named service
+ systemd:
+ name: named.service
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in nspawn'
+ command: systemctl enable named.service
+ when: chroot
+
+- name: Use our own resolver
+ copy:
+ dest: /etc/resolv.conf
+ content: "nameserver 127.0.0.1\nnameserver ::1\noptions edns0\n"
+ owner: root
+ group: root
+ mode: 0644
+
+# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml
deleted file mode 100644
index 0de4c78..0000000
--- a/roles/space_server/tasks/unbound.yml
+++ /dev/null
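Review bot: The `'- when in nspawn'` task runs `command: systemctl enable named.service` on every chroot run and so always reports changed, whereas the unbound.yml task it replaces guarded the same command with `args: creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'`; restoring that guard as `creates: '/etc/systemd/system/multi-user.target.wants/named.service'` keeps the play idempotent. The "Start named after networks are configured" task copies `src: wait-online.conf`, but this commit adds no such file and the diffstat lists nothing under roles/space_server/files besides named.conf, so unless the file already exists in the role the task fails at runtime; the diffstat is limited to roles, so I cannot confirm either way from here. A one-line comment above that task naming where wait-online.conf comes from (shared with another service's drop-in, or added separately) would settle it for the next reader.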
@@ -1,41 +0,0 @@ ---- -- name: Create /etc/resolv.conf - copy: - dest: '/etc/resolv.conf' - src: resolv.conf - owner: root - group: root - mode: 0644 - -- name: Configure unbound - template: - dest: '/etc/unbound/unbound.conf' - src: unbound.conf.j2 - owner: root - group: root - mode: 0644 - notify: - - restart unbound - -- name: Enable unbound service - systemd: - name: unbound.service - enabled: yes - masked: no - state: started - when: not chroot -- name: '- when in chroot' - command: systemctl enable unbound.service - args: - creates: '/etc/systemd/system/multi-user.target.wants/unbound.service' - when: chroot - -- name: Use our own resolver - copy: - dest: '/etc/resolv.conf' - content: "nameserver 127.0.0.1\nnameserver ::1\n" - owner: root - group: root - mode: 0644 - -# vim: set ts=2 sw=2 et: diff --git a/roles/space_server/templates/s.zone.j2 b/roles/space_server/templates/s.zone.j2 new file mode 100644 index 0000000..6bf9718 --- /dev/null +++ b/roles/space_server/templates/s.zone.j2 @@ -0,0 +1,21 @@ +s. 600 IN SOA space.labitat.dk. esmil.labitat.dk. 2019040101 7200 3600 604800 86400 +s. 600 IN NS space.labitat.dk. + +s. 600 IN A 10.42.1.1 +s. 600 IN AAAA 2a01:4260:1ab:: + +labitrack.s. 600 IN A 185.38.175.70 +labitrack.s. 600 IN AAAA 2a01:4262:1ab::cafe +track.s. 600 IN A 185.38.175.70 +track.s. 600 IN AAAA 2a01:4262:1ab::cafe +{% for host in local_hosts %} + +{% if 'ips' in host and host.ips|length > 0 %} +{% for ip in host.ips|ipv4 %} +{{ host.name }}.s. 600 IN A {{ ip }} +{% endfor %} +{% for ip in host.ips|ipv6 %} +{{ host.name }}.s. 600 IN AAAA {{ ip }} +{% endfor %} +{% endif %} +{% endfor %} diff --git a/roles/space_server/templates/unbound.conf.j2 b/roles/space_server/templates/unbound.conf.j2 deleted file mode 100644 index 26b7006..0000000 --- a/roles/space_server/templates/unbound.conf.j2 +++ /dev/null 
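Review bot: `s. 600 IN AAAA 2a01:4260:1ab::` uses prefix 2a01:4260 while every other AAAA in this zone and every address in named.conf uses 2a01:4262:1ab::, and the removed unbound template had `local-data: "s. IN AAAA 2a01:4262:1ab::"`, so this looks like a transposed digit; the line should read `s. 600 IN AAAA 2a01:4262:1ab::`. The SOA serial `2019040101` is a literal in a template whose records are generated from `local_hosts`, so re-rendering with new hosts never bumps it; with `allow-transfer { none; }` nothing currently depends on it, but if a secondary is ever added the zone would silently stop propagating, so driving it from a variable maintained alongside `local_hosts` (e.g. a `s_zone_serial` var, name suggested) is worth considering. Note also that the removed template emitted `local-data-ptr` reverse records for each host and the new zone has no reverse counterpart, so PTR lookups for the 10.42.x.x and 2a01:4262:1ab::/48 hosts are lost unless that is intended.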
@@ -1,128 +0,0 @@ -server: - pidfile: "/run/unbound/unbound.pid" - verbosity: 1 - statistics-interval: 0 - statistics-cumulative: no - extended-statistics: yes - num-threads: 1 - - define-tag: "local" - - interface: 127.0.0.1 - interface: ::1 - interface: 185.38.175.0 - interface: 2a01:4262:1ab:: - - outgoing-interface: 185.38.175.0 - outgoing-interface: 2a01:4262:1ab:: - outgoing-port-permit: 32768-60999 - outgoing-port-avoid: 0-32767 - - so-reuseport: yes - ip-transparent: yes - max-udp-size: 3072 - - access-control-tag: 127.0.0.1/32 "local" - access-control-tag: ::1/128 "local" - - access-control: 185.38.175.0/24 allow - access-control: 10.42.0.0/16 allow - access-control-tag: 10.42.0.0/24 "local" - access-control-tag: 10.42.1.0/24 "local" - access-control-tag: 10.42.2.0/24 "local" - # not free wifi 10.42.3.0/24 - access-control-tag: 10.42.4.0/24 "local" - access-control-tag: 10.42.5.0/24 "local" - access-control: 2a01:4262:1ab::/48 allow - access-control-tag: 2a01:4262:1ab:a::/64 "local" - access-control-tag: 2a01:4262:1ab:b::/64 "local" - access-control-tag: 2a01:4262:1ab:c::/64 "local" - # not free wifi 2a01:4262:1ab:d::/64 - access-control-tag: 2a01:4262:1ab:e::/64 "local" - access-control-tag: 2a01:4262:1ab:f::/64 "local" - - chroot: "" - username: "unbound" - directory: "/etc/unbound" - - use-syslog: yes - log-time-ascii: yes - - harden-glue: yes - harden-dnssec-stripped: yes - harden-below-nxdomain: yes - harden-referral-path: yes - qname-minimisation: yes - - prefetch: yes - prefetch-key: yes - rrset-roundrobin: yes - minimal-responses: yes - - module-config: "dns64 validator iterator" - - dns64-prefix: 2a01:4262:1ab:0:0:f::/96 - - trust-anchor-signaling: yes - - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - val-clean-additional: yes - val-permissive-mode: no - serve-expired: yes - val-log-level: 1 - - local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. 
static - local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: s. static - local-zone-tag: s. "local" - local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800" - local-data: "s. IN NS space.labitat.dk." - local-data: "s. IN A 10.42.1.1" - local-data: "s. IN AAAA 2a01:4262:1ab::" - local-data: "labitrack.s. IN A 185.38.175.70" - local-data: "labitrack.s. IN AAAA 2a01:4262:1ab::cafe" - local-data: "track.s. 
IN A 185.38.175.70" - local-data: "track.s. IN AAAA 2a01:4262:1ab::cafe" -{% for host in local_hosts %} -{% for ip in host.ips | ipv4 %} -{% if loop.index <= 1 %} - local-data: "{{ host.name }}.s. IN A {{ ip }}" - local-data-ptr: "{{ ip }} {{ host.name }}.s." -{% endif %} -{% endfor %} -{% for ip in host.ips | ipv6 %} -{% if loop.index <= 1 %} - local-data: "{{ host.name }}.s. IN AAAA {{ ip }}" - local-data-ptr: "{{ ip }} {{ host.name }}.s." -{% endif %} -{% endfor %} -{% endfor %} - -remote-control: - control-enable: yes - control-use-cert: no - control-interface: "/run/unbound/control" diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml index 40f4251..1914374 100644 --- a/roles/space_server/vars/main.yml +++ b/roles/space_server/vars/main.yml @@ -36,8 +36,7 @@ dnf_packages: 'freeradius-python': present # pulls in radiusd 'curl': present 'diffutils': present - 'policycoreutils': present # needed for unbound-keygen.service - 'unbound': present + 'bind': present 'tayga': present 'avahi-tools': present # pulls in avahi package 'nss-mdns': present -- cgit v1.2.1