dhcpd, dns_intern: provide dynamic dns entries

clients in the 172.23.3.0/24 subnet are now provided with dynamic dns
entries in the users.binary.kitchen domain - forward entries only
This commit is contained in:
Markus 2021-05-16 18:35:29 +02:00
parent e0a5d012ee
commit e8dcf169e2
9 changed files with 138 additions and 40 deletions

View File

@ -4,6 +4,9 @@ dhcpd_failover: true
dhcpd_primary: 172.23.2.3 dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4 dhcpd_secondary: 172.23.2.4
dns_primary: 172.23.2.3
dns_secondary: 172.23.2.4
name_servers: name_servers:
- 172.23.2.3 - 172.23.2.3
- 172.23.2.4 - 172.23.2.4

View File

@ -3,13 +3,15 @@
# option definitions common to all supported networks... # option definitions common to all supported networks...
option domain-name "binary.kitchen"; option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }}; option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3; option ntp-servers 172.23.1.60, 172.23.2.3;
default-lease-time 7200; default-lease-time 7200;
max-lease-time 28800; max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally. # Use this to enble / disable dynamic dns updates globally.
ddns-update-style none; ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local # If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented. # network, the authoritative directive should be uncommented.
@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
# Users # Users
subnet 172.23.3.0 netmask 255.255.255.0 { subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1; option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool { pool {
{% if dhcpd_failover == true %} {% if dhcpd_failover == true %}
failover peer "failover-partner"; failover peer "failover-partner";
@ -80,6 +84,12 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
} }
} }
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs # Fixed IPs

View File

@ -5,3 +5,6 @@
with_items: with_items:
- pdns - pdns
- pdns-recursor - pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

View File

@ -3,6 +3,7 @@
- name: Install powerdns - name: Install powerdns
apt: apt:
name: name:
- dnsdist
- pdns-server - pdns-server
- pdns-recursor - pdns-recursor
@ -19,8 +20,19 @@
- bind/23.172.in-addr.arpa.zone - bind/23.172.in-addr.arpa.zone
- bind/binary.kitchen.zone - bind/binary.kitchen.zone
# TODO
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
# TODO
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the powerdns services - name: Start the powerdns services
service: name={{ item }} state=started enabled=yes service: name={{ item }} state=started enabled=yes
with_items: with_items:
- dnsdist
- pdns - pdns
- pdns-recursor - pdns-recursor

View File

@ -1,13 +1,14 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names $ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live $TTL 1h ; default time-to-live
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. ( @ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2021050801; serial 2021051601; serial
1d; refresh 1d; refresh
2h; retry 2h; retry
4w; expire 4w; expire
1h; minimum time-to-live 1h; minimum time-to-live
) )
IN NS ns.binary.kitchen. IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Loopback ; Loopback
1.0 IN PTR core.binary.kitchen. 1.0 IN PTR core.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen. 2.0 IN PTR erx-bk.binary.kitchen.
@ -36,7 +37,6 @@ $TTL 1h ; default time-to-live
102.1 IN PTR nbe-tr8.binary.kitchen. 102.1 IN PTR nbe-tr8.binary.kitchen.
; Services ; Services
1.2 IN PTR v2302.core.binary.kitchen. 1.2 IN PTR v2302.core.binary.kitchen.
2.2 IN PTR ns.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen. 3.2 IN PTR bacon.binary.kitchen.
4.2 IN PTR aveta.binary.kitchen. 4.2 IN PTR aveta.binary.kitchen.
5.2 IN PTR sulis.binary.kitchen. 5.2 IN PTR sulis.binary.kitchen.

View File

@ -1,13 +1,17 @@
$ORIGIN binary.kitchen ; base for unqualified names $ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live $TTL 1h ; default time-to-live
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. ( @ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2021050801; serial 2021051601; serial
1d; refresh 1d; refresh
2h; retry 2h; retry
4w; expire 4w; expire
1h; minimum time-to-live 1h; minimum time-to-live
) )
IN NS ns.binary.kitchen. IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
; External ; External
IN A 213.166.246.4 IN A 213.166.246.4
www IN A 213.166.246.4 www IN A 213.166.246.4
@ -21,6 +25,8 @@ ldap1 IN A 172.23.2.3
ldap2 IN A 172.23.2.4 ldap2 IN A 172.23.2.4
ldapm IN A 213.166.246.2 ldapm IN A 213.166.246.2
librenms IN A 172.23.2.6 librenms IN A 172.23.2.6
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
racktables IN A 172.23.2.6 racktables IN A 172.23.2.6
radius IN A 172.23.2.3 radius IN A 172.23.2.3
radius IN A 172.23.2.4 radius IN A 172.23.2.4
@ -52,7 +58,6 @@ nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102 nbe-tr8 IN A 172.23.1.102
; Services ; Services
v2302.core IN A 172.23.2.1 v2302.core IN A 172.23.2.1
ns IN A 172.23.2.2
bacon IN A 172.23.2.3 bacon IN A 172.23.2.3
aveta IN A 172.23.2.4 aveta IN A 172.23.2.4
sulis IN A 172.23.2.5 sulis IN A 172.23.2.5
@ -77,8 +82,6 @@ garlic IN A 172.23.3.243
mirror IN A 172.23.3.244 mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245 spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246 maccaroni IN A 172.23.3.246
pve02-bmc.tmp IN A 172.23.3.247
pve02.tmp IN A 172.23.3.248
ffrgb IN A 172.23.3.249 ffrgb IN A 172.23.3.249
cannelloni IN A 172.23.3.250 cannelloni IN A 172.23.3.250
noodlehub IN A 172.23.3.251 noodlehub IN A 172.23.3.251

View File

@ -0,0 +1,25 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
-- define downstream servers/pools
newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))
-- disable security status polling via DNS
setSecurityPollSuffix('')

View File

@ -1,10 +1,24 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }}
#################################
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# dnsupdate=no
dnsupdate=yes
{% endif %}
################################# #################################
# launch Which backends to launch and order to query them in # launch Which backends to launch and order to query them in
# #
# launch= # launch=
launch=bind launch=bind,gsqlite3
################################# #################################
# local-address Local IP addresses to which we bind # local-address Local IP addresses to which we bind
@ -24,6 +38,20 @@ local-ipv6=
# local-port=53 # local-port=53
local-port=5300 local-port=5300
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify={{ dns_secondary }}
{% endif %}
################################# #################################
# security-poll-suffix Domain name from which to query security update notifications # security-poll-suffix Domain name from which to query security update notifications
# #
@ -40,7 +68,27 @@ setgid=pdns
# #
setuid=pdns setuid=pdns
{% if ansible_default_ipv4.address == dns_secondary %}
################################# #################################
# bind-config Location of the Bind configuration file to parse. # slave Act as a slave
#
# slave=no
slave=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
trusted-notification-proxy=127.0.0.1,::1
{% endif %}
#################################
# bind-config Location of named.conf
# #
bind-config=/etc/powerdns/bindbackend.conf bind-config=/etc/powerdns/bindbackend.conf
#################################
# gsqlite3-database Filename of the SQLite3 database
#
# gsqlite3-database=
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

View File

@ -3,7 +3,7 @@
################################# #################################
# allow-from If set, only allow these comma separated netmasks to recurse # allow-from If set, only allow these comma separated netmasks to recurse
# #
#allow-from=127.0.0.0/8 # allow-from=127.0.0.0/8
################################# #################################
# config-dir Location of configuration directory (recursor.conf) # config-dir Location of configuration directory (recursor.conf)
@ -16,24 +16,18 @@ config-dir=/etc/powerdns
# dnssec=process-no-validate # dnssec=process-no-validate
dnssec=off dnssec=off
#################################
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
# forward-zones=
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
################################# #################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
# #
local-address=127.0.0.1,{{ ansible_default_ipv4.address }} local-address=127.0.0.1
################################# #################################
# local-port port to listen on # local-port port to listen on
# #
local-port=53 local-port=5353
################################# #################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing # query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
# #
{% if global_ipv6 is defined %} {% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }} query-local-address6={{ global_ipv6 | ipaddr('address') }}