forked from infra/ansible
dhcpd, dns_intern: provide dynamic dns entries
Clients in the 172.23.3.0/24 subnet are now given dynamic DNS entries in the users.binary.kitchen domain (forward entries only; no reverse/PTR records are created).
This commit is contained in:
parent
e0a5d012ee
commit
e8dcf169e2
@ -4,6 +4,9 @@ dhcpd_failover: true
|
|||||||
dhcpd_primary: 172.23.2.3
|
dhcpd_primary: 172.23.2.3
|
||||||
dhcpd_secondary: 172.23.2.4
|
dhcpd_secondary: 172.23.2.4
|
||||||
|
|
||||||
|
dns_primary: 172.23.2.3
|
||||||
|
dns_secondary: 172.23.2.4
|
||||||
|
|
||||||
name_servers:
|
name_servers:
|
||||||
- 172.23.2.3
|
- 172.23.2.3
|
||||||
- 172.23.2.4
|
- 172.23.2.4
|
||||||
|
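Review bot: `name_servers` repeats the two addresses that the new `dns_primary`/`dns_secondary` (and the existing `dhcpd_primary`/`dhcpd_secondary`) already carry, so a future address change has to be made in several places and the copies can drift apart silently. Deriving the list, `name_servers: ["{{ dns_primary }}", "{{ dns_secondary }}"]`, keeps one source of truth. If the DHCP and DNS roles are deliberately co-located on the same pair of hosts, a comment such as `# dhcpd_* and dns_* intentionally point at the same hosts` stops someone from "fixing" the duplication the other way.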
@ -3,13 +3,15 @@
|
|||||||
# option definitions common to all supported networks...
|
# option definitions common to all supported networks...
|
||||||
option domain-name "binary.kitchen";
|
option domain-name "binary.kitchen";
|
||||||
option domain-name-servers {{ name_servers | join(', ') }};
|
option domain-name-servers {{ name_servers | join(', ') }};
|
||||||
|
option domain-search "binary.kitchen";
|
||||||
option ntp-servers 172.23.1.60, 172.23.2.3;
|
option ntp-servers 172.23.1.60, 172.23.2.3;
|
||||||
|
|
||||||
default-lease-time 7200;
|
default-lease-time 7200;
|
||||||
max-lease-time 28800;
|
max-lease-time 28800;
|
||||||
|
|
||||||
# Use this to enble / disable dynamic dns updates globally.
|
# Use this to enble / disable dynamic dns updates globally.
|
||||||
ddns-update-style none;
|
ddns-update-style interim;
|
||||||
|
ddns-updates on;
|
||||||
|
|
||||||
# If this DHCP server is the official DHCP server for the local
|
# If this DHCP server is the official DHCP server for the local
|
||||||
# network, the authoritative directive should be uncommented.
|
# network, the authoritative directive should be uncommented.
|
||||||
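Review bot: `ddns-updates on;` is set globally, but only the users subnet sets `ddns-domainname`; as far as I read the ISC semantics, leases in the other subnets then fall back to the `domain-name` option, so dhcpd will also attempt updates for binary.kitchen, a zone served from static bind-backend files that cannot accept them, and with no `zone` statement for it will try to find the primary via SOA lookup. Keeping the global `ddns-updates off;` and enabling it inside `subnet 172.23.3.0 netmask 255.255.255.0 { ... }` confines the update traffic (and the refusals in the logs) to the subnet this commit targets. `ddns-update-style interim;` works, but on ISC DHCP 4.3+ `standard` is the current style; a comment such as `# interim kept for the installed dhcpd; switch to "standard" once on >= 4.3` records why it was chosen.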
@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
|
|||||||
# Users
|
# Users
|
||||||
subnet 172.23.3.0 netmask 255.255.255.0 {
|
subnet 172.23.3.0 netmask 255.255.255.0 {
|
||||||
option routers 172.23.3.1;
|
option routers 172.23.3.1;
|
||||||
|
ddns-domainname "users.binary.kitchen";
|
||||||
|
option domain-search "binary.kitchen", "users.binary.kitchen";
|
||||||
pool {
|
pool {
|
||||||
{% if dhcpd_failover == true %}
|
{% if dhcpd_failover == true %}
|
||||||
failover peer "failover-partner";
|
failover peer "failover-partner";
|
||||||
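Review bot: The name registered under users.binary.kitchen is, by ISC default, the client's own `host-name` option (nothing here sets `ddns-hostname`), and the new `option domain-search "binary.kitchen", "users.binary.kitchen"` hands those names to every other client as a search-path fallback: a short name that does not exist in binary.kitchen (or a typo of one) now resolves to whatever any DHCP client chose to call itself. If that is an accepted trade-off for this network, say so next to the option, e.g. `# users.binary.kitchen names are client-chosen; never rely on them for anything security-relevant`; otherwise keep the search list to binary.kitchen and let people use FQDNs, or derive names server-side with `ddns-hostname`. The subnet block continues outside the hunk.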
@ -80,6 +84,12 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# DDNS zones
|
||||||
|
|
||||||
|
zone users.binary.kitchen {
|
||||||
|
primary {{ dns_primary }};
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Fixed IPs
|
# Fixed IPs
|
||||||
|
|
||||||
|
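Review bot: The `zone users.binary.kitchen` block carries no `key` statement, so updates are sent unsigned and the only thing authenticating the DHCP servers to PowerDNS is their source address, which on a LAN with client-controlled hosts is a weak gate. Define a TSIG key from a vaulted variable, `key ddns { algorithm hmac-sha256; secret "{{ ddns_tsig_secret }}"; }`, and reference it in the zone block, `zone users.binary.kitchen { primary {{ dns_primary }}; key ddns; }`; the same key then has to be imported into PowerDNS and attached to the zone's TSIG-ALLOW-DNSUPDATE metadata. Both dhcpd peers must carry the identical key, since under failover either one may perform the update.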
@ -5,3 +5,6 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
|
||||||
|
- name: Restart dnsdist
|
||||||
|
service: name=dnsdist state=restarted
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
- name: Install powerdns
|
- name: Install powerdns
|
||||||
apt:
|
apt:
|
||||||
name:
|
name:
|
||||||
|
- dnsdist
|
||||||
- pdns-server
|
- pdns-server
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
|
||||||
@ -19,8 +20,19 @@
|
|||||||
- bind/23.172.in-addr.arpa.zone
|
- bind/23.172.in-addr.arpa.zone
|
||||||
- bind/binary.kitchen.zone
|
- bind/binary.kitchen.zone
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
|
||||||
|
|
||||||
|
- name: Configure dnsdist
|
||||||
|
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
|
||||||
|
notify: Restart dnsdist
|
||||||
|
|
||||||
- name: Start the powerdns services
|
- name: Start the powerdns services
|
||||||
service: name={{ item }} state=started enabled=yes
|
service: name={{ item }} state=started enabled=yes
|
||||||
with_items:
|
with_items:
|
||||||
|
- dnsdist
|
||||||
- pdns
|
- pdns
|
||||||
- pdns-recursor
|
- pdns-recursor
|
||||||
|
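Review bot: The two `# TODO` comments leave the users.binary.kitchen zone to be created by hand on each server, so a rebuilt host comes up with `dnsupdate`/`slave` configured for a zone that does not exist, and the role cannot detect it. Separately, `launch=bind,gsqlite3` is rendered on both hosts but the apt list only adds `dnsdist`; on Debian/Ubuntu the gsqlite3 backend ships in `pdns-backend-sqlite3`, so unless it is pulled in elsewhere the authoritative server will fail to start (verify against the target distribution). Both zone-creation steps are scriptable with pdnsutil and can be made idempotent by consulting `pdnsutil list-all-zones` first (present in the 4.x pdnsutil I know; verify on the installed version); note that `create-zone` yields a NATIVE zone, and the primary must be kind MASTER for `master=yes`/`only-notify` to send NOTIFYs. The SOA/NS content the first TODO alludes to is not guessed at below.

```yaml
# … unchanged: zone file templates …

- name: List existing PowerDNS zones
  command: pdnsutil list-all-zones
  register: pdns_zones
  changed_when: false

- name: Create users.binary.kitchen on the primary
  command: pdnsutil create-zone users.binary.kitchen ns1.binary.kitchen
  when:
    - ansible_default_ipv4.address == dns_primary
    - "'users.binary.kitchen' not in pdns_zones.stdout_lines"

- name: Make users.binary.kitchen a master zone on the primary
  command: pdnsutil set-kind users.binary.kitchen master
  when:
    - ansible_default_ipv4.address == dns_primary
    - "'users.binary.kitchen' not in pdns_zones.stdout_lines"

- name: Create users.binary.kitchen as a slave zone on the secondary
  command: pdnsutil create-slave-zone users.binary.kitchen {{ dns_primary }}
  when:
    - ansible_default_ipv4.address == dns_secondary
    - "'users.binary.kitchen' not in pdns_zones.stdout_lines"

# … unchanged: Configure dnsdist, Start the powerdns services …
```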
@ -1,13 +1,14 @@
|
|||||||
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2021050801; serial
|
2021051601; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
1h; minimum time-to-live
|
1h; minimum time-to-live
|
||||||
)
|
)
|
||||||
IN NS ns.binary.kitchen.
|
IN NS ns1.binary.kitchen.
|
||||||
|
IN NS ns2.binary.kitchen.
|
||||||
; Loopback
|
; Loopback
|
||||||
1.0 IN PTR core.binary.kitchen.
|
1.0 IN PTR core.binary.kitchen.
|
||||||
2.0 IN PTR erx-bk.binary.kitchen.
|
2.0 IN PTR erx-bk.binary.kitchen.
|
||||||
@ -36,7 +37,6 @@ $TTL 1h ; default time-to-live
|
|||||||
102.1 IN PTR nbe-tr8.binary.kitchen.
|
102.1 IN PTR nbe-tr8.binary.kitchen.
|
||||||
; Services
|
; Services
|
||||||
1.2 IN PTR v2302.core.binary.kitchen.
|
1.2 IN PTR v2302.core.binary.kitchen.
|
||||||
2.2 IN PTR ns.binary.kitchen.
|
|
||||||
3.2 IN PTR bacon.binary.kitchen.
|
3.2 IN PTR bacon.binary.kitchen.
|
||||||
4.2 IN PTR aveta.binary.kitchen.
|
4.2 IN PTR aveta.binary.kitchen.
|
||||||
5.2 IN PTR sulis.binary.kitchen.
|
5.2 IN PTR sulis.binary.kitchen.
|
||||||
|
@ -1,13 +1,17 @@
|
|||||||
$ORIGIN binary.kitchen ; base for unqualified names
|
$ORIGIN binary.kitchen ; base for unqualified names
|
||||||
$TTL 1h ; default time-to-live
|
$TTL 1h ; default time-to-live
|
||||||
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
|
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
|
||||||
2021050801; serial
|
2021051601; serial
|
||||||
1d; refresh
|
1d; refresh
|
||||||
2h; retry
|
2h; retry
|
||||||
4w; expire
|
4w; expire
|
||||||
1h; minimum time-to-live
|
1h; minimum time-to-live
|
||||||
)
|
)
|
||||||
IN NS ns.binary.kitchen.
|
IN NS ns1.binary.kitchen.
|
||||||
|
IN NS ns2.binary.kitchen.
|
||||||
|
; Subdomains
|
||||||
|
users IN NS ns1.binary.kitchen.
|
||||||
|
users IN NS ns2.binary.kitchen.
|
||||||
; External
|
; External
|
||||||
IN A 213.166.246.4
|
IN A 213.166.246.4
|
||||||
www IN A 213.166.246.4
|
www IN A 213.166.246.4
|
||||||
@ -21,6 +25,8 @@ ldap1 IN A 172.23.2.3
|
|||||||
ldap2 IN A 172.23.2.4
|
ldap2 IN A 172.23.2.4
|
||||||
ldapm IN A 213.166.246.2
|
ldapm IN A 213.166.246.2
|
||||||
librenms IN A 172.23.2.6
|
librenms IN A 172.23.2.6
|
||||||
|
ns1 IN A 172.23.2.3
|
||||||
|
ns2 IN A 172.23.2.4
|
||||||
racktables IN A 172.23.2.6
|
racktables IN A 172.23.2.6
|
||||||
radius IN A 172.23.2.3
|
radius IN A 172.23.2.3
|
||||||
radius IN A 172.23.2.4
|
radius IN A 172.23.2.4
|
||||||
@ -52,7 +58,6 @@ nbe-w13b IN A 172.23.1.101
|
|||||||
nbe-tr8 IN A 172.23.1.102
|
nbe-tr8 IN A 172.23.1.102
|
||||||
; Services
|
; Services
|
||||||
v2302.core IN A 172.23.2.1
|
v2302.core IN A 172.23.2.1
|
||||||
ns IN A 172.23.2.2
|
|
||||||
bacon IN A 172.23.2.3
|
bacon IN A 172.23.2.3
|
||||||
aveta IN A 172.23.2.4
|
aveta IN A 172.23.2.4
|
||||||
sulis IN A 172.23.2.5
|
sulis IN A 172.23.2.5
|
||||||
@ -77,8 +82,6 @@ garlic IN A 172.23.3.243
|
|||||||
mirror IN A 172.23.3.244
|
mirror IN A 172.23.3.244
|
||||||
spaghetti IN A 172.23.3.245
|
spaghetti IN A 172.23.3.245
|
||||||
maccaroni IN A 172.23.3.246
|
maccaroni IN A 172.23.3.246
|
||||||
pve02-bmc.tmp IN A 172.23.3.247
|
|
||||||
pve02.tmp IN A 172.23.3.248
|
|
||||||
ffrgb IN A 172.23.3.249
|
ffrgb IN A 172.23.3.249
|
||||||
cannelloni IN A 172.23.3.250
|
cannelloni IN A 172.23.3.250
|
||||||
noodlehub IN A 172.23.3.251
|
noodlehub IN A 172.23.3.251
|
||||||
|
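--- /dev/null
+++ b/roles/dns_intern/templates/dnsdist.conf.j2
@@ -0,0 +1,25 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')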
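Review bot: AXFR/IXFR and NOTIFY are filtered by source here, but nothing restricts RFC 2136 UPDATE, and because the authoritative server is reached at 127.0.0.1:5300 it sees dnsdist, not the client, as the sender; any host that can reach port 53 can therefore push updates into the DDNS zone. Add a rule next to the NOTIFY one: `addAction(AndRule({OpcodeRule(DNSOpcode.Update), NotRule(makeRule({"{{ dhcpd_primary }}", "{{ dhcpd_secondary }}"}))}), RCodeAction(dnsdist.REFUSED))` (makeRule with a table builds a NetmaskGroupRule in the dnsdist versions I know; verify against the installed one), or enable the proxy protocol towards pdns so its own allow-list sees real client addresses. The listener also relies on dnsdist's built-in ACL of private ranges; stating it explicitly, e.g. `setACL({'127.0.0.0/8', '::1', '172.23.0.0/16'})`, documents who may recurse through this host. A comment noting that the AXFR rule is shared by both roles (on the secondary the only permitted source is itself) would help the next reader.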
@ -1,46 +1,94 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
{% if ansible_default_ipv4.address == dns_primary %}
|
||||||
#################################
|
#################################
|
||||||
# launch Which backends to launch and order to query them in
|
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
|
||||||
#
|
#
|
||||||
# launch=
|
# allow-dnsupdate-from=127.0.0.0/8,::1
|
||||||
launch=bind
|
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address Local IP addresses to which we bind
|
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
|
||||||
|
#
|
||||||
|
# dnsupdate=no
|
||||||
|
dnsupdate=yes
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# launch Which backends to launch and order to query them in
|
||||||
|
#
|
||||||
|
# launch=
|
||||||
|
launch=bind,gsqlite3
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# local-address Local IP addresses to which we bind
|
||||||
#
|
#
|
||||||
# local-address=0.0.0.0
|
# local-address=0.0.0.0
|
||||||
local-address=127.0.0.1
|
local-address=127.0.0.1
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-ipv6 Local IP address to which we bind
|
# local-ipv6 Local IP address to which we bind
|
||||||
#
|
#
|
||||||
# local-ipv6=::
|
# local-ipv6=::
|
||||||
local-ipv6=
|
local-ipv6=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port The port on which we listen
|
# local-port The port on which we listen
|
||||||
#
|
#
|
||||||
# local-port=53
|
# local-port=53
|
||||||
local-port=5300
|
local-port=5300
|
||||||
|
|
||||||
|
{% if ansible_default_ipv4.address == dns_primary %}
|
||||||
#################################
|
#################################
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
# master Act as a master
|
||||||
|
#
|
||||||
|
# master=no
|
||||||
|
master=yes
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
|
||||||
|
#
|
||||||
|
# only-notify=0.0.0.0/0,::/0
|
||||||
|
only-notify={{ dns_secondary }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# security-poll-suffix Domain name from which to query security update notifications
|
||||||
#
|
#
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
# security-poll-suffix=secpoll.powerdns.com.
|
||||||
security-poll-suffix=
|
security-poll-suffix=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setgid If set, change group id to this gid for more security
|
# setgid If set, change group id to this gid for more security
|
||||||
#
|
#
|
||||||
setgid=pdns
|
setgid=pdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setuid If set, change user id to this uid for more security
|
# setuid If set, change user id to this uid for more security
|
||||||
#
|
#
|
||||||
setuid=pdns
|
setuid=pdns
|
||||||
|
|
||||||
|
{% if ansible_default_ipv4.address == dns_secondary %}
|
||||||
#################################
|
#################################
|
||||||
# bind-config Location of the Bind configuration file to parse.
|
# slave Act as a slave
|
||||||
|
#
|
||||||
|
# slave=no
|
||||||
|
slave=yes
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# trusted-notification-proxy IP address of incoming notification proxy
|
||||||
|
#
|
||||||
|
# trusted-notification-proxy=
|
||||||
|
trusted-notification-proxy=127.0.0.1,::1
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# bind-config Location of named.conf
|
||||||
#
|
#
|
||||||
bind-config=/etc/powerdns/bindbackend.conf
|
bind-config=/etc/powerdns/bindbackend.conf
|
||||||
|
|
||||||
|
#################################
|
||||||
|
# gsqlite3-database Filename of the SQLite3 database
|
||||||
|
#
|
||||||
|
# gsqlite3-database=
|
||||||
|
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
|
||||||
|
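Review bot: `allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }}` is satisfied by every update that arrives through dnsdist, because this server listens on 127.0.0.1:5300 and dnsdist connects from loopback; the dhcpd entries are never what matches, and the effective policy is "anyone who can reach port 53 may update the zone". Either drop the loopback entries and have dnsdist pass the real client address (`proxy-protocol-from=127.0.0.1` here with `useProxyProtocol=true` on the dnsdist `newServer`, available in recent versions; verify on the installed ones), or require TSIG: `pdnsutil import-tsig-key ddns hmac-sha256 <secret>` and `pdnsutil set-meta users.binary.kitchen TSIG-ALLOW-DNSUPDATE ddns`, with the matching `key` statement on the dhcpd side. Separately, both role branches key on `ansible_default_ipv4.address == dns_primary` / `== dns_secondary`; a host whose default route sits on another interface renders neither `master=yes` nor `slave=yes` without any error, so an `assert` task (or an explicit `dns_role` inventory variable) would make that failure loud.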
@ -1,61 +1,55 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# allow-from If set, only allow these comma separated netmasks to recurse
|
# allow-from If set, only allow these comma separated netmasks to recurse
|
||||||
#
|
#
|
||||||
#allow-from=127.0.0.0/8
|
# allow-from=127.0.0.0/8
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# config-dir Location of configuration directory (recursor.conf)
|
# config-dir Location of configuration directory (recursor.conf)
|
||||||
#
|
#
|
||||||
config-dir=/etc/powerdns
|
config-dir=/etc/powerdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
|
||||||
#
|
#
|
||||||
# dnssec=process-no-validate
|
# dnssec=process-no-validate
|
||||||
dnssec=off
|
dnssec=off
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
|
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
||||||
#
|
#
|
||||||
# forward-zones=
|
local-address=127.0.0.1
|
||||||
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
|
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
|
# local-port port to listen on
|
||||||
#
|
#
|
||||||
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
|
local-port=5353
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# local-port port to listen on
|
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
|
||||||
#
|
|
||||||
local-port=53
|
|
||||||
|
|
||||||
#################################
|
|
||||||
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
|
|
||||||
#
|
#
|
||||||
{% if global_ipv6 is defined %}
|
{% if global_ipv6 is defined %}
|
||||||
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
query-local-address6={{ global_ipv6 | ipaddr('address') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# quiet Suppress logging of questions and answers
|
# quiet Suppress logging of questions and answers
|
||||||
#
|
#
|
||||||
quiet=yes
|
quiet=yes
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# security-poll-suffix Domain name from which to query security update notifications
|
# security-poll-suffix Domain name from which to query security update notifications
|
||||||
#
|
#
|
||||||
# security-poll-suffix=secpoll.powerdns.com.
|
# security-poll-suffix=secpoll.powerdns.com.
|
||||||
security-poll-suffix=
|
security-poll-suffix=
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setgid If set, change group id to this gid for more security
|
# setgid If set, change group id to this gid for more security
|
||||||
#
|
#
|
||||||
setgid=pdns
|
setgid=pdns
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
# setuid If set, change user id to this uid for more security
|
# setuid If set, change user id to this uid for more security
|
||||||
#
|
#
|
||||||
setuid=pdns
|
setuid=pdns
|
||||||
|
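Review bot: Dropping `forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300` leaves the recursor with no knowledge of the internal zones; direct client queries still reach the auth server through dnsdist's suffix rules, but anything the recursor resolves on its own (a CNAME or MX target inside binary.kitchen met while chasing an external name, for example) now goes to the public binary.kitchen servers and returns the external view. Keeping the forward-zones line costs nothing and also covers users.binary.kitchen, since forward-zones match subdomains. With the listener now on loopback only, making `allow-from=127.0.0.0/8,::1` explicit rather than commented out states the intent that dnsdist is the recursor's only client.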