dhcpd, dns_intern: provide dynamic dns entries

clients in the 172.23.3.0/24 subnet are now provided with dynamic dns entries in the users.binary.kitchen domain - forward entries only
2021-05-16 18:35:29 +02:00 · 2021-05-16 18:35:29 +02:00 · e8dcf169e2
commit e8dcf169e2
parent e0a5d012ee
9 changed files with 138 additions and 40 deletions
--- a/group_vars/kitchen
+++ b/group_vars/kitchen
@ -4,6 +4,9 @@ dhcpd_failover: true
 dhcpd_primary: 172.23.2.3
 dhcpd_secondary: 172.23.2.4

+dns_primary: 172.23.2.3
+dns_secondary: 172.23.2.4
+
 name_servers:
 - 172.23.2.3
 - 172.23.2.4
--- a/roles/dhcpd/templates/dhcp/dhcpd.conf.j2
+++ b/roles/dhcpd/templates/dhcp/dhcpd.conf.j2
@ -3,13 +3,15 @@
 # option definitions common to all supported networks...
 option domain-name "binary.kitchen";
 option domain-name-servers {{ name_servers | join(', ') }};
+option domain-search "binary.kitchen";
 option ntp-servers 172.23.1.60, 172.23.2.3;

 default-lease-time 7200;
 max-lease-time 28800;

 # Use this to enble / disable dynamic dns updates globally.
-ddns-update-style none;
+ddns-update-style interim;
+ddns-updates on;

 # If this DHCP server is the official DHCP server for the local
 # network, the authoritative directive should be uncommented.
@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
 # Users
 subnet 172.23.3.0 netmask 255.255.255.0 {
  option routers 172.23.3.1;
+  ddns-domainname "users.binary.kitchen";
+  option domain-search "binary.kitchen", "users.binary.kitchen";
  pool {
 {% if dhcpd_failover == true %}
    failover peer "failover-partner";
@ -80,6 +84,12 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
  }
 }

+# DDNS zones
+
+zone users.binary.kitchen {
+  primary {{ dns_primary }};
+}
+

 # Fixed IPs

--- a/roles/dns_intern/handlers/main.yml
+++ b/roles/dns_intern/handlers/main.yml
@ -5,3 +5,6 @@
  with_items:
   - pdns
   - pdns-recursor
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted
--- a/roles/dns_intern/tasks/main.yml
+++ b/roles/dns_intern/tasks/main.yml
@ -3,6 +3,7 @@
 - name: Install powerdns
  apt:
    name:
+    - dnsdist
    - pdns-server
    - pdns-recursor

@ -19,8 +20,19 @@
  - bind/23.172.in-addr.arpa.zone
  - bind/binary.kitchen.zone

+# TODO
+# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
+
+# TODO
+# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
+
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
 - name: Start the powerdns services
  service: name={{ item }} state=started enabled=yes
  with_items:
+  - dnsdist
  - pdns
  - pdns-recursor
--- a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
+++ b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2
@ -1,13 +1,14 @@
 $ORIGIN 23.172.in-addr.arpa.	; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2021050801; serial
+@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+					2021051601; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns.binary.kitchen.
+				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns2.binary.kitchen.
 ; Loopback
 1.0				IN	PTR	core.binary.kitchen.
 2.0				IN	PTR	erx-bk.binary.kitchen.
@ -36,7 +37,6 @@ $TTL 1h				; default time-to-live
 102.1				IN	PTR	nbe-tr8.binary.kitchen.
 ; Services
 1.2				IN	PTR	v2302.core.binary.kitchen.
-2.2				IN	PTR	ns.binary.kitchen.
 3.2				IN	PTR	bacon.binary.kitchen.
 4.2				IN	PTR	aveta.binary.kitchen.
 5.2				IN	PTR	sulis.binary.kitchen.
--- a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
+++ b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2
@ -1,13 +1,17 @@
 $ORIGIN binary.kitchen		; base for unqualified names
 $TTL 1h				; default time-to-live
-@				IN	SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
-					2021050801; serial
+@				IN	SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
+					2021051601; serial
 					1d; refresh
 					2h; retry
 					4w; expire
 					1h; minimum time-to-live
 				)
-				IN	NS	ns.binary.kitchen.
+				IN	NS	ns1.binary.kitchen.
+				IN	NS	ns2.binary.kitchen.
+; Subdomains
+users				IN	NS	ns1.binary.kitchen.
+users				IN	NS	ns2.binary.kitchen.
 ; External
 				IN	A	213.166.246.4
 www				IN	A	213.166.246.4
@ -21,6 +25,8 @@ ldap1				IN	A	172.23.2.3
 ldap2				IN	A	172.23.2.4
 ldapm				IN	A	213.166.246.2
 librenms			IN	A	172.23.2.6
+ns1				IN	A	172.23.2.3
+ns2				IN	A	172.23.2.4
 racktables			IN	A	172.23.2.6
 radius				IN	A	172.23.2.3
 radius				IN	A	172.23.2.4
@ -52,7 +58,6 @@ nbe-w13b			IN	A	172.23.1.101
 nbe-tr8				IN	A	172.23.1.102
 ; Services
 v2302.core			IN	A	172.23.2.1
-ns				IN	A	172.23.2.2
 bacon				IN	A	172.23.2.3
 aveta				IN	A	172.23.2.4
 sulis				IN	A	172.23.2.5
@ -77,8 +82,6 @@ garlic				IN	A	172.23.3.243
 mirror				IN	A	172.23.3.244
 spaghetti			IN	A	172.23.3.245
 maccaroni			IN	A	172.23.3.246
-pve02-bmc.tmp			IN	A	172.23.3.247
-pve02.tmp			IN	A	172.23.3.248
 ffrgb				IN	A	172.23.3.249
 cannelloni			IN	A	172.23.3.250
 noodlehub			IN	A	172.23.3.251
--- a/roles/dns_intern/templates/dnsdist.conf.j2
+++ b/roles/dns_intern/templates/dnsdist.conf.j2
@ -0,0 +1,25 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')
--- a/roles/dns_intern/templates/pdns.conf.j2
+++ b/roles/dns_intern/templates/pdns.conf.j2
@ -1,10 +1,24 @@
 # {{ ansible_managed }}

+{% if ansible_default_ipv4.address == dns_primary %}
+#################################
+# allow-dnsupdate-from  A global setting to allow DNS updates from these IP ranges.
+#
+# allow-dnsupdate-from=127.0.0.0/8,::1
+allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }}
+
+#################################
+# dnsupdate	Enable/Disable DNS update (RFC2136) support.  Default is no.
+#
+# dnsupdate=no
+dnsupdate=yes
+{% endif %}
+
 #################################
 # launch	Which backends to launch and order to query them in
 #
 # launch=
-launch=bind
+launch=bind,gsqlite3

 #################################
 # local-address	Local IP addresses to which we bind
@ -24,6 +38,20 @@ local-ipv6=
 # local-port=53
 local-port=5300

+{% if ansible_default_ipv4.address == dns_primary %}
+#################################
+# master	Act as a master
+#
+# master=no
+master=yes
+
+#################################
+# only-notify   Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+only-notify={{ dns_secondary }}
+{% endif %}
+
 #################################
 # security-poll-suffix	Domain name from which to query security update notifications
 #
@ -40,7 +68,27 @@ setgid=pdns
 #
 setuid=pdns

+{% if ansible_default_ipv4.address == dns_secondary %}
 #################################
-# bind-config   Location of the Bind configuration file to parse.
+# slave	Act as a slave
+#
+# slave=no
+slave=yes
+
+#################################
+# trusted-notification-proxy	IP address of incoming notification proxy
+#
+# trusted-notification-proxy=
+trusted-notification-proxy=127.0.0.1,::1
+{% endif %}
+
+#################################
+# bind-config	Location of named.conf
 #
 bind-config=/etc/powerdns/bindbackend.conf
+
+#################################
+# gsqlite3-database	Filename of the SQLite3 database
+#
+# gsqlite3-database=
+gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
--- a/roles/dns_intern/templates/recursor.conf.j2
+++ b/roles/dns_intern/templates/recursor.conf.j2
@ -16,24 +16,18 @@ config-dir=/etc/powerdns
 # dnssec=process-no-validate
 dnssec=off

-#################################
-# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
-#
-# forward-zones=
-forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
-
 #################################
 # local-address	IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
+local-address=127.0.0.1

 #################################
 # local-port	port to listen on
 #
-local-port=53
+local-port=5353

 #################################
-# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+# query-local-address6	Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
 #
 {% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}