dns-intern: use future-proof pdns config

2019-10-14 18:34:43 +02:00 · 2019-10-14 18:34:43 +02:00 · 91d95b190c
parent 986392237c
commit 91d95b190c
2 changed files with 37 additions and 16 deletions
--- a/roles/dns-intern/templates/pdns.conf.j2
+++ b/roles/dns-intern/templates/pdns.conf.j2
@ -1,22 +1,28 @@
-#################################
-# allow-recursion       List of subnets that are allowed to recurse
-#
-allow-recursion=127.0.0.1,172.23.0.0/16
-
-#################################
-# daemon        Operate as a daemon
-#
-daemon=yes
+# {{ ansible_managed }}

 #################################
 # launch        Which backends to launch and order to query them in
 #
+# launch=
 launch=bind

 #################################
-# recursor      If recursion is desired, IP address of a recursing nameserver
+# local-address Local IP addresses to which we bind
 #
-recursor=127.0.0.1:5300
+# local-address=0.0.0.0
+local-address=127.0.0.1
+
+#################################
+# local-ipv6    Local IP address to which we bind
+#
+# local-ipv6=::
+local-ipv6=
+
+#################################
+# local-port    The port on which we listen
+#
+# local-port=53
+local-port=5300

 #################################
 # security-poll-suffix  Domain name from which to query security update notifications
--- a/roles/dns-intern/templates/recursor.conf.j2
+++ b/roles/dns-intern/templates/recursor.conf.j2
@ -1,12 +1,14 @@
+# {{ ansible_managed }}
+
 #################################
 # allow-from    If set, only allow these comma separated netmasks to recurse
 #
-allow-from=127.0.0.0/8
+#allow-from=127.0.0.0/8

 #################################
-# daemon        Operate as a daemon
+# config-dir    Location of configuration directory (recursor.conf)
 #
-daemon=yes
+config-dir=/etc/powerdns

 #################################
 # dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
@ -14,15 +16,28 @@ daemon=yes
 # dnssec=process-no-validate
 dnssec=off

+#################################
+# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
+#
+# forward-zones=
+forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
+
 #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
-local-address=127.0.0.1
+local-address=127.0.0.1,{{ ansible_default_ipv4.address }}

 #################################
 # local-port    port to listen on
 #
-local-port=5300
+local-port=53
+
+#################################
+# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+#
+{% if global_ipv6 is defined %}
+query-local-address6={{ global_ipv6 | ipaddr('address') }}
+{% endif %}

 #################################
 # quiet Suppress logging of questions and answers