diff --git a/group_vars/kitchen b/group_vars/kitchen index ea56987..daeb185 100644 --- a/group_vars/kitchen +++ b/group_vars/kitchen @@ -4,6 +4,9 @@ dhcpd_failover: true dhcpd_primary: 172.23.2.3 dhcpd_secondary: 172.23.2.4 +dns_primary: 172.23.2.3 +dns_secondary: 172.23.2.4 + name_servers: - 172.23.2.3 - 172.23.2.4 diff --git a/roles/dhcpd/templates/dhcp/dhcpd.conf.j2 b/roles/dhcpd/templates/dhcp/dhcpd.conf.j2 index 450cd97..c8c528f 100644 --- a/roles/dhcpd/templates/dhcp/dhcpd.conf.j2 +++ b/roles/dhcpd/templates/dhcp/dhcpd.conf.j2 @@ -3,13 +3,15 @@ # option definitions common to all supported networks... option domain-name "binary.kitchen"; option domain-name-servers {{ name_servers | join(', ') }}; +option domain-search "binary.kitchen"; option ntp-servers 172.23.1.60, 172.23.2.3; default-lease-time 7200; max-lease-time 28800; # Use this to enble / disable dynamic dns updates globally. -ddns-update-style none; +ddns-update-style interim; +ddns-updates on; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. @@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 { # Users subnet 172.23.3.0 netmask 255.255.255.0 { option routers 172.23.3.1; + ddns-domainname "users.binary.kitchen"; + option domain-search "binary.kitchen", "users.binary.kitchen"; pool { {% if dhcpd_failover == true %} failover peer "failover-partner"; @@ -80,6 +84,12 @@ subnet 172.23.4.0 netmask 255.255.255.0 { } } +# DDNS zones + +zone users.binary.kitchen { + primary {{ dns_primary }}; +} + # Fixed IPs diff --git a/roles/dns_intern/handlers/main.yml b/roles/dns_intern/handlers/main.yml index fffbb22..95f9ada 100644 --- a/roles/dns_intern/handlers/main.yml +++ b/roles/dns_intern/handlers/main.yml @@ -5,3 +5,6 @@ with_items: - pdns - pdns-recursor + +- name: Restart dnsdist + service: name=dnsdist state=restarted diff --git a/roles/dns_intern/tasks/main.yml b/roles/dns_intern/tasks/main.yml index 9b28ef7..d6618fa 100644 
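Review bot: The new `zone users.binary.kitchen { primary {{ dns_primary }}; }` stanza in the third dhcpd.conf.j2 hunk carries no `key` statement, so the updates it sends are unsigned and the only thing authenticating a DHCP server to PowerDNS is its source address. A TSIG key referenced from a `key` block here and from the zone's metadata on the pdns side would make that authentication independent of IP spoofing and of the dnsdist proxy now sitting in front of pdns. In the first hunk, `ddns-update-style interim;` is the style ISC DHCP 4.3+ documents as superseded by `ddns-update-style standard;`. No `zone 23.172.in-addr.arpa` stanza is added although dhcpd also attempts PTR updates for each lease it registers; if the reverse zone stays on the bind backend those will presumably be refused and logged, so either a comment stating that PTR updates are knowingly left to fail or a `zone` stanza once the reverse zone accepts updates would help.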
--- a/roles/dns_intern/tasks/main.yml +++ b/roles/dns_intern/tasks/main.yml @@ -3,6 +3,7 @@ - name: Install powerdns apt: name: + - dnsdist - pdns-server - pdns-recursor @@ -19,8 +20,19 @@ - bind/23.172.in-addr.arpa.zone - bind/binary.kitchen.zone +# TODO +# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master + +# TODO +# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave + +- name: Configure dnsdist + template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf + notify: Restart dnsdist + - name: Start the powerdns services service: name={{ item }} state=started enabled=yes with_items: + - dnsdist - pdns - pdns-recursor diff --git a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 index 9fc9ed8..8ec6641 100644 --- a/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 +++ b/roles/dns_intern/templates/bind/23.172.in-addr.arpa.zone.j2 @@ -1,13 +1,14 @@ $ORIGIN 23.172.in-addr.arpa. ; base for unqualified names $TTL 1h ; default time-to-live -@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. ( - 2021050801; serial +@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( + 2021051601; serial 1d; refresh 2h; retry 4w; expire 1h; minimum time-to-live ) - IN NS ns.binary.kitchen. + IN NS ns1.binary.kitchen. + IN NS ns2.binary.kitchen. ; Loopback 1.0 IN PTR core.binary.kitchen. 2.0 IN PTR erx-bk.binary.kitchen. @@ -36,7 +37,6 @@ $TTL 1h ; default time-to-live 102.1 IN PTR nbe-tr8.binary.kitchen. ; Services 1.2 IN PTR v2302.core.binary.kitchen. -2.2 IN PTR ns.binary.kitchen. 3.2 IN PTR bacon.binary.kitchen. 4.2 IN PTR aveta.binary.kitchen. 5.2 IN PTR sulis.binary.kitchen. diff --git a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 index 44f5a69..465a654 100644 --- a/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 
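Review bot: The two `# TODO` comments in the second tasks/main.yml hunk leave the creation of `users.binary.kitchen` as a manual step, so a fresh run of this playbook ends with dhcpd pushing updates to a zone that exists on neither server. Both can be tasks — `command: pdnsutil create-zone users.binary.kitchen` on the primary and the quoted `create-slave-zone` on the secondary, each guarded with `when: ansible_default_ipv4.address == dns_primary` / `dns_secondary` and made idempotent by checking `pdnsutil list-all-zones` first. The second TODO hard-codes `172.23.2.3` although `dns_primary` is introduced in group_vars by this same commit; use the variable so the two cannot drift.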
+++ b/roles/dns_intern/templates/bind/binary.kitchen.zone.j2 @@ -1,13 +1,17 @@ $ORIGIN binary.kitchen ; base for unqualified names $TTL 1h ; default time-to-live -@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. ( - 2021050801; serial +@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. ( + 2021051601; serial 1d; refresh 2h; retry 4w; expire 1h; minimum time-to-live ) - IN NS ns.binary.kitchen. + IN NS ns1.binary.kitchen. + IN NS ns2.binary.kitchen. +; Subdomains +users IN NS ns1.binary.kitchen. +users IN NS ns2.binary.kitchen. ; External IN A 213.166.246.4 www IN A 213.166.246.4 @@ -21,6 +25,8 @@ ldap1 IN A 172.23.2.3 ldap2 IN A 172.23.2.4 ldapm IN A 213.166.246.2 librenms IN A 172.23.2.6 +ns1 IN A 172.23.2.3 +ns2 IN A 172.23.2.4 racktables IN A 172.23.2.6 radius IN A 172.23.2.3 radius IN A 172.23.2.4 @@ -52,7 +58,6 @@ nbe-w13b IN A 172.23.1.101 nbe-tr8 IN A 172.23.1.102 ; Services v2302.core IN A 172.23.2.1 -ns IN A 172.23.2.2 bacon IN A 172.23.2.3 aveta IN A 172.23.2.4 sulis IN A 172.23.2.5 @@ -77,8 +82,6 @@ garlic IN A 172.23.3.243 mirror IN A 172.23.3.244 spaghetti IN A 172.23.3.245 maccaroni IN A 172.23.3.246 -pve02-bmc.tmp IN A 172.23.3.247 -pve02.tmp IN A 172.23.3.248 ffrgb IN A 172.23.3.249 cannelloni IN A 172.23.3.250 noodlehub IN A 172.23.3.251 diff --git a/roles/dns_intern/templates/dnsdist.conf.j2 b/roles/dns_intern/templates/dnsdist.conf.j2 new file mode 100644 index 0000000..2ddf3dc --- /dev/null +++ b/roles/dns_intern/templates/dnsdist.conf.j2 
@@ -0,0 +1,25 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+
+-- define downstream servers/pools
+newServer({address='127.0.0.1:5300', pool='authdns'})
+newServer({address='127.0.0.1:5353', pool='resolve'})
+
+-- allow AXFR/IXFR only from slaves
+addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- allow NOTIFY only from master
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+
+-- use auth servers for own zones
+addAction('binary.kitchen', PoolAction('authdns'))
+addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+
+-- use resolver for anything else
+addAction(AllRule(), PoolAction('resolve'))
+
+-- disable security status polling via DNS
+setSecurityPollSuffix('')
diff --git a/roles/dns_intern/templates/pdns.conf.j2 b/roles/dns_intern/templates/pdns.conf.j2
index f792402..9945e4f 100644
--- a/roles/dns_intern/templates/pdns.conf.j2
+++ b/roles/dns_intern/templates/pdns.conf.j2
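Review bot: No rule in the new dnsdist.conf.j2 refuses the UPDATE opcode, and both pools sit on loopback, so pdns sees every client as 127.0.0.1, which the `allow-dnsupdate-from=127.0.0.0/8,...` line in the pdns.conf.j2 hunk below accepts; unless the real client address reaches pdns some other way that this diff does not configure, anyone who can reach dnsdist can send RFC 2136 updates for `users.binary.kitchen` and the DHCP-server allowlist in pdns.conf is never consulted. Add, before the `PoolAction` lines because those stop rule processing, `addAction(AndRule({OpcodeRule(DNSOpcode.Update), NotRule(makeRule({"{{ dhcpd_primary }}", "{{ dhcpd_secondary }}"}))}), RCodeAction(dnsdist.REFUSED))`. The same loopback effect makes the AXFR/IXFR rule the only zone-transfer gate, since pdns's own `allow-axfr-ips` defaults to loopback; a comment such as `-- pdns only ever sees 127.0.0.1, so these rules are the sole AXFR/IXFR and NOTIFY gate` would keep a later reader from assuming pdns enforces it too.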
@@ -1,46 +1,94 @@ # {{ ansible_managed }} +{% if ansible_default_ipv4.address == dns_primary %} ################################# -# launch Which backends to launch and order to query them in +# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges. # -# launch= -launch=bind +# allow-dnsupdate-from=127.0.0.0/8,::1 +allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }} ################################# -# local-address Local IP addresses to which we bind +# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no. +# +# dnsupdate=no +dnsupdate=yes +{% endif %} + +################################# +# launch Which backends to launch and order to query them in +# +# launch= +launch=bind,gsqlite3 + +################################# +# local-address Local IP addresses to which we bind # # local-address=0.0.0.0 local-address=127.0.0.1 ################################# -# local-ipv6 Local IP address to which we bind +# local-ipv6 Local IP address to which we bind # # local-ipv6=:: local-ipv6= ################################# -# local-port The port on which we listen +# local-port The port on which we listen # # local-port=53 local-port=5300 +{% if ansible_default_ipv4.address == dns_primary %} ################################# -# security-poll-suffix Domain name from which to query security update notifications +# master Act as a master +# +# master=no +master=yes + +################################# +# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks +# +# only-notify=0.0.0.0/0,::/0 +only-notify={{ dns_secondary }} +{% endif %} + +################################# +# security-poll-suffix Domain name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. 
security-poll-suffix= ################################# -# setgid If set, change group id to this gid for more security +# setgid If set, change group id to this gid for more security # setgid=pdns ################################# -# setuid If set, change user id to this uid for more security +# setuid If set, change user id to this uid for more security # setuid=pdns +{% if ansible_default_ipv4.address == dns_secondary %} ################################# -# bind-config Location of the Bind configuration file to parse. +# slave Act as a slave +# +# slave=no +slave=yes + +################################# +# trusted-notification-proxy IP address of incoming notification proxy +# +# trusted-notification-proxy= +trusted-notification-proxy=127.0.0.1,::1 +{% endif %} + +################################# +# bind-config Location of named.conf # bind-config=/etc/powerdns/bindbackend.conf + +################################# +# gsqlite3-database Filename of the SQLite3 database +# +# gsqlite3-database= +gsqlite3-database=/var/lib/powerdns/pdns.sqlite3 diff --git a/roles/dns_intern/templates/recursor.conf.j2 b/roles/dns_intern/templates/recursor.conf.j2 index 40bfe7a..adf37de 100644 --- a/roles/dns_intern/templates/recursor.conf.j2 +++ b/roles/dns_intern/templates/recursor.conf.j2 
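Review bot: `launch=bind,gsqlite3` in the pdns.conf.j2 hunk enables a backend nothing in this diff provisions: on Debian/Ubuntu the gsqlite3 module is in the separate `pdns-backend-sqlite3` package, which is absent from the apt list in tasks/main.yml, and `/var/lib/powerdns/pdns.sqlite3` is never created with the PowerDNS schema, so as far as this diff shows pdns will presumably fail to launch on both hosts. Either add the package and a task that creates the database from the schema file the package ships (`<schema path from the backend package>`), owned by `pdns` since `setuid=pdns` is set, with `creates:` for idempotency, or note in a comment that the database is provisioned elsewhere. The role selection `{% if ansible_default_ipv4.address == dns_primary %}` / `== dns_secondary` renders a server that is neither master nor slave on a host matching neither, and the comparison breaks whenever a host's default-interface address is not the one in group_vars; an `assert:` task that exactly one of the two matches would surface this at deploy time.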
@@ -1,61 +1,55 @@ # {{ ansible_managed }} ################################# -# allow-from If set, only allow these comma separated netmasks to recurse +# allow-from If set, only allow these comma separated netmasks to recurse # -#allow-from=127.0.0.0/8 +# allow-from=127.0.0.0/8 ################################# -# config-dir Location of configuration directory (recursor.conf) +# config-dir Location of configuration directory (recursor.conf) # config-dir=/etc/powerdns ################################# -# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate +# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate # # dnssec=process-no-validate dnssec=off ################################# -# forward-zones Zones for which we forward queries, comma separated domain=ip pairs +# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. # -# forward-zones= -forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300 +local-address=127.0.0.1 ################################# -# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. +# local-port port to listen on # -local-address=127.0.0.1,{{ ansible_default_ipv4.address }} +local-port=5353 ################################# -# local-port port to listen on -# -local-port=53 - -################################# -# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing +# query-local-address6 Source IPv6 address for sending queries. 
IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES # {% if global_ipv6 is defined %} query-local-address6={{ global_ipv6 | ipaddr('address') }} {% endif %} ################################# -# quiet Suppress logging of questions and answers +# quiet Suppress logging of questions and answers # quiet=yes ################################# -# security-poll-suffix Domain name from which to query security update notifications +# security-poll-suffix Domain name from which to query security update notifications # # security-poll-suffix=secpoll.powerdns.com. security-poll-suffix= ################################# -# setgid If set, change group id to this gid for more security +# setgid If set, change group id to this gid for more security # setgid=pdns ################################# -# setuid If set, change user id to this uid for more security +# setuid If set, change user id to this uid for more security # setuid=pdns
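Review bot: Removing `forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300` relies on dnsdist routing by query name, but the recursor still resolves names itself whenever it follows a CNAME or chases an NS/MX target, and for `binary.kitchen` names it then asks the public zone (which presumably lacks the 172.23.x records the internal template carries) instead of the local authoritative server, while its own `23.172.in-addr.arpa` lookups leave the network. Keep the `forward-zones` line in recursor.conf.j2 alongside the dnsdist routing; it is cheap and closes that split-horizon leak. With `local-address=127.0.0.1` every query now arrives from dnsdist, so the commented-out `allow-from` can no longer express a client ACL; a comment `# all queries arrive via dnsdist on loopback; client ACL lives in dnsdist` would record that.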