1
0
forked from infra/ansible

dhcpd, dns_intern: provide dynamic dns entries

clients in the 172.23.3.0/24 subnet are now provided with dynamic dns
entries in the users.binary.kitchen domain - forward entries only
This commit is contained in:
Markus 2021-05-16 18:35:29 +02:00
parent e0a5d012ee
commit e8dcf169e2
9 changed files with 138 additions and 40 deletions

View File

@ -4,6 +4,9 @@ dhcpd_failover: true
dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4
dns_primary: 172.23.2.3
dns_secondary: 172.23.2.4
name_servers:
- 172.23.2.3
- 172.23.2.4

View File

@ -3,13 +3,15 @@
# option definitions common to all supported networks...
option domain-name "binary.kitchen";
option domain-name-servers {{ name_servers | join(', ') }};
option domain-search "binary.kitchen";
option ntp-servers 172.23.1.60, 172.23.2.3;
default-lease-time 7200;
max-lease-time 28800;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style none;
ddns-update-style interim;
ddns-updates on;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
@ -61,6 +63,8 @@ subnet 172.23.2.0 netmask 255.255.255.0 {
# Users
subnet 172.23.3.0 netmask 255.255.255.0 {
option routers 172.23.3.1;
ddns-domainname "users.binary.kitchen";
option domain-search "binary.kitchen", "users.binary.kitchen";
pool {
{% if dhcpd_failover == true %}
failover peer "failover-partner";
@ -80,6 +84,12 @@ subnet 172.23.4.0 netmask 255.255.255.0 {
}
}
# DDNS zones
zone users.binary.kitchen {
primary {{ dns_primary }};
}
# Fixed IPs

View File

@ -5,3 +5,6 @@
with_items:
- pdns
- pdns-recursor
- name: Restart dnsdist
service: name=dnsdist state=restarted

View File

@ -3,6 +3,7 @@
- name: Install powerdns
apt:
name:
- dnsdist
- pdns-server
- pdns-recursor
@ -19,8 +20,19 @@
- bind/23.172.in-addr.arpa.zone
- bind/binary.kitchen.zone
# TODO
# Initialize zone users.binary.kitchen using pdnsutil or SQL on the master
# TODO
# Initialize zone users.binary.kitchen using "pdnsutil create-slave-zone users.binary.kitchen 172.23.2.3" on the slave
- name: Configure dnsdist
template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
notify: Restart dnsdist
- name: Start the powerdns services
service: name={{ item }} state=started enabled=yes
with_items:
- dnsdist
- pdns
- pdns-recursor

View File

@ -1,13 +1,14 @@
$ORIGIN 23.172.in-addr.arpa. ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2021050801; serial
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2021051601; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns.binary.kitchen.
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Loopback
1.0 IN PTR core.binary.kitchen.
2.0 IN PTR erx-bk.binary.kitchen.
@ -36,7 +37,6 @@ $TTL 1h ; default time-to-live
102.1 IN PTR nbe-tr8.binary.kitchen.
; Services
1.2 IN PTR v2302.core.binary.kitchen.
2.2 IN PTR ns.binary.kitchen.
3.2 IN PTR bacon.binary.kitchen.
4.2 IN PTR aveta.binary.kitchen.
5.2 IN PTR sulis.binary.kitchen.

View File

@ -1,13 +1,17 @@
$ORIGIN binary.kitchen ; base for unqualified names
$TTL 1h ; default time-to-live
@ IN SOA ns.binary.kitchen. hostmaster.binary.kitchen. (
2021050801; serial
@ IN SOA ns1.binary.kitchen. hostmaster.binary.kitchen. (
2021051601; serial
1d; refresh
2h; retry
4w; expire
1h; minimum time-to-live
)
IN NS ns.binary.kitchen.
IN NS ns1.binary.kitchen.
IN NS ns2.binary.kitchen.
; Subdomains
users IN NS ns1.binary.kitchen.
users IN NS ns2.binary.kitchen.
; External
IN A 213.166.246.4
www IN A 213.166.246.4
@ -21,6 +25,8 @@ ldap1 IN A 172.23.2.3
ldap2 IN A 172.23.2.4
ldapm IN A 213.166.246.2
librenms IN A 172.23.2.6
ns1 IN A 172.23.2.3
ns2 IN A 172.23.2.4
racktables IN A 172.23.2.6
radius IN A 172.23.2.3
radius IN A 172.23.2.4
@ -52,7 +58,6 @@ nbe-w13b IN A 172.23.1.101
nbe-tr8 IN A 172.23.1.102
; Services
v2302.core IN A 172.23.2.1
ns IN A 172.23.2.2
bacon IN A 172.23.2.3
aveta IN A 172.23.2.4
sulis IN A 172.23.2.5
@ -77,8 +82,6 @@ garlic IN A 172.23.3.243
mirror IN A 172.23.3.244
spaghetti IN A 172.23.3.245
maccaroni IN A 172.23.3.246
pve02-bmc.tmp IN A 172.23.3.247
pve02.tmp IN A 172.23.3.248
ffrgb IN A 172.23.3.249
cannelloni IN A 172.23.3.250
noodlehub IN A 172.23.3.251

View File

@ -0,0 +1,25 @@
-- {{ ansible_managed }}
setLocal('127.0.0.1')
addLocal('::1')
addLocal('{{ ansible_default_ipv4.address }}')
-- define downstream servers/pools
newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
-- allow AXFR/IXFR only from slaves
addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
-- allow NOTIFY only from master
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))
-- disable security status polling via DNS
setSecurityPollSuffix('')

View File

@ -1,10 +1,24 @@
# {{ ansible_managed }}
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# allow-dnsupdate-from A global setting to allow DNS updates from these IP ranges.
#
# allow-dnsupdate-from=127.0.0.0/8,::1
allow-dnsupdate-from=127.0.0.0/8,::1,{{ dhcpd_primary }},{{ dhcpd_secondary }}
#################################
# dnsupdate Enable/Disable DNS update (RFC2136) support. Default is no.
#
# dnsupdate=no
dnsupdate=yes
{% endif %}
#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=bind
launch=bind,gsqlite3
#################################
# local-address Local IP addresses to which we bind
@ -24,6 +38,20 @@ local-ipv6=
# local-port=53
local-port=5300
{% if ansible_default_ipv4.address == dns_primary %}
#################################
# master Act as a master
#
# master=no
master=yes
#################################
# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
#
# only-notify=0.0.0.0/0,::/0
only-notify={{ dns_secondary }}
{% endif %}
#################################
# security-poll-suffix Domain name from which to query security update notifications
#
@ -40,7 +68,27 @@ setgid=pdns
#
setuid=pdns
{% if ansible_default_ipv4.address == dns_secondary %}
#################################
# bind-config Location of the Bind configuration file to parse.
# slave Act as a slave
#
# slave=no
slave=yes
#################################
# trusted-notification-proxy IP address of incoming notification proxy
#
# trusted-notification-proxy=
trusted-notification-proxy=127.0.0.1,::1
{% endif %}
#################################
# bind-config Location of named.conf
#
bind-config=/etc/powerdns/bindbackend.conf
#################################
# gsqlite3-database Filename of the SQLite3 database
#
# gsqlite3-database=
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3

View File

@ -16,24 +16,18 @@ config-dir=/etc/powerdns
# dnssec=process-no-validate
dnssec=off
#################################
# forward-zones Zones for which we forward queries, comma separated domain=ip pairs
#
# forward-zones=
forward-zones=binary.kitchen=127.0.0.1:5300,23.172.in-addr.arpa=127.0.0.1:5300
#################################
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
#
local-address=127.0.0.1,{{ ansible_default_ipv4.address }}
local-address=127.0.0.1
#################################
# local-port port to listen on
#
local-port=53
local-port=5353
#################################
# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
# query-local-address6 Source IPv6 address for sending queries. IF UNSET, IPv6 WILL NOT BE USED FOR OUTGOING QUERIES
#
{% if global_ipv6 is defined %}
query-local-address6={{ global_ipv6 | ipaddr('address') }}