noby/ansible
1
0
Fork 0
forked from infra/ansible
Code Issues Pull Requests Projects Releases Wiki Activity

dns_intern: set RA flag on answers from auth for own zones

Browse Source
This commit is contained in:
Markus 2024-11-17 19:32:02 +01:00
parent 29d008ca04
commit 9179a8a1f6
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
roles/dns_intern/templates/dnsdist.conf.j2
View File

@ -9,17 +9,27 @@ newServer({address='127.0.0.1:5300', pool='authdns'})
newServer({address='127.0.0.1:5353', pool='resolve'})
{% if dns_secondary is defined %}
-- allow AXFR/IXFR only from slaves
-- allow AXFR/IXFR only from secondary
addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
{% endif %}
-- allow NOTIFY only from master
-- allow NOTIFY only from primary
addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
-- use auth servers for own zones
addAction('binary.kitchen', PoolAction('authdns'))
addAction('23.172.in-addr.arpa', PoolAction('authdns'))
-- function to set RA flag
function setRA(dq)
dq.dh:setRA(true)
return DNSResponseAction.None
end
-- set RA flag for queries to own zones
addResponseAction('binary.kitchen', LuaResponseAction(setRA))
addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))
-- use resolver for anything else
addAction(AllRule(), PoolAction('resolve'))