aboutsummaryrefslogtreecommitdiffstats
path: root/roles/dns
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2018-02-22 00:25:36 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 11:28:44 +0800
commit71dfbbe0291218bcb3ffaa9997d8aaf6d98a3259 (patch)
tree4a72066a9bb5985524d2c0d3b974a7ace855d55f /roles/dns
parent6e2c2eb10093938e02a0d44726f71f82c7ffc5b8 (diff)
downloadansible-dfly-vps-71dfbbe0291218bcb3ffaa9997d8aaf6d98a3259.tar.bz2
role/dns: configure NSD as the stealth master with 2 domains
* Add "network" and "nsd" variables * Install and configure NSD as the authoritative stealth master server * Allow notify and transfer to slave masters: - freedns.afraid.org - 1984hosting.com * Add preliminary zone files for domains: - 233233.xyz - 1314233.xyz
Diffstat (limited to 'roles/dns')
-rw-r--r--roles/dns/handlers/main.yml6
-rw-r--r--roles/dns/tasks/main.yml32
-rw-r--r--roles/dns/templates/nsd.conf.j2148
-rw-r--r--roles/dns/templates/zones/1314233.xyz.zone.j221
-rw-r--r--roles/dns/templates/zones/233233.xyz.zone.j238
5 files changed, 245 insertions, 0 deletions
diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
new file mode 100644
index 0000000..aab63c8
--- /dev/null
+++ b/roles/dns/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart-unbound
+ command: rcrestart unbound
+
+- name: restart-nsd
+ command: rcrestart nsd
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 59522a8..6712c37 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -20,11 +20,13 @@
command: >
fetch -o /usr/local/etc/unbound/root.hints
"https://www.internic.net/domain/named.cache"
+ notify: restart-unbound
- name: unbound - copy configuration
copy:
src: unbound.conf
dest: /usr/local/etc/unbound/unbound.conf
+ notify: restart-unbound
- name: unbound - enable and start service
command: rcenable unbound
@@ -33,3 +35,33 @@
copy:
src: resolv.conf
dest: /etc/resolv.conf
+
+- name: NSD - copy configuration
+ template:
+ src: nsd.conf.j2
+ dest: /usr/local/etc/nsd/nsd.conf
+ notify: restart-nsd
+
+- name: NSD - check existence of control key/cert
+ stat:
+ path: /usr/local/etc/nsd/nsd_control.key
+ register: stat_result
+
+- name: NSD - generate self-signed key/cert for control
+ command: nsd-control-setup
+ when: stat_result.stat.exists == False
+
+- name: NSD - create zones directory
+ file:
+ path: /usr/local/etc/nsd/zones
+ state: directory
+
+- name: NSD - copy zone files
+ template:
+ src: "zones/{{ item }}.zone.j2"
+ dest: "/usr/local/etc/nsd/zones/{{ item }}.zone"
+ with_items: "{{ nsd.zones }}"
+ notify: restart-nsd
+
+- name: NSD - enable and start service
+ command: rcenable nsd
diff --git a/roles/dns/templates/nsd.conf.j2 b/roles/dns/templates/nsd.conf.j2
new file mode 100644
index 0000000..9110210
--- /dev/null
+++ b/roles/dns/templates/nsd.conf.j2
@@ -0,0 +1,148 @@
+#
+# /usr/local/etc/nsd/nsd.conf
+# See nsd.conf(5)
+#
+# References
+# ----------
+# * NSD DNS Server Tutorial
+# https://calomel.org/nsd_dns.html
+# * Host Your own DNS, without Sacrificing Reliability
+# https://blog.tom-fitzhenry.me.uk/2012/12/host-your-own-dns-without-sacrificing-reliability.html
+# * Stealth (a.k.a. DMZ or Hidden Master) Name Server
+# http://www.zytrax.com/books/dns/ch4/#stealth
+# * Free Secondary/slave DNS services
+# http://www.frankb.us/dns/
+# * Free Secondary (slave) DNS
+# https://bornoe.org/blog/2015/10/free-secondary-slave-dns/
+#
+#
+# Aaron LI
+#
+
+# NOTE:
+# Authoritative master server in *stealth* mode, i.e., hidden master.
+#
+# Due to the importance of the DNS, many registrars require that at least 2
+# name servers are provided from different machines or even from different
+# countries. Maybe you could create another glue record with the same IP
+# address to fool the registrar, but some registrars may further check the
+# IP addresses. Nevertheless, it is highly unrecommended to host your own
+# DNS on single machine, and secondary/slave DNS services should be used.
+# One can even configure a hidden master DNS with several slaves, which
+# can greatly reduce the traffic to the (small) master DNS, since only the
+# configured slaves have access to it, and the better security (avoid DDoS).
+
+server:
+ # Specify the interfaces to bind.
+ # Default are the wildcard interfaces 0.0.0.0 and ::0).
+ ip-address: {{ network.ipv4.address }}
+ ip-address: {{ network.ipv6.address }}
+
+ # Use the reuseport socket option for performance.
+ # Default: no.
+ reuseport: yes
+
+ # Listen on IPv4 connections
+ do-ip4: yes
+
+ # Listen on IPv6 connections
+ do-ip6: yes
+
+ # The file used to store the compiled zone information.
+ # If set to "" then no disk-database is used, less memory used
+ # but zone updates are not (immediately) spooled to disk.
+ #database: "/var/db/nsd/nsd.db"
+ database: ""
+
+ # The directory for "zonefile" files. The daemon chdirs here.
+ #zonesdir: "/usr/local/etc/nsd"
+
+ # The list of dynamically added zones.
+ #zonelistfile: "/var/db/nsd/zone.list"
+
+ # Don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+ hide-version: yes
+
+ # Identify the server (CH TXT ID.SERVER entry)
+ identity: ""
+
+ # Statistics are produced every number of seconds. Prints to log.
+ # Default is 0, meaning no statistics are produced.
+ # NOTE: requires BIND 8 statistics, which is disabled in the package
+ #statistics: 7200
+
+ # Verbosity level (0, 1, 2).
+ # Level 0 will print warnings and errors, and other events that are
+ # important to keep NSD running.
+ verbosity: 0
+
+ # Log messages to file. Default to stderr and syslog (with
+ # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
+ #logfile: "/var/log/nsd.log"
+
+
+# Remote control config section.
+#
+remote-control:
+ # Enable remote control with nsd-control(8) here.
+ control-enable: yes
+
+ # Interfaces listened to for control. Default is on localhost.
+ control-interface: 127.0.0.1
+ control-interface: ::1
+
+ # Server and nsd-control key and certificate files for remote control.
+ # Set up the keys and certificates with nsd-control-setup.
+ server-key-file: "/usr/local/etc/nsd/nsd_server.key"
+ server-cert-file: "/usr/local/etc/nsd/nsd_server.pem"
+ control-key-file: "/usr/local/etc/nsd/nsd_control.key"
+ control-cert-file: "/usr/local/etc/nsd/nsd_control.pem"
+
+
+# Secret keys for TSIGs that secure zone transfers.
+# You could include: "secret.keys" and put the "key:" statements there,
+# and give that file special access control permissions.
+#
+key:
+ # The key name is used to refer to this key in the access control list,
+ # and must be correct for TSIG to work.
+ name: "{{ nsd.key_name }}"
+
+ # The base64-encoded shared secret.
+ # e.g.: dd if=/dev/random bs=32 count=1 | openssl base64
+ secret: "{{ nsd.key_secret }}"
+
+
+# Patterns have zone configuration that are shared by one or more zones.
+#
+pattern:
+ # Name by which the pattern is referred to
+ name: "stealth_zones"
+
+ # The zonefile for the zones that use this pattern.
+ # If relative then from the zonesdir (inside the chroot).
+ # the name is processed: %s - zone name (as appears in zone:name).
+ zonefile: "zones/%s.zone"
+
+ # Use "%s" to use the name of the zone to track its statistics from
+ # nsd-control stats and stats_noreset.
+ zonestats: "%s"
+
+ # Notify these slaves when the master zone changes
+ notify: 174.37.196.55 NOKEY # freedns.afraid.org
+ notify: 93.95.224.6 NOKEY # 1984hosting.com
+
+ # Allow these IPs and TSIG to transfer zones.
+ provide-xfr: 174.37.196.55 NOKEY # freedns.afraid.org
+ provide-xfr: 93.95.224.6 NOKEY # 1984hosting.com
+
+
+# Fixed zone entries. Here you can config zones that cannot be deleted.
+# Zones that are dynamically added and deleted are put in the zonelist file.
+#
+{% for zone in nsd.zones %}
+zone:
+ name: "{{ zone }}"
+ include-pattern: "stealth_zones"
+
+{% endfor %}
diff --git a/roles/dns/templates/zones/1314233.xyz.zone.j2 b/roles/dns/templates/zones/1314233.xyz.zone.j2
new file mode 100644
index 0000000..ede92da
--- /dev/null
+++ b/roles/dns/templates/zones/1314233.xyz.zone.j2
@@ -0,0 +1,21 @@
+$ORIGIN 1314233.xyz.
+$TTL 1h
+
+@ IN SOA ns.1314233.xyz. admin.1314233.xyz. (
+ 2018022120 ; serial number
+ 1d ; refresh
+ 2h ; retry
+ 4w ; expire
+ 1h ; minimum TTL
+ )
+
+@ IN NS ns2.afraid.org.
+
+@ IN A {{ network.ipv4.address }}
+@ IN AAAA {{ network.ipv6.address }}
+
+www IN CNAME www.233233.xyz.
+g IN CNAME g.233233.xyz.
+zw IN CNAME zw.233233.xyz.
+
+; vim: set ft=bindzone :
diff --git a/roles/dns/templates/zones/233233.xyz.zone.j2 b/roles/dns/templates/zones/233233.xyz.zone.j2
new file mode 100644
index 0000000..9a71750
--- /dev/null
+++ b/roles/dns/templates/zones/233233.xyz.zone.j2
@@ -0,0 +1,38 @@
+$ORIGIN 233233.xyz.
+$TTL 1h
+
+; WARNING:
+; A CNAME record is NOT allowed to coexist with *any other* data!
+; Therefore one can't have a CNAME Record at the zone root, because
+; the zone root must have two mandatory records: SOA and NS.
+;
+; According to the specification: if a CNAME RR is present at a node,
+; no other data should be present; this ensures that the data for a
+; canonical name and its aliases cannot be different. This rule also
+; insures that a cached CNAME can be used without checking with an
+; authoritative server for other RR types.
+
+@ IN SOA ns.233233.xyz. admin.233233.xyz. (
+ 2018022123 ; serial number
+ 1d ; refresh
+ 2h ; retry
+ 4w ; expire
+ 1h ; minimum TTL
+ )
+
+@ IN NS ns2.afraid.org.
+
+;@ IN MX 10 mail.233233.xyz.
+
+@ IN A {{ network.ipv4.address }}
+@ IN AAAA {{ network.ipv6.address }}
+;mail IN A {{ network.ipv4.address }}
+;mail IN AAAA {{ network.ipv6.address }}
+
+www IN CNAME @
+g IN CNAME @
+zw IN CNAME @
+
+;@ IN TXT "v=spf1 mx -all"
+
+; vim: set ft=bindzone :