author | Aaron LI <aly@aaronly.me> | 2018-02-22 00:25:36 +0800 |
committer | Aaron LI <aly@aaronly.me> | 2018-03-14 11:28:44 +0800 |
commit | 71dfbbe0291218bcb3ffaa9997d8aaf6d98a3259 (patch) | |
tree | 4a72066a9bb5985524d2c0d3b974a7ace855d55f /roles/dns | |
parent | 6e2c2eb10093938e02a0d44726f71f82c7ffc5b8 (diff) | |
download | ansible-dfly-vps-71dfbbe0291218bcb3ffaa9997d8aaf6d98a3259.tar.bz2 |
role/dns: configure NSD as the stealth master with 2 domains
* Add "network" and "nsd" variables
* Install and configure NSD as the authoritative stealth master server
* Allow notify and transfer to slave servers:
- freedns.afraid.org
- 1984hosting.com
* Add preliminary zone files for domains:
- 233233.xyz
- 1314233.xyz
Diffstat (limited to 'roles/dns')
-rw-r--r-- | roles/dns/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/dns/tasks/main.yml | 32 | ||||
-rw-r--r-- | roles/dns/templates/nsd.conf.j2 | 148 | ||||
-rw-r--r-- | roles/dns/templates/zones/1314233.xyz.zone.j2 | 21 | ||||
-rw-r--r-- | roles/dns/templates/zones/233233.xyz.zone.j2 | 38 |
5 files changed, 245 insertions, 0 deletions
diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
new file mode 100644
index 0000000..aab63c8
--- /dev/null
+++ b/roles/dns/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart-unbound
+ command: rcrestart unbound
+
+- name: restart-nsd
+ command: rcrestart nsd
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 59522a8..6712c37 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -20,11 +20,13 @@ command: > fetch -o /usr/local/etc/unbound/root.hints "https://www.internic.net/domain/named.cache" + notify: restart-unbound - name: unbound - copy configuration copy: src: unbound.conf dest: /usr/local/etc/unbound/unbound.conf + notify: restart-unbound - name: unbound - enable and start service command: rcenable unbound
@@ -33,3 +35,33 @@
 copy:
 src: resolv.conf
 dest: /etc/resolv.conf
+
+- name: NSD - copy configuration
+ template:
+ src: nsd.conf.j2
+ dest: /usr/local/etc/nsd/nsd.conf
+ notify: restart-nsd
+
+- name: NSD - check existence of control key/cert
+ stat:
+ path: /usr/local/etc/nsd/nsd_control.key
+ register: stat_result
+
+- name: NSD - generate self-signed key/cert for control
+ command: nsd-control-setup
+ when: stat_result.stat.exists == False
+
+- name: NSD - create zones directory
+ file:
+ path: /usr/local/etc/nsd/zones
+ state: directory
+
+- name: NSD - copy zone files
+ template:
+ src: "zones/{{ item }}.zone.j2"
+ dest: "/usr/local/etc/nsd/zones/{{ item }}.zone"
+ with_items: "{{ nsd.zones }}"
+ notify: restart-nsd
+
+- name: NSD - enable and start service
+ command: rcenable nsd
diff --git a/roles/dns/templates/nsd.conf.j2 b/roles/dns/templates/nsd.conf.j2
new file mode 100644
index 0000000..9110210
--- /dev/null
+++ b/roles/dns/templates/nsd.conf.j2
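Review bot: The "NSD - copy configuration" task renders nsd.conf.j2 to `/usr/local/etc/nsd/nsd.conf` without `owner`, `group` or `mode`, so the file gets whatever the umask yields even though the template embeds the TSIG shared secret (`secret: "{{ nsd.key_secret }}"`). Add `mode: '0640'` to that `template:` task, with `owner`/`group` set to root and the account NSD drops privileges to (the package's rc script shows which); the same applies to the zone-file `template` task if the zones are considered private to the hidden master. Separately, `when: stat_result.stat.exists == False` reads more idiomatically as `when: not stat_result.stat.exists`. This hunk's enclosing task list starts before the hunk.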
@@ -0,0 +1,148 @@
+#
+# /usr/local/etc/nsd/nsd.conf
+# See nsd.conf(5)
+#
+# References
+# ----------
+# * NSD DNS Server Tutorial
+# https://calomel.org/nsd_dns.html
+# * Host Your own DNS, without Sacrificing Reliability
+# https://blog.tom-fitzhenry.me.uk/2012/12/host-your-own-dns-without-sacrificing-reliability.html
+# * Stealth (a.k.a. DMZ or Hidden Master) Name Server
+# http://www.zytrax.com/books/dns/ch4/#stealth
+# * Free Secondary/slave DNS services
+# http://www.frankb.us/dns/
+# * Free Secondary (slave) DNS
+# https://bornoe.org/blog/2015/10/free-secondary-slave-dns/
+#
+#
+# Aaron LI
+#
+
+# NOTE:
+# Authoritative master server in *stealth* mode, i.e., hidden master.
+#
+# Due to the importance of the DNS, many registrars require that at least 2
+# name servers are provided from different machines or even from different
+# countries. Maybe you could create another glue record with the same IP
+# address to fool the registrar, but some registrars may further check the
+# IP addresses. Nevertheless, it is highly unrecommended to host your own
+# DNS on single machine, and secondary/slave DNS services should be used.
+# One can even configure a hidden master DNS with several slaves, which
+# can greatly reduce the traffic to the (small) master DNS, since only the
+# configured slaves have access to it, and the better security (avoid DDoS).
+
+server:
+ # Specify the interfaces to bind.
+ # Default are the wildcard interfaces 0.0.0.0 and ::0).
+ ip-address: {{ network.ipv4.address }}
+ ip-address: {{ network.ipv6.address }}
+
+ # Use the reuseport socket option for performance.
+ # Default: no.
+ reuseport: yes
+
+ # Listen on IPv4 connections
+ do-ip4: yes
+
+ # Listen on IPv6 connections
+ do-ip6: yes
+
+ # The file used to store the compiled zone information.
+ # If set to "" then no disk-database is used, less memory used
+ # but zone updates are not (immediately) spooled to disk.
+ #database: "/var/db/nsd/nsd.db"
+ database: ""
+
+ # The directory for "zonefile" files. The daemon chdirs here.
+ #zonesdir: "/usr/local/etc/nsd"
+
+ # The list of dynamically added zones.
+ #zonelistfile: "/var/db/nsd/zone.list"
+
+ # Don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
+ hide-version: yes
+
+ # Identify the server (CH TXT ID.SERVER entry)
+ identity: ""
+
+ # Statistics are produced every number of seconds. Prints to log.
+ # Default is 0, meaning no statistics are produced.
+ # NOTE: requires BIND 8 statistics, which is disabled in the package
+ #statistics: 7200
+
+ # Verbosity level (0, 1, 2).
+ # Level 0 will print warnings and errors, and other events that are
+ # important to keep NSD running.
+ verbosity: 0
+
+ # Log messages to file. Default to stderr and syslog (with
+ # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
+ #logfile: "/var/log/nsd.log"
+
+
+# Remote control config section.
+#
+remote-control:
+ # Enable remote control with nsd-control(8) here.
+ control-enable: yes
+
+ # Interfaces listened to for control. Default is on localhost.
+ control-interface: 127.0.0.1
+ control-interface: ::1
+
+ # Server and nsd-control key and certificate files for remote control.
+ # Set up the keys and certificates with nsd-control-setup.
+ server-key-file: "/usr/local/etc/nsd/nsd_server.key"
+ server-cert-file: "/usr/local/etc/nsd/nsd_server.pem"
+ control-key-file: "/usr/local/etc/nsd/nsd_control.key"
+ control-cert-file: "/usr/local/etc/nsd/nsd_control.pem"
+
+
+# Secret keys for TSIGs that secure zone transfers.
+# You could include: "secret.keys" and put the "key:" statements there,
+# and give that file special access control permissions.
+#
+key:
+ # The key name is used to refer to this key in the access control list,
+ # and must be correct for TSIG to work.
+ name: "{{ nsd.key_name }}"
+
+ # The base64-encoded shared secret.
+ # e.g.: dd if=/dev/random bs=32 count=1 | openssl base64
+ secret: "{{ nsd.key_secret }}"
+
+
+# Patterns have zone configuration that are shared by one or more zones.
+#
+pattern:
+ # Name by which the pattern is referred to
+ name: "stealth_zones"
+
+ # The zonefile for the zones that use this pattern.
+ # If relative then from the zonesdir (inside the chroot).
+ # the name is processed: %s - zone name (as appears in zone:name).
+ zonefile: "zones/%s.zone"
+
+ # Use "%s" to use the name of the zone to track its statistics from
+ # nsd-control stats and stats_noreset.
+ zonestats: "%s"
+
+ # Notify these slaves when the master zone changes
+ notify: 174.37.196.55 NOKEY # freedns.afraid.org
+ notify: 93.95.224.6 NOKEY # 1984hosting.com
+
+ # Allow these IPs and TSIG to transfer zones.
+ provide-xfr: 174.37.196.55 NOKEY # freedns.afraid.org
+ provide-xfr: 93.95.224.6 NOKEY # 1984hosting.com
+
+
+# Fixed zone entries. Here you can config zones that cannot be deleted.
+# Zones that are dynamically added and deleted are put in the zonelist file.
+#
+{% for zone in nsd.zones %}
+zone:
+ name: "{{ zone }}"
+ include-pattern: "stealth_zones"
+
+{% endfor %}
diff --git a/roles/dns/templates/zones/1314233.xyz.zone.j2 b/roles/dns/templates/zones/1314233.xyz.zone.j2
new file mode 100644
index 0000000..ede92da
--- /dev/null
+++ b/roles/dns/templates/zones/1314233.xyz.zone.j2
@@ -0,0 +1,21 @@
+$ORIGIN 1314233.xyz.
+$TTL 1h
+
+@ IN SOA ns.1314233.xyz. admin.1314233.xyz. (
+ 2018022120 ; serial number
+ 1d ; refresh
+ 2h ; retry
+ 4w ; expire
+ 1h ; minimum TTL
+ )
+
+@ IN NS ns2.afraid.org.
+
+@ IN A {{ network.ipv4.address }}
+@ IN AAAA {{ network.ipv6.address }}
+
+www IN CNAME www.233233.xyz.
+g IN CNAME g.233233.xyz.
+zw IN CNAME zw.233233.xyz.
+
+; vim: set ft=bindzone :
diff --git a/roles/dns/templates/zones/233233.xyz.zone.j2 b/roles/dns/templates/zones/233233.xyz.zone.j2
new file mode 100644
index 0000000..9a71750
--- /dev/null
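Review bot: The `key:` section defines a TSIG key from `nsd.key_name`/`nsd.key_secret`, but every `notify:` and `provide-xfr:` line in the `stealth_zones` pattern says `NOKEY`, so the key is never referenced and zone transfers are authorized by source address alone, with no integrity protection on the AXFR. If the secondaries accept TSIG (not determinable from this diff), the lines should read `provide-xfr: 174.37.196.55 {{ nsd.key_name }}` and likewise for 93.95.224.6 and the two `notify:` lines; if they do not, the `key:` block is dead configuration and the secret should not be rendered into nsd.conf at all. The comment above `provide-xfr` ("Allow these IPs and TSIG to transfer zones") currently promises more than the directives deliver, so either the directives or the comment needs to change.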
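Review bot: The SOA serial `2018022120` is a fixed literal in a template whose A/AAAA records come from `{{ network.ipv4.address }}` and `{{ network.ipv6.address }}`, so a changed address re-renders the zone and restarts NSD but leaves the serial unchanged, and the notified secondaries will see no new version to transfer. Deriving the serial from a role variable (a constructed example: `{{ nsd.zone_serial }}`) or from a date filter on the play, and documenting that it must be bumped on every content change, would close that gap; the same applies to `2018022123` in the 233233.xyz.zone.j2 hunk. Also, the SOA MNAME `ns.1314233.xyz.` has no A/AAAA record in this zone and is not in the NS set, and only `ns2.afraid.org.` is delegated although the commit message lists two secondary providers; if that is deliberate for a hidden master, a one-line comment saying so (`; MNAME is the hidden master; it is intentionally not delegated`) would save the next reader the question. The 233233.xyz zone has the same MNAME/NS shape.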
+++ b/roles/dns/templates/zones/233233.xyz.zone.j2
@@ -0,0 +1,38 @@
+$ORIGIN 233233.xyz.
+$TTL 1h
+
+; WARNING:
+; A CNAME record is NOT allowed to coexist with *any other* data!
+; Therefore one can't have a CNAME Record at the zone root, because
+; the zone root must have two mandatory records: SOA and NS.
+;
+; According to the specification: if a CNAME RR is present at a node,
+; no other data should be present; this ensures that the data for a
+; canonical name and its aliases cannot be different. This rule also
+; insures that a cached CNAME can be used without checking with an
+; authoritative server for other RR types.
+
+@ IN SOA ns.233233.xyz. admin.233233.xyz. (
+ 2018022123 ; serial number
+ 1d ; refresh
+ 2h ; retry
+ 4w ; expire
+ 1h ; minimum TTL
+ )
+
+@ IN NS ns2.afraid.org.
+
+;@ IN MX 10 mail.233233.xyz.
+
+@ IN A {{ network.ipv4.address }}
+@ IN AAAA {{ network.ipv6.address }}
+;mail IN A {{ network.ipv4.address }}
+;mail IN AAAA {{ network.ipv6.address }}
+
+www IN CNAME @
+g IN CNAME @
+zw IN CNAME @
+
+;@ IN TXT "v=spf1 mx -all"
+
+; vim: set ft=bindzone :
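Review bot: The WARNING block quotes the CNAME exclusivity rule as "According to the specification" without saying which one; the quoted sentences are from RFC 1034 section 3.6.2, so `; According to RFC 1034, section 3.6.2: if a CNAME RR is present at a node,` would let a reader verify it. The SPF record is left commented out (`;@ IN TXT "v=spf1 mx -all"`) while no MX is published; if the domain is not meant to send mail, publishing a TXT record that authorizes no sender instead of none at all is the usual way to stop the name being used in forged envelopes, and a short comment stating which is intended would help either way.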