Commit ae1f2283 authored by Michele Salerno

fork github

# Ansible role `bind`
[![N|Solid](http://basilicata.ninux.org/images/Logo_Ninux_Basilicata_600-192.png)](http://basilicata.ninux.org)
This is a playbook for installing and configuring a DNS server with ISC BIND for multiple domains on Debian/Ubuntu (RedHat/CentOS support is planned). Specifically, the playbook is split into 2 roles: a base role, COMMON, and one for BIND.
- The `common` role mainly configures:
  - the SSH port
  - users and SSH keys
  - the login banner
  - the shell profile (aliases, terminal colours)
- The `bind` role:
  - installs BIND
  - configures the main files
  - master server
  - slave server
  - sets up the zone files
Multiple zones and IPv6 are supported.
## Installing Ansible on Debian
Add the following line to /etc/apt/sources.list:
~~~
deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main
~~~
Then import the repository signing key and install the package:
~~~
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
$ sudo apt-get update
$ sudo apt-get install ansible
~~~
## Variables for the Bind9 role
Variables are not required, unless specified.
| Variable | Default | Comments (type) |
| :--- | :--- | :--- |
| `bind_acls` | `[]` | A list of ACL definitions, which are dicts with fields `name` and `match_list`. See below for an example. |
| `bind_dns_keys` | `[]` | A list of binding keys, which are dicts with fields `name`, `algorithm` and `secret`. See below for an example. |
| `bind_allow_query` | `['localhost']` | A list of hosts that are allowed to query this DNS server. Set to ['any'] to allow all hosts |
| `bind_allow_recursion` | `['any']` | Similar to bind_allow_query, this option applies to recursive queries. |
| `bind_check_names` | `[]` | Check host names for compliance with RFC 952 and RFC 1123 and take the defined action (e.g. `warn`, `ignore`, `fail`). |
| `bind_dnssec_enable` | `true` | Is DNSSEC enabled |
| `bind_dnssec_validation` | `true` | Is DNSSEC validation enabled |
| `bind_extra_include_files` | `[]` | |
| `bind_forward_only` | `false` | If `true`, BIND is set up as a caching name server |
| `bind_forwarders` | `[]` | A list of name servers to forward DNS requests to. |
| `bind_listen_ipv4` | `['127.0.0.1']` | A list of the IPv4 address of the network interface(s) to listen on. Set to ['any'] to listen on all interfaces. |
| `bind_listen_ipv6` | `['::1']` | A list of the IPv6 address of the network interface(s) to listen on |
| `bind_log` | `data/named.run` | Path to the log file |
| `bind_query_log` | - | When defined (e.g. `data/query.log`), this will turn on the query log |
| `bind_recursion` | `false` | Determines whether requests for which the DNS server is not authoritative should be forwarded†. |
| `bind_rrset_order` | `random` | Defines order for DNS round robin (either `random` or `cyclic`) |
| `bind_zone_dir` | - | When defined, sets a custom absolute path to the server directory (for zone files, etc.) instead of the default. |
| `bind_zone_domains` | n/a | A list of domains to configure, with a separate dict for each domain, with relevant details |
| `- allow_update` | `['none']` | A list of hosts that are allowed to dynamically update this DNS zone. |
| `- also_notify` | - | A list of servers that will receive a notification when the master zone file is reloaded. |
| `- delegate` | `[]` | Zone delegation. See below this table for examples. |
| `- hostmaster_email` | `hostmaster` | The e-mail address of the system administrator for the zone |
| `- hosts` | `[]` | Host definitions. See below this table for examples. |
| `- ipv6_networks` | `[]` | A list of the IPv6 networks that are part of the domain, in CIDR notation (e.g. 2001:db8::/48) |
| `- mail_servers` | `[{name: mail, preference: 10}]` | A list of dicts (with fields `name` and `preference`) specifying the mail servers for this domain. |
| `- name_servers` | `[ansible_hostname]` | A list of the DNS servers for this domain. |
| `- name` | `example.com` | The domain name |
| `- networks` | `['10.0.2']` | A list of the networks that are part of the domain |
| `- other_name_servers` | `[]` | A list of the DNS servers outside of this domain. |
| `- services` | `[]` | A list of services to be advertized by SRV records |
| `- text` | `[]` | A list of dicts with fields `name` and `text`, specifying TXT records. `text` can be a list or string. |
| `bind_zone_file_mode` | 0640 | The file permissions for the main config file (named.conf) |
| `bind_zone_master_server_ip` | - | **(Required)** The IP address of the master DNS server. |
| `bind_zone_minimum_ttl` | `1D` | Minimum TTL field in the SOA record. |
| `bind_zone_time_to_expire` | `1W` | Time to expire field in the SOA record. |
| `bind_zone_time_to_refresh` | `1D` | Time to refresh field in the SOA record. |
| `bind_zone_time_to_retry` | `1H` | Time to retry field in the SOA record. |
| `bind_zone_ttl` | `1W` | Time to Live field in the SOA record. |
### Minimum variables to define for the zones:
| Variable | Master | Slave |
| :--- | :---: | :---: |
| `bind_zone_domains` | V | V |
| ` - name` | V | V |
| ` - networks` | V | -- |
| ` - name_servers` | V | -- |
| ` - hosts` | V | -- |
| `bind_listen_ipv4` | V | V |
| `bind_allow_query` | V | V |
### Example domain definition
```yaml
bind_zone_domains:
  - name: ninux.nnxx
    hosts:
      - name: dns
        ip: 10.27.253.10
        ipv6: 2001:db8::1
        ttl: 900
        aliases:
          - ns
      - name: '@'
        ip:
          - 10.27.253.10
          - 10.27.253.11
        ipv6:
          - 2001:db8::1
          - 2001:db8::2
        aliases:
          - ns1
      - name: ns2
        ip: 10.27.22.5
    networks:
      - '10.27.250'
      - '10.27'
      - '10'
    delegate:
      - zone: basilicata.ninux.nnxx
        dns: 10.27.22.5
    services:
      - name: _ldap._tcp
        weight: 100
        port: 88
        target: dc001
```
### Minimal slave configuration
```yaml
bind_listen_ipv4: ['any']
bind_allow_query: ['any']
bind_zone_master_server_ip: 10.27.250.1
bind_zone_domains:
  - name: ninux.nnxx
```
### Hosts
The hosts this server must resolve are defined under `hosts`, in the fields `name`, `ip` and `aliases`.
You can specify multiple IPs for a host by adding the IPs to the same name in `bind_zone_hosts`. This results in multiple A/AAAA records for the host and allows [DNS round robin](http://www.zytrax.com/books/dns/ch9/rr.html), a simple load-balancing technique. The order of the IPs is configured with the `bind_rrset_order` variable.
### Networks
Not all hosts are on the same network. To get a PTR record, the networks must be listed in `networks`. Only the networks go here! For example, for the Ninux Basilicata network you would put "10.27" in the variable.
### Zone delegation
To delegate a DNS zone it is enough to create an `NS` record (under `delegate`), which is the equivalent of:
```
foo IN NS 192.0.2.1
```
### Service records
Service (SRV) records can be added as services. The mandatory fields are `name` (service name), `target` (host providing the service) and `port` (TCP/UDP port of the service); the optional fields are `priority` (default = 0) and `weight` (default = 0).
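To see concretely which records the `hosts`, `networks`, `delegate` and `services` fields turn into, here is an added Python example. It is not the role's own Jinja template; it reimplements the behaviour the Hosts, Networks, Zone delegation and Service records sections describe, so you can check a domain dict before running the playbook. The `render` output layout and the `offsite` host in the sample data are constructed for this example.

```python
import ipaddress


def _as_list(value):
    """`ip`/`ipv6` may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _fqdn(name, domain):
    """Owner name as a fully qualified name; '@' stands for the zone apex."""
    return f"{domain}." if name == "@" else f"{name}.{domain}."


def forward_records(domain):
    """Return (owner, ttl, type, rdata) tuples for the forward zone of one domain dict."""
    records = []
    for host in domain.get("hosts", []):
        ttl = host.get("ttl")  # per-host TTL; None means the zone default applies
        for ip in _as_list(host.get("ip")):  # one A record per address = round robin
            records.append((host["name"], ttl, "A", ip))
        for ip6 in _as_list(host.get("ipv6")):
            records.append((host["name"], ttl, "AAAA", ip6))
        for alias in host.get("aliases", []):
            records.append((alias, None, "CNAME", host["name"]))
    suffix = "." + domain["name"]
    for d in domain.get("delegate", []):
        # delegation: an NS record under the delegated label (e.g. 'basilicata')
        label = d["zone"][:-len(suffix)] if d["zone"].endswith(suffix) else d["zone"]
        records.append((label, None, "NS", d["dns"]))
    for svc in domain.get("services", []):
        # SRV rdata per RFC 2782: priority weight port target
        rdata = f"{svc.get('priority', 0)} {svc.get('weight', 0)} {svc['port']} {svc['target']}"
        records.append((svc["name"], None, "SRV", rdata))
    return records


def reverse_networks(domain):
    """Turn dotted prefixes such as '10.27' into networks (prefix length = 8 bits per octet given)."""
    nets = []
    for prefix in domain.get("networks", []):
        octets = str(prefix).split(".")
        cidr = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        nets.append(ipaddress.ip_network(cidr))
    return nets


def reverse_records(domain):
    """PTR records (owner, type, target) for host addresses inside a listed network.

    An address outside every `networks` prefix gets no PTR, which is the README's
    point: list the networks, not the hosts.
    """
    nets = reverse_networks(domain)
    ptrs = []
    for host in domain.get("hosts", []):
        for ip in _as_list(host.get("ip")):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in nets):
                ptrs.append((addr.reverse_pointer + ".", "PTR", _fqdn(host["name"], domain["name"])))
    return ptrs


def render(domain):
    """Zone-file style text for eyeballing the result (no SOA; the role's SOA variables cover that)."""
    lines = [f"$ORIGIN {domain['name']}."]
    for owner, ttl, rtype, rdata in forward_records(domain):
        ttl_field = f" {ttl}" if ttl else ""
        lines.append(f"{owner}{ttl_field} IN {rtype} {rdata}")
    for owner, rtype, target in reverse_records(domain):
        lines.append(f"{owner} IN {rtype} {target}")
    return "\n".join(lines)


# The README's ninux.nnxx example, plus one constructed host outside every listed network.
EXAMPLE = {
    "name": "ninux.nnxx",
    "hosts": [
        {"name": "dns", "ip": "10.27.253.10", "ipv6": "2001:db8::1", "ttl": 900, "aliases": ["ns"]},
        {"name": "@", "ip": ["10.27.253.10", "10.27.253.11"],
         "ipv6": ["2001:db8::1", "2001:db8::2"], "aliases": ["ns1"]},
        {"name": "ns2", "ip": "10.27.22.5"},
        {"name": "offsite", "ip": "192.0.2.7"},  # constructed: must get no PTR
    ],
    "networks": ["10.27.250", "10.27", "10"],
    "delegate": [{"zone": "basilicata.ninux.nnxx", "dns": "10.27.22.5"}],
    "services": [{"name": "_ldap._tcp", "weight": 100, "port": 88, "target": "dc001"}],
}

if __name__ == "__main__":
    print(render(EXAMPLE))
```

Running it prints the records for the README's `ninux.nnxx` example: the two `@` addresses become two A records (what round robin relies on), `basilicata` gets its NS delegation, and the constructed `offsite` host gets an A record but no PTR because `192.0.2.7` is not inside any listed network.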
### ACLs
ACLs can be defined like this:
```Yaml
bind_acls:
- name: acl_trasfer
match_list:
- 192.0.2.0/24
- 10.0.0.0/8
```
The ACL name is added to `allow-transfer` in the global options.
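Because `bind_allow_query`, `bind_allow_recursion` and `bind_listen_ipv4` together decide who can use this server as a recursive resolver, it is worth checking the variables before a deploy. The following Python lint is an added example, not part of the role: it takes a dict of role variables, applies the defaults from the variables table where a variable is absent, and reports ACL names referenced but not defined in `bind_acls`, list-typed variables given as a bare string, recursion reachable from `any` on a non-loopback listener, and zones with `allow_update` set to `any`. The finding codes and the two sample variable sets (built from the role's `defaults/main.yml` and the `dns_forwarder` play on this page) are constructed for the example.

```python
import ipaddress

# Names BIND itself understands in an address match list; anything else must be in bind_acls.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
LOOPBACK = {"127.0.0.1", "::1"}


def _is_address(token):
    """True for an IP address or CIDR prefix, e.g. '10.0.0.0/8' or '2001:db8::1'."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def lint_bind_vars(v):
    """Return a list of 'CODE: message' findings for a dict of role variables.

    Defaults mirror the README's variable table where a variable is absent.
    """
    findings = []
    defined_acls = {a["name"] for a in v.get("bind_acls", [])}

    def listvar(key, default):
        # The role documents these as lists; a bare string would be iterated character by character.
        val = v.get(key, default)
        if isinstance(val, str):
            findings.append(f"TYPE: {key} must be a list, got string {val!r}")
            return [val]
        return list(val)

    allow_query = listvar("bind_allow_query", ["localhost"])
    allow_recursion = listvar("bind_allow_recursion", ["any"])
    listen4 = listvar("bind_listen_ipv4", ["127.0.0.1"])
    listen6 = listvar("bind_listen_ipv6", ["::1"])

    for key, tokens in (("bind_allow_query", allow_query), ("bind_allow_recursion", allow_recursion)):
        for t in tokens:
            if t not in BUILTIN_ACLS and t not in defined_acls and not _is_address(t):
                findings.append(f"UNDEFINED-ACL: {key} references '{t}' which is not in bind_acls")

    # Open resolver = recursion on, reachable by anyone, on an address other than loopback.
    exposed = any(a not in LOOPBACK for a in listen4 + listen6)
    if v.get("bind_recursion", False) and exposed and "any" in allow_query and "any" in allow_recursion:
        findings.append("OPEN-RESOLVER: recursion is allowed from any client on a non-loopback listener")

    for zone in v.get("bind_zone_domains", []):
        upd = zone.get("allow_update", ["none"])
        upd = [upd] if isinstance(upd, str) else upd
        if "any" in upd:
            findings.append(f"OPEN-UPDATE: zone {zone['name']} accepts dynamic updates from any host")

    return findings


# Constructed from the role's defaults/main.yml shown on this page.
ROLE_DEFAULTS = {
    "bind_acls": [
        {"name": "transfer", "match_list": ["10.0.0.0/8"]},
        {"name": "trusted", "match_list": ["localhost", "10.0.0.0/8"]},
    ],
    "bind_listen_ipv4": ["127.0.0.1"],
    "bind_listen_ipv6": ["::1"],
    "bind_allow_query": ["any"],
    "bind_recursion": True,
    "bind_allow_recursion": ["trusted"],
}

# Constructed: the dns_forwarder play's vars layered over those defaults.
FORWARDER = dict(
    ROLE_DEFAULTS,
    bind_listen_ipv4=["any"],
    bind_allow_recursion="any",
    bind_forward_only=True,
    bind_recursion=True,
)

if __name__ == "__main__":
    for name, cfg in (("defaults", ROLE_DEFAULTS), ("dns_forwarder", FORWARDER)):
        print(name, lint_bind_vars(cfg) or "no findings")
```

For the role defaults the lint is quiet: recursion is on but limited to the `trusted` ACL and the server listens on loopback only. The `dns_forwarder` play is meant to recurse for the mesh, so `OPEN-RESOLVER` there is a prompt to restrict `bind_allow_recursion` to an ACL covering 10.0.0.0/8 rather than `any`, and `TYPE` points at the bare string that a Jinja `for` loop would iterate character by character.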
### Example playbook
```yaml
- hosts: dns-server
  become: "{{ sudo | default('yes') }}"
  roles:
    - common
    - bind
  vars:
    # common
    common_ipv4_forward: 1
    common_ssh_port: 2400
    # variables for the common role
    users:
      - name: michele
        authorized:
          - ./keys/michele.pub
      - name: nino
        authorized:
          - ./keys/nino.pub
      - name: marco
        authorized:
          - ./keys/hispanico.pub
      - name: federico
        authorized:
          - ./keys/federico-1.pub
          - ./keys/federico-2.pub
    # bind
    bind_listen_ipv4:
      - 127.0.0.1
      - 176.9.204.50
      - 176.9.187.218
    bind_zone_master_server_ip: 176.9.204.50
  pre_tasks:
    - name: Get dict for each zone
      include_vars:
        dir: zones
    - name: Merge zone dicts
      set_fact:
        bind_zone_domains:
          "{{ nnxx_ninux_org }} +
           {{ ninux_nnxx }}"
```
### Example nsupdate client for OpenWrt
```bash
#!/bin/sh
# Registers this router's LAN address in the router.nnxx zone with a dynamic update.
if which nsupdate >/dev/null; then
    ETH=br-lan
    DOMAIN=router.nnxx
    DNS=10.27.253.10
    SUB=$(cat /proc/sys/kernel/hostname)
    ECHO=$(which echo)
    NSUPDATE=$(which nsupdate)
    # first IPv4 address on the LAN bridge, without the prefix length
    IP=$(ip addr show dev $ETH | grep 'inet ' | awk '{split($2,a,"/");print a[1];}')
    # build the nsupdate batch: replace any old A record for this host with the current address
    $ECHO "server $DNS" > /tmp/nsupdate
    $ECHO "debug yes" >> /tmp/nsupdate
    $ECHO "zone $DOMAIN." >> /tmp/nsupdate
    $ECHO "update delete $SUB.$DOMAIN" >> /tmp/nsupdate
    $ECHO "update add $SUB.$DOMAIN 60 A $IP" >> /tmp/nsupdate
    $ECHO "send" >> /tmp/nsupdate
    $NSUPDATE -v /tmp/nsupdate 2>&1
else
    echo installo nsupdate, riavvia lo script dopo
    sleep 5
    opkg update
    opkg install bind-client
fi
```
- hosts: common
  become: "{{ sudo | default('yes') }}"
  roles:
    - common
  vars:
    # common
    common_ipv4_forward: 1
    common_ssh_port: 2400
    # variables for the common role
    users:
      - name: michele
        authorized:
          - ./keys/michele.pub
      - name: nino
        authorized:
          - ./keys/nino.pub
      - name: marco
        authorized:
          - ./keys/hispanico.pub
      - name: federico
        authorized:
          - ./keys/federico-1.pub
          - ./keys/federico-2.pub
- hosts: dns_forwarder
  become: "{{ sudo | default('yes') }}"
  roles:
    - bind
  tags:
    - bind-forwarder
  vars:
    bind_listen_ipv4:
      - any
    bind_zone_master_server_ip: 10.27.253.10
    # the role documents this as a list (see the variables table), not a bare string
    bind_allow_recursion:
      - any
    bind_forward_only: true
    bind_recursion: true
  pre_tasks:
    - name: Get dict for each zone
      include_vars:
        dir: zones
    - name: Merge zone dicts
      set_fact:
        bind_zone_domains:
          "{{ basilicata_nnxx }} +
           {{ router_nnxx }}"
- hosts: dns_server
  become: "{{ sudo | default('yes') }}"
  roles:
    - bind
  tags:
    - bind-server
  vars:
    bind_listen_ipv4:
      - 127.0.0.1
      - 10.27.253.10
      - 10.27.253.11
      - 176.9.204.50
      - 176.9.187.218
    bind_zone_master_server_ip: 176.9.204.50
  pre_tasks:
    - name: Get dict for each zone
      include_vars:
        dir: zones
    - name: Merge zone dicts
      set_fact:
        bind_zone_domains:
          "{{ dns_nnxx_org }} +
           {{ basilicata_nnxx }} +
           {{ router_nnxx }}"
[common]
ns1.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.204.50
ns2.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.187.218
pi-hole.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.187.217
[vpn]
ns1.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.204.50
ns2.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.187.218
[olsrd]
ns1.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.204.50 vpnlan=10.27.253.10
ns2.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.187.218 vpnlan=10.27.253.11
[dns_server]
ns1.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.204.50
ns2.dns-nnxx.org ansible_user=root ansible_port=2400 ansible_host=176.9.187.218
[dns_forwarder]
your-local-rp ansible_user=root ansible_port=2400 ansible_host=your-local-ip
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqcYaTryjtUJO2fr5NZy0o9NiRjYUsCTsf3vYnMMt6pvH9i2QRdLEqzwi3ZF8lW1ZxBw9Bf7nWqeegCYV+SJ9BJNYALXnW1bnP2suHTenxSWFZYE4RfJ3/7CPXp9Xa71E5nKtldteY2Dx4WYdYhTpermkojsco2INl8/dejMTPFfS41TJ3T8IZ2tpEFz9kGiIB+olmhE6Qx5cfzGfSXw2It0qf1B8e0rJLmnwNIE4+v0FPHQh3Wyy4veCYquOwYnPhnBI710AbU4qwSx19nstcSodKNl6OSfd0c+AzETPdCJPVIaYZ8uViqP3W4RGFzN8bTT3pSnIqQuzq6vlrCb5x nemesis@DfCapoano220250
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/uuiux9qC/+fSYnzSkPC+zgqKyiPbIJqJLQ1I9UkkV6dT4TncuxHHZ55dHUdgbXzC8dDIkRgMl8scNO8LF31MOJoEtN9YBzAqxKJSZhg4QYva4bK2zA4faxwtZbtOyQ7x4IYNt5Z+Vv381cM1g2NyGetS3qs0mPXt9JaQRi4aYre7MtSkOOJymwpJj4pPJz8t/H3pVLyi17FAXXWVh1j42C4Mi7IBgtYn0T4GMn0FGx3+dRv2rDrwDaA0guC9GKH8PzHsbrlH1ibewJ5VLFcUzFy6CY14muXTFNb/XyvK0Z8fCU2UR3VILVDotDJfJCOEhhOs0uKLNOeyoApbeS2N nemesis@freedom
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxbDM4M1AsLk84Ym0WPPSVI3aHUUNt1ynrNjrDdRuNHXMvFykBjQUzDpiK6kmraY4hytO1P+BH4ylLaN/FgY/6AlnYVE3lENPFKfrLCAqNMMUseZMxeMwrpIqNe/9wr0OFf3X0QZcuClcqpn8o+XtzCGF3e+6l9JAtS+CFgzFkL4KQkNfqd9vlFff3CPXv4B/5VqQt4xMsq44RcXuf00pj/2WGism7II1GYQpzn9we0tQRNZvH/mudMCh77Rka0c1ZNmYLLJa8CGSqqHiINgyK2mDSL0LuJi30SZyuwCRxt+Q4TCqZHtoKeMZauCVmHECXt+BAFVX7zDhXS2PonfU/Q== Hispanico@Phoenix.local
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEApsvOroj54zMlINiTYu81eJp14as8n9x+JQy68V1ETQnTfCONTvOxeFqEM4Uarm+VJ1T9PYZ/I+KxUbFRMKdJ7edzyBNGFvS7/7fr2SV1b5t97hcAHT1Q98lKZLwxEddSNsYv9MVteJ7TIyTWo/6dGZMeJW9+e+iynwDnNn9RANrb6TBQFF+Q9LpjvncoK35aDZINytFO4m4gGuRUuP+eEPnEXk6E5S0p2hScpCXDSO8v1Lok5/3cOuLt2KK9XnKLVVkfX5VBlEgOGno0xSs6JPPBJT0cQOGoc7qiMMcJVfv6rdQaQB6dtfYMRkBycXLat5EAIqN7qW1XW6+HVhA/RQ== mikysal78@gmail.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3w4VwPmK8e8CCdu2JXs1RMwPCxFScUjgoczvI55aXmCVwSfTvLUX46ONrney0kInBvnXQuuLyc5xbN/kCpLW54MfHoHkWdf8V4daLfhDOeMbIap0JMAk5OXV80L+C8J4J51ZYd0wIF+Hyp19yLJA9gB9uI8NK6139H+sWlCrx/p3Q0jxAbqd9JQ22RVmhjWJtNOLrJYUSCMqr8L50tnYWIgwhCg9dl4e+JXS9Qztl7+MHWreUsplST0DHfSwxfBIQaVArt0n2R9UIWL9aDVEhpOIznxC6g9TosqsdfRko1eSpP7wbWEB533P1OcZmr7IiT+MaK5PNuEiiQP2+eoFFQ== root@sip_lenny
- hosts: olsrd
  become: "{{ sudo | default('yes') }}"
  roles:
    - olsrd2
  vars:
    olsrd2_interfaces:
      - vpnbas
      - eth0
      - wlan0
# BSD License
Copyright (c) 2014, Bert Van Vreckem, (bert.vanvreckem@gmail.com)
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# roles/bind/defaults/main.yml
---
bind_log: "data/named.run"
#bind_zone_domains:
#  - name: "dns-nnxx.org"
#    hostmaster_email: "hostmaster"
#    networks:
#      - "10.27"
# List of acls.
bind_acls:
  - name: transfer
    match_list:
      - 10.0.0.0/8
      - 176.9.187.208/28
      - 176.9.204.48/29
      - 188.40.254.208/29
  - name: trusted
    match_list:
      - localhost
      - 10.0.0.0/8
# Key binding for slaves
bind_dns_keys: []
#  - name: master_key
#    algorithm: hmac-sha256
#    secret: "azertyAZERTY123456"
# List of IPv4 address of the network interface(s) to listen on. Set to "any"
# to listen on all interfaces
bind_listen_ipv4:
  - "127.0.0.1"
# List of IPv6 address of the network interface(s) to listen on.
bind_listen_ipv6:
  - "::1"
# List of hosts that are allowed to query this DNS server.
bind_allow_query:
  - "any"
# Determines whether recursion should be allowed. Typically, an authoritative
# name server should have recursion turned OFF.
bind_recursion: true
bind_allow_recursion:
  - "trusted"
# Allows BIND to be set up as a caching name server
bind_forward_only: false
# List of name servers to forward DNS requests to.
bind_forwarders:
  - "8.8.8.8"
  - "8.8.4.4"
# DNS round robin order (random or cyclic)
bind_rrset_order: "random"
# DNSSEC configuration
bind_dnssec_enable: true
bind_dnssec_validation: auto
bind_extra_include_files: []
# SOA information
bind_zone_ttl: "2D"
bind_zone_time_to_refresh: "8H"
bind_zone_time_to_retry: "2H"
bind_zone_time_to_expire: "1W"
bind_zone_minimum_ttl: "1D"
# Custom location for master zone files
bind_zone_dir: "{{ bind_dir }}"
# File mode for master zone files (needs to be something like 0660 for dynamic updates)
bind_zone_file_mode: "0660"
dns_resolvconf_file: /etc/resolv.conf
dns_searches: ninux.nnxx
dns_nameservers:
  - 127.0.0.1
  - 8.8.8.8
  - 8.8.4.4
#!/bin/bash
# Query a domain's records with dig; with -x also query a list of common
# subdomains and the wildcard name. Usage: script [-x] [-s nameserver] domain [type]
set -e; set -u
COMMON_SUBDOMAINS="www mail mx a.mx smtp pop imap blog en ftp ssh login"
EXTENDED=""
while :; do case "$1" in
    --) shift; break ;;
    -x) EXTENDED=y; shift ;;
    -s) NS="$2"; shift 2 ;;
    *) break ;;
esac; done
DOM="$1"; shift
TYPE="${1:-any}"
# Without -s, ask the zone's primary name server taken from its SOA record
test "${NS:-}" || NS=$(dig +short SOA "$DOM" | awk '{print $1}')
test "$NS" && NS="@$NS"
if test "$EXTENDED"; then
    dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
    wild_ips=$(dig +short "$NS" "*.$DOM" "$TYPE" | tr '\n' '|')
    wild_ips="${wild_ips%|}"
    for sub in $COMMON_SUBDOMAINS; do
        dig +nocmd $NS "$sub.$DOM" +noall +answer "$TYPE"
    done | cat #grep -vE "${wild_ips}"
    dig +nocmd $NS "*.$DOM" +noall +answer "$TYPE"
else
    dig +nocmd $NS "$DOM" +noall +answer "$TYPE"
fi
# We have named running, but no NIS (yet)
order bind hosts
# Allow multiple addrs
multi on
# Guard against spoof attempts
nospoof on
# Trim local domain (not really necessary).
#trim ninux.nnxx.
# roles/bind/handlers/main.yml
---
- name: reload bind
  service:
    name: "{{ bind_service }}"
    state: reloaded
---
galaxy_info:
  author: Bert Van Vreckem
  description: Sets up ISC BIND on RHEL/CentOS 6/7, Ubuntu 16.04/18.04 LTS (Xenial/Bionic), or Arch Linux as an authoritative DNS server for one or more domains (master and/or slave).
  license: BSD
  min_ansible_version: 2.7
  platforms:
    - name: EL
      versions:
        - 6
        - 7
    - name: Ubuntu
      versions:
        - xenial
        - bionic
    - name: Debian
      versions:
        - jessie
        - stretch
    - name: ArchLinux
      versions:
        - any
  galaxy_tags:
    - networking
    - system
    - dns
dependencies: []
# roles/bind/tasks/main.yml
---
# Initialise distribution-specific variables
- name: Source specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
  tags: bind,pretask
- name: Install BIND
  package:
    pkg: "{{ item }}"
    state: present
  with_items:
    - "{{ bind_packages }}"
  tags: bind
# JY | file to set keys for XFR authentication
- name: create extra config file for authenticated XFR request
  tags: pretask
  template:
    src: auth_transfer.j2
    dest: /etc/bind/auth_transfer.conf
    mode: 0640
    owner: root
    group: bind
- name: Check whether `bind_zone_master_server_ip` was set
  assert:
    that: bind_zone_master_server_ip is defined
- name: Ensure runtime directories referenced in config exist
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: "{{ bind_group }}"
    mode: 0770
  with_items:
    - "{{ bind_dir }}/dynamic"
    - "{{ bind_dir }}/data"
    - "{{ bind_zone_dir }}"
  tags: bind
- name: Create serial, based on UTC UNIX time
  command: date -u +%s
  register: timestamp
  changed_when: false
  run_once: true
  check_mode: false
  tags: bind
- name: Read forward zone hashes
  shell: 'grep -s "^; Hash:" {{ bind_zone_dir }}/{{ item.name }} || true'
  changed_when: false
  check_mode: false
  register: forward_hashes_temp
  with_items:
    - "{{ bind_zone_domains }}"
- name: create dict of forward hashes
  set_fact:
    forward_hashes: "{{ forward_hashes|default([]) + [ {'hash': item.stdout|default(), 'name': item.item.name} ] }}"
  with_items:
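The tasks above create a serial from the UTC UNIX time and read a `; Hash:` line from each existing zone file; the step that compares the hashes lies beyond the end of this page. The following Python is an added example, not the role's code, showing one way those pieces fit together: hash the rendered zone with the serial and hash lines masked out, keep the old serial when nothing else changed, and otherwise take the timestamp, never going below the previous serial plus one so slaves always see an increase. The `; Hash: <hex>` line format, the `; serial` comment and the sample zone are assumptions made for this example.

```python
import hashlib
import re

# Assumed layout: a '; Hash: <hex>' line and a serial field marked with '; serial'.
HASH_LINE = re.compile(r"^; Hash: ([0-9a-f]+)[ \t]*\n?", re.M)
SERIAL_LINE = re.compile(r"^([ \t]*)(\d+)([ \t]*; serial)[ \t]*$", re.M)


def read_hash(zone_text):
    """Hash recorded in an existing zone file, or '' when there is none (fresh install)."""
    m = HASH_LINE.search(zone_text)
    return m.group(1) if m else ""


def read_serial(zone_text):
    """SOA serial of an existing zone file, or 0 when absent."""
    m = SERIAL_LINE.search(zone_text)
    return int(m.group(2)) if m else 0


def content_hash(zone_text):
    """SHA-256 of the zone with the hash line removed and the serial masked.

    A re-render with a new timestamp but identical records therefore hashes the same.
    """
    body = HASH_LINE.sub("", zone_text)
    body = SERIAL_LINE.sub(r"\1SERIAL\3", body)
    return hashlib.sha256(body.encode()).hexdigest()


def next_serial(existing, rendered, now_serial):
    """Return (serial, changed) for a freshly rendered zone.

    Unchanged content keeps the serial already on disk, so slaves are not told to
    transfer for nothing. Changed content gets the timestamp, but never less than
    old + 1: a host whose clock is behind must still produce a larger serial.
    """
    old_serial = read_serial(existing)
    if old_serial and read_hash(existing) == content_hash(rendered):
        return old_serial, False
    return max(now_serial, old_serial + 1), True


def stamp(rendered, serial):
    """Write the chosen serial into the zone and prepend the hash line for the next run."""
    text = SERIAL_LINE.sub(lambda m: f"{m.group(1)}{serial}{m.group(3)}", rendered)
    return f"; Hash: {content_hash(rendered)}\n" + text


# Constructed sample zone; the serial value in the template is a placeholder.
ZONE_V1 = """$TTL 2D
@ IN SOA ns1.example.test. hostmaster.example.test. (
    1700000000 ; serial
    8H ; refresh
    2H ; retry
    1W ; expire
    1D ; minimum
)
@ IN NS ns1
ns1 IN A 192.0.2.1
"""
ZONE_V2 = ZONE_V1 + "ns2 IN A 192.0.2.2\n"  # constructed: one record added

if __name__ == "__main__":
    on_disk = stamp(ZONE_V1, 1700000000)
    print("same content:", next_serial(on_disk, ZONE_V1, 1700005000))
    print("new record:  ", next_serial(on_disk, ZONE_V2, 1700005000))
    print("clock behind:", next_serial(on_disk, ZONE_V2, 1600000000))
```

The clock-behind case is the one worth remembering: if the timestamp were used blindly, a master whose clock went backwards would publish a smaller serial and the slaves would silently keep serving the old zone.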