From e0bb7d6eceabc6825faa5c7d08ff2bef731888eb Mon Sep 17 00:00:00 2001
From: Bombar Maxime 
Date: Sat, 18 Apr 2020 17:15:20 +0200
Subject: [PATCH] Bind configuration

---
 network.yml                                   |  1 +
 roles/bind-authoritative/tasks/main.yml       |  8 ++-
 .../templates/bind/named.conf.j2              | 16 +++++
 .../{named.conf.local => named.conf.local.j2} |  0
 .../templates/bind/named.conf.options.j2      | 58 +++++++++++++++++++
 5 files changed, 81 insertions(+), 2 deletions(-)
 create mode 100644 roles/bind-authoritative/templates/bind/named.conf.j2
 rename roles/bind-authoritative/templates/bind/{named.conf.local => named.conf.local.j2} (100%)
 create mode 100644 roles/bind-authoritative/templates/bind/named.conf.options.j2

diff --git a/network.yml b/network.yml
index e48257aa..5a28e7d0 100755
--- a/network.yml
+++ b/network.yml
@@ -42,6 +42,7 @@ bind:
   master: false
   master_ip: 10.231.136.118
+  dnssec: false
   zones:
     - crans.org
     - crans.eu
 
diff --git a/roles/bind-authoritative/tasks/main.yml b/roles/bind-authoritative/tasks/main.yml
index 37199cec..407e533e 100644
--- a/roles/bind-authoritative/tasks/main.yml
+++ b/roles/bind-authoritative/tasks/main.yml
@@ -9,11 +9,15 @@
 
 - name: Deploy Bind9 configuration
   template:
-    src: bind/named.conf.local
-    dest: /etc/bind/named.conf.local
+    src: bind/{{ item }}.j2
+    dest: /etc/bind/{{ item }}
     mode: 0644
     owner: root
     group: bind
+  loop:
+    - named.conf
+    - named.conf.local
+    - named.conf.options
 
 - name: Reload Bind9
   systemd:
diff --git a/roles/bind-authoritative/templates/bind/named.conf.j2 b/roles/bind-authoritative/templates/bind/named.conf.j2
new file mode 100644
index 00000000..fdac65db
--- /dev/null
+++ b/roles/bind-authoritative/templates/bind/named.conf.j2
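Review bot: Nothing validates the rendered files before `Reload Bind9` runs, and since the loop now writes three mutually-including templates, a syntax error in any of them is only discovered when named reloads and would keep named from starting at its next restart. Because `named.conf` includes the other two, the `template` module's per-file `validate:` cannot check each file in isolation, so a separate check between the deploy and the reload is the practical option: `- name: Check Bind9 configuration`, `command: named-checkconf`, `changed_when: false`. The `Reload Bind9` task continues outside the hunk.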
@@ -0,0 +1,16 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+{% if bind.dnssec %}
+include "/etc/bind/bind.keys";
+{% endif %}
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local b/roles/bind-authoritative/templates/bind/named.conf.local.j2
similarity index 100%
rename from roles/bind-authoritative/templates/bind/named.conf.local
rename to roles/bind-authoritative/templates/bind/named.conf.local.j2
diff --git a/roles/bind-authoritative/templates/bind/named.conf.options.j2 b/roles/bind-authoritative/templates/bind/named.conf.options.j2
new file mode 100644
index 00000000..7138794d
--- /dev/null
+++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2
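Review bot: The `{% if bind.dnssec %}` guard around `include "/etc/bind/bind.keys";` only pulls in the root trust anchors; whether named actually validates is decided by `dnssec-validation` in named.conf.options, which this same commit hard-codes to `no`, so setting `bind.dnssec: true` changes nothing observable. Either gate that option on the same variable, `dnssec-validation {{ 'auto' if bind.dnssec else 'no' }};`, or drop the conditional include and document above the `{% if %}` what `bind.dnssec` is meant to control (for example zone signing). Depending on the installed BIND version, `dnssec-validation auto;` already uses built-in trust anchors and the explicit `bind.keys` include may be redundant — verify against the target release.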
@@ -0,0 +1,58 @@
+{{ ansible_header | comment(decoration='// ') }}
+
+// Listes d'acces
+acl "isolement" { 10.52.0.0/16; };
+acl "accueil" { 10.51.0.0/16; };
+acl "switches" { 10.231.100.0/24; };
+acl "event" { 10.231.137.0/24; 2a0c:700:0:10::/64; };
+acl "fil-new" { 10.54.1.0/24; 10.54.2.0/23; 10.54.4.0/22; 10.54.8.0/21; 10.54.16.0/21; 10.54.24.0/23; 10.54.0.0/24; 2a0c:700:0:21::/64; };
+acl "wifi-new" { 10.53.1.0/24; 10.53.2.0/23; 10.53.4.0/22; 10.53.8.0/21; 10.53.16.0/22; 10.53.20.0/24; 10.53.0.0/24; 10.53.21.0/24; 10.53.22.0/23; 10.53.24.0/23; 2a0c:700:0:22::/64; };
+acl "crans" { 2a0c:700:0:1::/64; 138.231.137.0/24; 138.231.138.0/23; 138.231.140.0/22; 185.230.77.0/24; 2a0c:700:0:21::/64; 2a0c:700:0:23::/64; 185.230.78.0/24; 185.230.76.0/24; 2a0c:700:0:22::/64; 138.231.136.0/24; };
+acl "cransadm" { 2a0c:700:0:2::/64; 10.231.136.0/24; };
+acl "bornes" { fd01:240:fe3d:3::/64; 10.231.148.0/24; };
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable
+	// nameservers, you probably want to use them as forwarders.
+	// Uncomment the following block, and insert the addresses replacing
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys. See https://www.isc.org/bind-keys
+	//========================================================================
+
+
+	allow-query-cache { 127.0.0.1; crans; cransadm; bornes; };
+	allow-recursion { 127.0.0.1; crans; cransadm; bornes; };
+	notify no;
+	allow-transfer { "none"; };
+	recursive-clients 5000;
+	allow-query { any; };
+	auth-nxdomain no; # conform to RFC1035
+
+	listen-on { any; };
+	listen-on-v6 { any; };
+
+	dnssec-enable no;
+	dnssec-validation no;
+};
+logging{
+	// Remove "REFUSED unexpected RCODE resolving" from the logfile
+	category lame-servers { null; };
+};
+// to allow for rndc flush
+include "/etc/bind/rndc.key";
+
+controls {
+	inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };
+};
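Review bot: The `controls` statement references `keys { "key"; }`, but the only key definition comes from the included `/etc/bind/rndc.key`, and the key Debian's `rndc-confgen -a` writes there is named `rndc-key`; if the names do not match, named rejects the configuration (named-checkconf reports the undefined key), so confirm the name or reference the one the file actually defines, e.g. `inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };`. Separately, `notify no;` and `allow-transfer { "none"; };` are set globally although network.yml carries a `bind.master` flag, so on the master host the secondaries cannot pull zones unless named.conf.local re-opens transfers per zone; if it does not, gate these two on `bind.master` with an ACL naming the secondaries rather than leaving `none` everywhere. `dnssec-enable` and `dnssec-validation` are likewise hard-coded to `no` while a `bind.dnssec` variable now exists; `dnssec-validation {{ 'auto' if bind.dnssec else 'no' }};` keeps the variable meaningful, and `dnssec-enable` can be dropped if the target BIND is 9.15 or newer, where it is obsolete.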