changeset 290:1182a180085d
Swap from Bind to Named for light-weight DNS
author | IBBoard <dev@ibboard.co.uk> |
date | Sat, 11 Jan 2020 16:54:39 +0000 |
parents | 670e933bbd63 |
children | d2ae0b786b49 |
files | common/named.conf common/named.conf-ibbvps common/sysconfig-named common/sysconfig-named-ibbvps common/unbound.conf manifests/templates.pp |
diffstat | 5 files changed, 24 insertions(+), 136 deletions(-) [+] |
--- a/common/named.conf Mon Dec 30 17:00:10 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,59 +0,0 @@
-//
-// named.conf
-//
-// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
-// server as a caching only nameserver (as a localhost DNS resolver only).
-//
-// See /usr/share/doc/bind*/sample/ for example named configuration files.
-//
-
-options {
- listen-on port 53 { 127.0.0.1; };
-// Disable IPv6 because we don't have a routable address
-// listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
-
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
- recursion yes;
- max-cache-size 10m;
-
- dnssec-enable yes;
- dnssec-validation yes;
-
- /* Path to ISC DLV key */
- bindkeys-file "/etc/named.iscdlv.key";
-
- managed-keys-directory "/var/named/dynamic";
-
- pid-file "/run/named/named.pid";
- session-keyfile "/run/named/session.key";
-};
-
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- };
-};
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-include "/etc/named.rfc1912.zones";
-include "/etc/named.root.key";
-
--- a/common/named.conf-ibbvps Mon Dec 30 17:00:10 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,63 +0,0 @@
-//
-// named.conf
-//
-// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
-// server as a caching only nameserver (as a localhost DNS resolver only).
-//
-// See /usr/share/doc/bind*/sample/ for example named configuration files.
-//
-
-options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- allow-query { localhost; };
-
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
- recursion yes;
- max-cache-size 10m;
-
- forwarders {
- 2a00:1098:0:80:1000:3b:0:1;
- 2a00:1098:0:82:1000:3b:0:1;
- };
-
- dnssec-enable yes;
- dnssec-validation yes;
-
- /* Path to ISC DLV key */
- bindkeys-file "/etc/named.iscdlv.key";
-
- managed-keys-directory "/var/named/dynamic";
-
- pid-file "/run/named/named.pid";
- session-keyfile "/run/named/session.key";
-};
-
-logging {
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- };
-};
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-include "/etc/named.rfc1912.zones";
-include "/etc/named.root.key";
-
--- a/common/sysconfig-named Mon Dec 30 17:00:10 2019 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-OPTIONS="-4"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/common/unbound.conf Sat Jan 11 16:54:39 2020 +0000
@@ -0,0 +1,7 @@
+# Based on https://www.nlnetlabs.nl/documentation/unbound/howto-setup/
+server:
+ interface: 127.0.0.1
+ interface: ::1
+ access-control: 127.0.0.0/24 allow
+ access-control: ::1 allow
+ verbosity: 1
\ No newline at end of file
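Review bot: The BIND configuration this replaces enabled `dnssec-validation yes`, but the new `server:` block declares no trust anchor, and since templates.pp installs this file as /etc/unbound/unbound.conf the packaged default config is overwritten, so upstream answers are presumably no longer validated; adding `auto-trust-anchor-file: "<path to the distro-managed root.key>"` under `server:` would restore that — confirm the path against the unbound package. The deleted named.conf-ibbvps forwarded to two upstream resolvers and no unbound.conf-ibbvps is added, so that host now falls back to the generic file and does full recursion itself; if forwarding is still wanted there, a host-specific file with a `forward-zone:` stanza is needed. The file also ends without a trailing newline.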
--- a/manifests/templates.pp Mon Dec 30 17:00:10 2019 +0000 +++ b/manifests/templates.pp Sat Jan 11 16:54:39 2020 +0000 @@ -152,25 +152,34 @@ } class dnsresolver { - package { 'bind': + package { 'unbound': ensure => present, } + package { 'named': + ensure => absent, + } service { 'named': + ensure => stopped, + enable => false, + } + service { 'unbound': ensure => running, enable => true, - require => Package['bind'], } file { '/etc/named.conf': + ensure => absent, + } + file { '/etc/unbound/unbound.conf': ensure => present, source => [ - "puppet:///common/named.conf-${::hostname}", - "puppet:///common/named.conf", + "puppet:///common/unbound.conf-${::hostname}", + "puppet:///common/unbound.conf", ], group => 'named', - require => Package['bind'], - notify => Service['named'], + require => Package['unbound'], + notify => Service['unbound'], } file { '/etc/NetworkManager/conf.d/local-dns-resolver.conf': @@ -180,18 +189,13 @@ } file { '/etc/sysconfig/named': - ensure => present, - source => [ - "puppet:///common/sysconfig-named-${::hostname}", - "puppet:///common/sysconfig-named", - ], - require => Package['bind'], + ensure => absent, } file { '/etc/resolv.conf': ensure => present, content => "nameserver 127.0.0.1", - require => Service['named'], + require => Service['unbound'], tag => 'post-service', } }
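Review bot: `package { 'named': ensure => absent, }` does not name the package the old code managed, which was `package { 'bind': ... }`, so the BIND package is presumably left installed and only its service is stopped; I'd write `package { 'bind': ensure => absent, require => Service['named'], }` so the service is stopped before the package is removed. The unchanged `group => 'named',` on /etc/unbound/unbound.conf refers to a group that the BIND package provided, so once that package is gone the file resource may fail or leave the config owned by a group unbound's own user is not in; `group => 'unbound'` is likely the right value — confirm against the unbound package. The class dnsresolver body continues past the hunk.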