commit bcf75d72b8aaa888a4e9c0f89a9670a2acf14b6c
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Nov 9 10:29:14 2016 +0100
Add dns role
roles/dns/files/GeoIP.sh | 31 +++
roles/dns/files/logrotate-named | 7 +
roles/dns/files/named.ca | 85 ++++++++
roles/dns/files/named.conf | 457 +++++++++++++++++++++++++++++++++++++++
roles/dns/files/rndc.conf | 34 +++
roles/dns/files/update-dns | 22 ++
roles/dns/files/zones.conf | 22 ++
roles/dns/tasks/main.yml | 111 ++++++++++
8 files changed, 769 insertions(+), 0 deletions(-)
---
diff --git a/roles/dns/files/GeoIP.sh b/roles/dns/files/GeoIP.sh
new file mode 100755
index 0000000..fb2780e
--- /dev/null
+++ b/roles/dns/files/GeoIP.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# This copyrighted material is made available to anyone wishing to use, modify,
+# copy, or redistribute it subject to the terms and conditions of the GNU
+# General Public License v.2. This program is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
+# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU General Public License for more details. You should have
+# received a copy of the GNU General Public License along with this program;
+# if not, write to the Free Software Foundation, Inc., 51 Franklin Street,
+# Fifth Floor, Boston, MA 02110-1301, USA.
+
+rm -f /root/GeoIPCountryCSV.zip
+
+wget -q -T 5 -t 1
http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
+unzip -q GeoIPCountryCSV.zip || exit 1
+
+awk -F \" '{print $10","$6","$8}' GeoIPCountryWhois.csv
> cbe.csv
+rm -f GeoIPCountryWhois.csv
+
+(for c in $(awk -F , '{print $1}' cbe.csv | sort -u)
+do
+ echo "acl \"$c\" {"
+ grep "^$c," cbe.csv | awk -F , 'function s(b,e,l,m,n) {l =
int(log(e-b+1)/log(2)); m = 2^32-2^l; n = and(m,e); if (n == and(m,b)) printf
"\t%u.%u.%u.%u/%u;\n",b/2^24%256,b/2^16%256,b/2^8%256,b%256,32-l; else
{s(b,n-1); s(n,e)}} s($2,$3)'
+ echo -e "};\n"
+done) > /var/named/GeoIP.acl
+
+rm -f cbe.csv
+
+exit 0
+
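Review bot: The ACL source is fetched with `wget` over plain HTTP and wget's exit status is never checked, so a failed or altered download of GeoIPCountryCSV.zip only surfaces if `unzip` happens to fail, yet the country ACLs this produces decide which view and which zone data a client is served. The script also assumes its working directory is /root (the `rm -f` targets /root while `wget`, `unzip` and the CSV work use the cwd) and rewrites /var/named/GeoIP.acl in place, so an empty or partial result leaves named with a broken include until the next run. I would do the work in a `mktemp -d` directory, fetch over TLS if the host serves it and stop on any non-zero status, build the ACL into a scratch file and move it into place only when the run completed and produced output, roughly as below. `echo -e` is also better written as `printf`.
```shell
#!/bin/bash
# … unchanged: license header …

workdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$workdir"' EXIT
cd "$workdir" || exit 1

# stop on any failed step; never work from a stale archive
wget -q -T 5 -t 1 -O GeoIPCountryCSV.zip \
  https://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip || exit 1
unzip -q GeoIPCountryCSV.zip || exit 1

awk -F \" '{print $10","$6","$8}' GeoIPCountryWhois.csv > cbe.csv || exit 1

# build into a scratch file; replace the live ACL only when the run completed
(for c in $(awk -F , '{print $1}' cbe.csv | sort -u)
do
  echo "acl \"$c\" {"
  # … unchanged: grep/awk CIDR expansion …
  printf '};\n\n'
done) > GeoIP.acl.new || exit 1
[ -s GeoIP.acl.new ] || exit 1

mv -f -- GeoIP.acl.new /var/named/GeoIP.acl
```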
diff --git a/roles/dns/files/logrotate-named b/roles/dns/files/logrotate-named
new file mode 100644
index 0000000..ccb66d9
--- /dev/null
+++ b/roles/dns/files/logrotate-named
@@ -0,0 +1,7 @@
+/var/log/named.log {
+ missingok
+ create 0644 named named
+ postrotate
+ /sbin/service named reload 2> /dev/null > /dev/null || true
+ endscript
+}
diff --git a/roles/dns/files/named.ca b/roles/dns/files/named.ca
new file mode 100644
index 0000000..37b1a58
--- /dev/null
+++ b/roles/dns/files/named.ca
@@ -0,0 +1,85 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server
FTP.INTERNIC.NET
+; -OR-
RS.INTERNIC.NET
+;
+; last update: Feb 04, 2008
+; related version of root zone: 2008020400
+;
+; formerly
NS.INTERNIC.NET
+;
+. 3600000 IN NS
A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
+;
+; formerly
NS1.ISI.EDU
+;
+. 3600000 NS
B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+;
+; formerly
C.PSI.NET
+;
+. 3600000 NS
C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+;
+; formerly
TERP.UMD.EDU
+;
+. 3600000 NS
D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
+;
+; formerly
NS.NASA.GOV
+;
+. 3600000 NS
E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; formerly
NS.ISC.ORG
+;
+. 3600000 NS
F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; formerly
NS.NIC.DDN.MIL
+;
+. 3600000 NS
G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; formerly
AOS.ARL.ARMY.MIL
+;
+. 3600000 NS
H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803f:235
+;
+; formerly
NIC.NORDU.NET
+;
+. 3600000 NS
I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+;
+; operated by VeriSign, Inc.
+;
+. 3600000 NS
J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
+;
+; operated by RIPE NCC
+;
+. 3600000 NS
K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; operated by ICANN
+;
+. 3600000 NS
L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+;
+; operated by WIDE
+;
+. 3600000 NS
M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of File
diff --git a/roles/dns/files/named.conf b/roles/dns/files/named.conf
new file mode 100644
index 0000000..7db4cf0
--- /dev/null
+++ b/roles/dns/files/named.conf
@@ -0,0 +1,457 @@
+// named.conf file for
ns-master.fedoraproject.org
+// located in /var/named/chroot/etc/named.conf
+// By: Elliot Lee <sopwith(a)redhat.com>
+// 2005/12/21 for
fedoraproject.org
+// Based on the same file for
ns-master.gnome.org
+// By: Matthew Galgoci <mgalgoci(a)redhat.com>
+// 2003/10/13 for
gnome.org
+//
+
+// Setup for GeoDNS
+include "/var/named/GeoIP.acl";
+
+//include rndckey
+include "/etc/rndc.key";
+
+//
dns1.j2solutions.net - run by Jesse Keating <jkeating(a)redhat.com>
+acl "slaves" { 209.124.61.35; };
+//
+acl "everyone-v4" { 0.0.0.0/0; };
+acl "everyone-v6" { ::0/0; };
+acl "everyone" { 0.0.0.0/0; ::0/0; };
+//
+acl "ns_redhat" { 66.187.233.210; 209.132.183.2; 66.187.229.10; };
+//
+acl "phx2net" { 10.4.124.128/25; 10.5.78.0/24; 10.5.79.0/24; 10.5.125.0/24;
10.5.126.0/24; 10.5.127.0/24; 10.5.129.0/24; };
+acl "qanet" { 10.5.124.128/25; 10.5.131.0/24; };
+acl "rh-slaves" { 10.5.30.78; 10.11.5.70; };
+acl "rh" { 10.0.0.0/8; };
+//
+options {
+ directory "/";
+ auth-nxdomain yes;
+ allow-query { everyone; };
+ dnssec-enable yes;
+ query-source address * port *;
+ query-source-v6 address * port *;
+ allow-transfer { localhost; slaves; rh-slaves; rh;};
+ transfer-source * port 53;
+ pid-file "/var/run/named/named.pid";
+ statistics-file "/var/log/named.stats";
+ provide-ixfr no;
+
+ version "cowbell++";
+ listen-on port 53 {
+ any;
+ };
+ listen-on-v6 port 53 {
+ any;
+ };
+ notify yes;
+ minimal-responses yes;
+ // rate-limit requests
+ rate-limit {
+ responses-per-second 25;
+ window 5;
+ };
+};
+//
+logging {
+ channel "normal" {
+ syslog;
+ severity info;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ };
+ category "default" { "normal"; };
+ category "general" { "normal"; };
+ category "database" { "null"; };
+ category "security" { "normal"; };
+ category "config" { "normal"; };
+ category "resolver" { "normal"; };
+ category "xfer-in" { "normal"; };
+ category "xfer-out" { "normal"; };
+ category "notify" { "normal"; };
+ category "client" { "null"; };
+ category "network" { "null"; };
+ category "update" { "normal"; };
+ category "queries" { "null"; };
+ category "dispatch" { "null"; };
+ category "dnssec" { "normal"; };
+ category "lame-servers" { "null"; };
+};
+//
+// Who can rndc our server (only localhost)...
+//
+controls {
+ inet 127.0.0.1 port 953 allow { localhost; } keys { rndckey; };
+};
+
+view "QA" {
+ match-clients { qanet; };
+ allow-recursion { localhost; qanet; rh-slaves; rh; };
+ recursion yes;
+ // no rate-limit on internal requests
+ rate-limit {
+ exempt-clients { qanet; };
+ };
+
+ # make sure we forward only for
redhat.com lookups
+ zone "redhat.com" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+
+ zone "beaker-project.org" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "88.5.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "4.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "5.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "186.132.209.in-addr.arpa." {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "qa.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/qa.fedoraproject.org";
+ };
+
+ zone "phx2.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/phx2.fedoraproject.org";
+ };
+
+ zone "mgmt.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/mgmt.fedoraproject.org";
+ };
+
+ zone "arm.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/arm.fedoraproject.org";
+ };
+
+ zone "ppc.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/ppc.fedoraproject.org";
+ };
+
+ zone "s390.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/s390.fedoraproject.org";
+ };
+
+ zone "78.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/78.5.10.in-addr.arpa";
+ };
+
+ zone "79.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/79.5.10.in-addr.arpa";
+ };
+
+ zone "124.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/124.5.10.in-addr.arpa";
+ };
+
+ zone "125.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/125.5.10.in-addr.arpa";
+ };
+
+ zone "126.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/126.5.10.in-addr.arpa";
+ };
+
+ zone "127.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/127.5.10.in-addr.arpa";
+ };
+
+ zone "128.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/128.5.10.in-addr.arpa";
+ };
+
+ zone "129.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/129.5.10.in-addr.arpa";
+ };
+
+ zone "130.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/130.5.10.in-addr.arpa";
+ };
+
+ zone "131.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/131.5.10.in-addr.arpa";
+ };
+
+
+ zone "fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/QA/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/QA/cloud.fedoraproject.org.signed";
+ };
+ zone "getfedora.org" {
+ type master;
+ file "/var/named/master/built/QA/getfedora.org.signed";
+ };
+
+ include "/etc/named/zones.conf";
+};
+
+view "PHX2" {
+ match-clients { phx2net; rh-slaves; 192.168.0.0/16; 172.16.0.0/12; };
+ allow-recursion { localhost; phx2net; rh-slaves; rh; };
+ recursion yes;
+ // no rate-limit on internal requests
+ rate-limit {
+ exempt-clients { phx2net; };
+ };
+ # make sure we forward only for
redhat.com lookups
+ zone "redhat.com" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "beaker-project.org" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ # also, we need to forward some
jboss.org for fuse-fabric/bugzilla2fedmsg
+ zone "jboss.org" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "88.5.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "4.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "5.10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "10.in-addr.arpa" {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "186.132.209.in-addr.arpa." {
+ type forward;
+ forward only;
+ forwarders { 10.5.26.20; 10.5.26.21; };
+ };
+
+ zone "qa.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/qa.fedoraproject.org";
+ };
+
+ zone "phx2.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/phx2.fedoraproject.org";
+ };
+
+ zone "mgmt.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/mgmt.fedoraproject.org";
+ };
+
+ zone "arm.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/arm.fedoraproject.org";
+ };
+
+ zone "ppc.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/ppc.fedoraproject.org";
+ };
+
+ zone "s390.fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/s390.fedoraproject.org";
+ };
+
+ zone "78.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/78.5.10.in-addr.arpa";
+ };
+
+ zone "79.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/79.5.10.in-addr.arpa";
+ };
+
+ zone "124.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/124.5.10.in-addr.arpa";
+ };
+
+ zone "125.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/125.5.10.in-addr.arpa";
+ };
+
+ zone "126.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/126.5.10.in-addr.arpa";
+ };
+
+ zone "127.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/127.5.10.in-addr.arpa";
+ };
+
+ zone "128.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/128.5.10.in-addr.arpa";
+ };
+
+ zone "129.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/129.5.10.in-addr.arpa";
+ };
+
+ zone "130.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/130.5.10.in-addr.arpa";
+ };
+
+ zone "131.5.10.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/131.5.10.in-addr.arpa";
+ };
+
+
+ zone "fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/PHX2/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file
"/var/named/master/built/PHX2/cloud.fedoraproject.org.signed";
+ };
+ zone "getfedora.org" {
+ type master;
+ file "/var/named/master/built/PHX2/getfedora.org.signed";
+ };
+
+ include "/etc/named/zones.conf";
+};
+
+// The zones
+view "NA" {
+ match-clients { US; CA; MX; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/NA/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file
"/var/named/master/built/NA/cloud.fedoraproject.org.signed";
+ };
+ zone "getfedora.org" {
+ type master;
+ file "/var/named/master/built/NA/getfedora.org.signed";
+ };
+ include "/etc/named/zones.conf";
+};
+
+
+// This is not "EU" countries, I just wanted a short way to represent Europe.
+view "EU" {
+ match-clients { AT; BE; BG; CY; CZ; DE; DK; EE; ES; FI; FR; GR; HU; IT; LT; LU;
LV; MT; NL; PL; PT; RO; RU; SE; UA; GB; IE; IS; NO; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file "/var/named/master/built/EU/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file
"/var/named/master/built/EU/cloud.fedoraproject.org.signed";
+ };
+ zone "getfedora.org" {
+ type master;
+ file "/var/named/master/built/EU/getfedora.org.signed";
+ };
+ include "/etc/named/zones.conf";
+};
+
+
+view "DEFAULT" {
+ match-clients { any; };
+ recursion no;
+ zone "fedoraproject.org" {
+ type master;
+ file
"/var/named/master/built/DEFAULT/fedoraproject.org.signed";
+ };
+ zone "cloud.fedoraproject.org" {
+ type master;
+ file
"/var/named/master/built/DEFAULT/cloud.fedoraproject.org.signed";
+ };
+ zone "getfedora.org" {
+ type master;
+ file "/var/named/master/built/DEFAULT/getfedora.org.signed";
+ };
+ include "/etc/named/zones.conf";
+};
+
+// Enabling bind9 statistics on localhost for collectd
+statistics-channels {
+ inet 127.0.0.1 port 8053;
+};
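Review bot: `allow-transfer { localhost; slaves; rh-slaves; rh;};` in the options block grants zone transfers to the whole of 10.0.0.0/8 through the `rh` ACL, and the `slaves`, `ns_redhat`, `rh-slaves`, `phx2net`/`qanet` ACLs, the 10.5.26.20/21 forwarders and the fedoraproject.org/getfedora.org master zones look, judging by the header, inherited from the Fedora ns-master configuration rather than written for this deployment (update-dns clones the rpmfusion dns repository). If this host is not on that network those entries are dead at best and an over-broad AXFR grant at worst; trim the transfer list to the secondaries that actually exist here, e.g. `allow-transfer { localhost; slaves; };`, and review whether the QA and PHX2 recursive views and their forward zones apply at all. The `.signed` zone files under /var/named/master/built/{QA,PHX2,NA,EU,DEFAULT}/ are not shipped by this role and must come from the repository update-dns pulls; a comment at the top of the file stating that dependency would save the next maintainer a search.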
diff --git a/roles/dns/files/rndc.conf b/roles/dns/files/rndc.conf
new file mode 100644
index 0000000..ce30d35
--- /dev/null
+++ b/roles/dns/files/rndc.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc.conf,v 1.1 2007/03/21 18:40:16 mmcgrath Exp $ */
+
+/*
+ * Sample rndc configuration file.
+ */
+
+options {
+ default-server localhost;
+ default-key "rndckey";
+};
+
+server localhost {
+ key "rndckey";
+};
+
+include "/etc/rndc.key";
+
diff --git a/roles/dns/files/update-dns b/roles/dns/files/update-dns
new file mode 100755
index 0000000..1dad573
--- /dev/null
+++ b/roles/dns/files/update-dns
@@ -0,0 +1,22 @@
+#!/bin/bash
+dnsgit='https://git.rpmfusion.org/infrastructure/dns.git'
+destdir='/var/named/master/'
+
+if [ ! -d $destdir ];
+then
+ git clone $dnsgit $destdir
+fi
+
+cd $destdir
+git fetch origin
+
+if [ "`git diff origin/master`" != "" ];
+then
+ git pull -X theirs
+ # change context so the chroot can cope
+ chown -R named.named $destdir
+ chcon -u system_u $destdir/* $destdir/*/*
+ # reload named
+ /sbin/service named start >>/dev/null 2>&1
+ /sbin/service named reload >>/dev/null 2>&1
+fi
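Review bot: `cd $destdir` is unchecked, so if the clone failed or the directory is missing, `git fetch`, `git pull -X theirs`, `chown -R` and `chcon` all run against whatever the caller's working directory is (root's home when invoked from cron), and the later `service named reload` discards all output, so a pull that delivers an unloadable zone file or include goes unnoticed while named keeps serving stale data. Quote the expansions, stop on any failed step, test for changes with `git diff --quiet origin/master` instead of the backtick comparison, and gate the reload behind `named-checkconf -z` so a broken checkout never reaches the running server (on a chrooted install the check may need the chroot path). Whatever the repository delivers, including the `.signed` zones named.conf loads, is pulled and served with no review step, so push access to that repository is effectively control of the served zones; worth a comment at the top of the script.
```shell
#!/bin/bash
set -u
dnsgit='https://git.rpmfusion.org/infrastructure/dns.git'
destdir='/var/named/master/'

if [ ! -d "$destdir" ]; then
  git clone "$dnsgit" "$destdir" || exit 1
fi

cd "$destdir" || exit 1
git fetch origin || exit 1

if ! git diff --quiet origin/master; then
  git pull -X theirs || exit 1
  # change context so the chroot can cope
  chown -R named.named "$destdir"
  chcon -u system_u "$destdir"/* "$destdir"/*/*
  # refuse to reload on a broken config or zone: keep serving the last good data
  named-checkconf -z >/dev/null || exit 1
  /sbin/service named start >/dev/null 2>&1
  /sbin/service named reload >/dev/null 2>&1
fi
```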
diff --git a/roles/dns/files/zones.conf b/roles/dns/files/zones.conf
new file mode 100644
index 0000000..3c2b36e
--- /dev/null
+++ b/roles/dns/files/zones.conf
@@ -0,0 +1,22 @@
+zone "." {
+ type hint;
+ file "/var/named/named.ca";
+};
+
+
+//zone "fedoraproject.org" {
+// type master;
+// file "/var/named/master/built/fedoraproject.org.signed";
+//};
+
+
+zone "168.192.in-addr.arpa" {
+ type master;
+ file "/var/named/master/built/168.192.in-addr.arpa.signed";
+};
+
+
+//
+// Unsigned zones below this line.
+//
+
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
new file mode 100644
index 0000000..5a87ea5
--- /dev/null
+++ b/roles/dns/tasks/main.yml
@@ -0,0 +1,111 @@
+---
+- name: install packages
+ yum: name={{ item }} state=present
+ with_items:
+ - bind
+ - unzip
+ - git
+ - libsemanage-python
+ - policycoreutils-python
+ tags:
+ - packages
+ - dns
+
+- name: copy rndc config
+ copy: src=rndc.conf dest=/etc/rndc.conf
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: copy rndc key
+ copy: src={{ private }}/files/dns/rndc.key dest=/etc/rndc.key
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: copy named cache
+ copy: src=named.ca dest=/var/named/named.ca
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: copy GeoIP.sh
+ copy: src=GeoIP.sh dest=/var/named/GeoIP.sh mode=0755
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: create GeoIP acl
+ command: /var/named/GeoIP.sh
+ changed_when: "1 != 1"
+ notify:
+ - restart named
+ tags:
+ - dns
+
+- name: copy update-dns
+ copy: src=update-dns dest=/usr/local/bin/update-dns mode=0755
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: copy zones
+ copy: src=zones.conf dest=/etc/named/zones.conf owner=root group=root mode=0644
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: copy named config
+ copy: src=named.conf dest=/etc/named.conf mode=0644 owner=root group=root
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: update dns
+ command: /usr/local/bin/update-dns
+ changed_when: "1 != 1"
+ notify:
+ - restart named
+ tags:
+ - config
+ - dns
+
+- name: update dns cron
+ cron: name="update dns" job="/usr/local/bin/update-dns
>/dev/null" minute=0,15,30,45
+ tags:
+ - dns
+
+- name: check semanage ports
+ command: semanage port -l
+ register: semanageoutput
+ check_mode: no
+ changed_when: "1 != 1"
+ tags:
+ - dns
+
+- name: set ports so bind statistics-channel can bind to 8053
+ command: semanage port -a -t dns_port_t -p tcp 8053
+ when: semanageoutput.stdout.find("8053") == -1
+ notify:
+ - restart named
+ tags:
+ - dns
+
+- name: named service
+ service: name=named state=started enabled=yes
+ tags:
+ - dns
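Review bot: The `copy rndc key` task installs /etc/rndc.key with no `owner`, `group` or `mode`, so the shared rndc secret gets whatever the remote umask yields (typically world-readable) while named.conf's `controls` block trusts exactly that key; write it as `copy: src={{ private }}/files/dns/rndc.key dest=/etc/rndc.key owner=root group=named mode=0640`. Nine tasks notify `restart named`, but the diffstat adds no roles/dns/handlers file, so unless the handler is defined elsewhere the play will fail at the first notification. `create GeoIP acl` and `update dns` also combine `changed_when: "1 != 1"` with that notify, which can never fire, and `create GeoIP acl` re-downloads the MaxMind database on every run of the play rather than on a schedule.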