nameserver: split horizon dns for the vpn

Should avoid VPN conflicts with the local IP subnet.
This commit is contained in:
dogeystamp 2024-12-15 17:11:02 -05:00
parent b4eed7d1a3
commit aba27dfafc
3 changed files with 64 additions and 31 deletions


@ -1,19 +1,32 @@
- name: Install nameserver packages
community.general.pacman:
name: bind
state: present
# - name: Install nameserver packages
# community.general.pacman:
# name: bind
# state: present
#
- name: Configure nameserver
template:
src: named.conf.j2
dest: /etc/named.conf
validate: /usr/bin/named-checkconf %s
notify: Restart nameserver
- name: Add nameserver zone
- name: Add nameserver zone (LAN)
template:
src: local_zone.j2
dest: "/var/named/{{ dyndns_domain }}"
notify: Restart nameserver
vars:
resolve_ip: "{{ local_ip }}"
serial: "42"
- name: Add nameserver zone (VPN)
template:
src: local_zone.j2
dest: "/var/named/{{ dyndns_domain }}.vpn"
notify: Restart nameserver
vars:
resolve_ip: "{{ vpn_ip }}"
serial: "43"
- name: Enable nameserver
service:
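Review bot: The package install task at the top of the hunk is commented out rather than removed, so nothing in this role ensures bind is present, and the `validate: /usr/bin/named-checkconf %s` step of "Configure nameserver" fails on a fresh host; either delete the dead block or restore the task. The new "Add nameserver zone (VPN)" task uses `vpn_ip` unconditionally while named.conf.j2 only populates the vpns acl under `{% if wireguard is defined %}`, so a host without the VPN fails on an undefined variable — a matching guard such as `when: wireguard is defined` (or whatever condition actually defines vpn_ip) keeps the two in step. The fixed `serial: "42"`/`"43"` values never change when zone content changes, which is only safe while `allow-transfer { none; }` stays in named.conf; a comment like `# static serial: zone is never transferred (allow-transfer none in named.conf.j2)` would record that. The enclosing task list continues past the end of the hunk.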


@ -1,12 +1,12 @@
$TTL 604800
@ IN SOA {{ dyndns_domain }}. {{ email }}. (
3 ; Serial
{{ serial }} ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
ns IN A {{ local_ip }}
ns IN A {{ resolve_ip }}
@ IN NS localhost.
@ IN A {{ local_ip }}
{{ dyndns_domain }} IN A {{ local_ip }}
@ IN A {{ resolve_ip }}
{{ dyndns_domain }} IN A {{ resolve_ip }}
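Review bot: The owner name on the last line, `{{ dyndns_domain }} IN A {{ resolve_ip }}`, is unqualified, so it is relative to the zone origin and defines `<domain>.<domain>` rather than the apex, which the preceding `@ IN A {{ resolve_ip }}` line already covers; drop it, or qualify it with a trailing dot (`{{ dyndns_domain }}. IN A {{ resolve_ip }}`), at which point it merely duplicates `@`. The old line it replaces had the same form, so this is pre-existing, but the templated rewrite is the moment to fix it. Since the file is now rendered once per view with a different `resolve_ip`, a header comment stating that `serial` and `resolve_ip` are supplied by the calling task would help the next reader. `@ IN NS localhost.` still advertises a nameserver other than the `ns` host this file defines; `@ IN NS ns` would make the NS and A records agree, if that is the intent.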


@ -1,11 +1,17 @@
// vim:set ts=4 sw=4 et:
// vim:set filetype=named ts=4 sw=4 et:
acl locals {
127.0.0.0/8;
};
acl internals {
127.0.0.0/8;
{{ local_subnet }};
{% if wireguard is defined %}
};
acl vpns {
{% if wireguard is defined %}
{{ wireguard.ip.cidr }};
{% endif %}
{% endif %}
};
options {
@ -16,30 +22,44 @@ options {
listen-on { any; };
recursion yes;
allow-recursion { any; };
allow-query { internals; };
allow-recursion { internals; locals; vpns; };
allow-query { internals; locals; vpns; };
allow-transfer { none; };
dnssec-validation no;
resolver-query-timeout 30000;
};
zone "localhost" IN {
type master;
file "localhost.zone";
view "local-view" {
match-clients { locals; };
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "localhost.ip6.zone";
};
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
view "internal-view" {
match-clients { internals; };
zone "{{ dyndns_domain }}" {
type master;
file "/var/named/{{ dyndns_domain }}";
};
};
zone "{{ dyndns_domain }}" {
type master;
file "/var/named/{{ dyndns_domain }}";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "localhost.ip6.zone";
view "vpn-view" {
match-clients { vpns; };
zone "{{ dyndns_domain }}" {
type master;
file "/var/named/{{ dyndns_domain }}.vpn";
};
};
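Review bot: `view "vpn-view"` at the end of the hunk is emitted unconditionally and loads `/var/named/{{ dyndns_domain }}.vpn`, while the `vpns` acl in the first hunk is only populated under `{% if wireguard is defined %}`; on a host without wireguard the view matches no client, but named will still log a zone-load failure for the missing file at restart (the playbook's `named-checkconf %s` validation checks config syntax only, not zone files). Wrapping the view in the same guard, `{% if wireguard is defined %}` … `{% endif %}`, keeps the template consistent with the acl. Restricting `allow-query`/`allow-recursion` to the acls closes the open resolver, but `listen-on { any; };` still binds every interface; limiting it to loopback, `{{ local_ip }}` and the VPN address (only when wireguard is defined) would stop the public interface from answering at all, even with refusals. `dnssec-validation no;` is pre-existing but deserves a comment explaining why validation is disabled on a recursive resolver. `local-view` (loopback clients) carries no `{{ dyndns_domain }}` zone, so the host itself resolves the domain through recursion rather than from the LAN zone file — if that is intentional, a comment saying so would prevent a later "fix".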