From aba27dfafcb3a27acacbf759e9d7b9e03c29edc5 Mon Sep 17 00:00:00 2001
From: dogeystamp
Date: Sun, 15 Dec 2024 17:11:02 -0500
Subject: [PATCH] nameserver: split horizon dns for the vpn

should avoid vpn conflicts with local ip subnet
---
 roles/networking/nameserver/tasks/main.yml | 25 ++++++--
 .../nameserver/templates/local_zone.j2 | 8 +--
 .../nameserver/templates/named.conf.j2 | 62 ++++++++++++-------
 3 files changed, 64 insertions(+), 31 deletions(-)

diff --git a/roles/networking/nameserver/tasks/main.yml b/roles/networking/nameserver/tasks/main.yml
index b81da3b..7907700 100644
--- a/roles/networking/nameserver/tasks/main.yml
+++ b/roles/networking/nameserver/tasks/main.yml
@@ -1,19 +1,32 @@
-- name: Install nameserver packages - community.general.pacman: - name: bind - state: present - +# - name: Install nameserver packages +# community.general.pacman: +# name: bind +# state: present +# - name: Configure nameserver template: src: named.conf.j2 dest: /etc/named.conf + validate: /usr/bin/named-checkconf %s notify: Restart nameserver -- name: Add nameserver zone +- name: Add nameserver zone (LAN) template: src: local_zone.j2 dest: "/var/named/{{ dyndns_domain }}" notify: Restart nameserver + vars: resolve_ip: "{{ local_ip }}" serial: "42" + +- name: Add nameserver zone (VPN) template: src: local_zone.j2 dest: "/var/named/{{ dyndns_domain }}.vpn" notify: Restart nameserver + vars: resolve_ip: "{{ vpn_ip }}" serial: "43" - name: Enable nameserver service:
diff --git a/roles/networking/nameserver/templates/local_zone.j2 b/roles/networking/nameserver/templates/local_zone.j2
index c3ed6fb..662752b 100644
--- a/roles/networking/nameserver/templates/local_zone.j2
+++ b/roles/networking/nameserver/templates/local_zone.j2
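Review bot: The new `Add nameserver zone (VPN)` task renders `{{ vpn_ip }}` unconditionally, while named.conf.j2 only fills the `vpns` ACL inside `{% if wireguard is defined %}`; on a host without wireguard the play will presumably stop on an undefined variable (where `vpn_ip` comes from is not visible in this diff), so keep the two files in step with `when: wireguard is defined` on the VPN task. The fixed `serial: "42"` / `serial: "43"` values never change when the zone content does, which is harmless only as long as `allow-transfer { none; }` stays in named.conf and deserves a comment such as `# static serial: no secondaries, zone is regenerated in place`. The install task is commented out rather than deleted; git keeps the history, so either drop the `# - name: Install nameserver packages` block or say why it is retained. The `validate: /usr/bin/named-checkconf %s` line is a good addition, since a broken config is now rejected before the restart handler fires.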
@@ -1,12 +1,12 @@
 $TTL 604800
 @ IN SOA {{ dyndns_domain }}. {{ email }}. (
- 3 ; Serial
+ {{ serial }} ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
 ;
-ns IN A {{ local_ip }}
+ns IN A {{ resolve_ip }}
 @ IN NS localhost.
-@ IN A {{ local_ip }}
-{{ dyndns_domain }} IN A {{ local_ip }}
+@ IN A {{ resolve_ip }}
+{{ dyndns_domain }} IN A {{ resolve_ip }}
diff --git a/roles/networking/nameserver/templates/named.conf.j2 b/roles/networking/nameserver/templates/named.conf.j2
index b824ba4..1c3b0a8 100644
--- a/roles/networking/nameserver/templates/named.conf.j2
+++ b/roles/networking/nameserver/templates/named.conf.j2
@@ -1,11 +1,17 @@
-// vim:set ts=4 sw=4 et:
+// vim:set filetype=named ts=4 sw=4 et:
+
+acl locals {
+ 127.0.0.0/8;
+};
 acl internals {
- 127.0.0.0/8;
 {{ local_subnet }};
- {% if wireguard is defined %}
+};
+
+acl vpns {
+{% if wireguard is defined %}
 {{ wireguard.ip.cidr }};
- {% endif %}
+{% endif %}
 };
 options {
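Review bot: local_zone.j2 now depends on two task-supplied variables, `resolve_ip` and `serial`, but nothing in the template records that, so any other task that renders it without a matching `vars:` block fails with an undefined-variable error at deploy time rather than at review time. Add a header comment at the top of the zone template, e.g. `; rendered once per view: expects resolve_ip (address for the ns/@/domain A records) and serial (SOA serial) from task vars`. The value passed for `{{ serial }}` must stay integer-looking, since BIND rejects a non-numeric SOA serial.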
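Review bot: `acl locals { 127.0.0.0/8; };` covers only IPv4 loopback, so if named also listens on IPv6 (no `listen-on-v6` is visible in this diff) a query from `::1` matches none of `locals`, `internals` or `vpns` and is refused by the new `allow-query` / `allow-recursion` lists; either add `::1;` to the ACL or use BIND's built-in ACL, `acl locals { localhost; };`. When `wireguard` is undefined the template emits an empty `acl vpns { };`, which BIND should accept as an ACL matching nothing (the new `named-checkconf` validation will confirm it), but a one-line `// empty when wireguard is undefined; matches no client` comment above it would save the next reader that check. Tightening `allow-recursion` from `any` to the three ACLs is the right direction given `listen-on { any; };` is kept, since an open recursive resolver is a reflection-amplification exposure.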
@@ -16,30 +22,44 @@ options {
 listen-on { any; };
 recursion yes;
- allow-recursion { any; };
- allow-query { internals; };
+ allow-recursion { internals; locals; vpns; };
+ allow-query { internals; locals; vpns; };
 allow-transfer { none; };
 dnssec-validation no;
 resolver-query-timeout 30000;
 };
-zone "localhost" IN {
- type master;
- file "localhost.zone";
+view "local-view" {
+ match-clients { locals; };
+ zone "localhost" IN {
+ type master;
+ file "localhost.zone";
+ };
+
+ zone "0.0.127.in-addr.arpa" IN {
+ type master;
+ file "127.0.0.zone";
+ };
+
+ zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+ type master;
+ file "localhost.ip6.zone";
+ };
 };
-zone "0.0.127.in-addr.arpa" IN {
- type master;
- file "127.0.0.zone";
+
+view "internal-view" {
+ match-clients { internals; };
+ zone "{{ dyndns_domain }}" {
+ type master;
+ file "/var/named/{{ dyndns_domain }}";
+ };
 };
-zone "{{ dyndns_domain }}" {
- type master;
- file "/var/named/{{ dyndns_domain }}";
- };
-
-
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "localhost.ip6.zone";
+view "vpn-view" {
+ match-clients { vpns; };
+ zone "{{ dyndns_domain }}" {
+ type master;
+ file "/var/named/{{ dyndns_domain }}.vpn";
+ };
 };
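Review bot: The `{{ dyndns_domain }}` zone is defined only in `internal-view` and `vpn-view`, so a query from the nameserver host itself (source 127.0.0.0/8, matched first by `view "local-view"`) no longer gets the local answer and is presumably recursed upstream instead, which both breaks local resolution of the name and discloses the internal name to the upstream resolver; if the host's own resolver points at this server, add the LAN `zone "{{ dyndns_domain }}"` block to `local-view` as well, or serve the loopback zones in every view and drop the separate one. Conversely, LAN and VPN clients no longer see the `localhost`, `0.0.127.in-addr.arpa` and `ip6.arpa` zones, which now also go to recursion; if that is intended, record it with a comment such as `// loopback zones are served only to the host itself; other views recurse for them` above `view "local-view"`. Views are matched in order, so keep `local-view` first as written. The enclosing `options {` block starts before this hunk.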