nameserver: split horizon dns for the vpn

This should avoid the VPN address conflicting with the local IP subnet: LAN clients resolve the domain to the local IP, VPN clients to the VPN IP.
dogeystamp 2024-12-15 17:11:02 -05:00
parent b4eed7d1a3
commit aba27dfafc
3 changed files with 64 additions and 31 deletions


@ -1,19 +1,32 @@
- name: Install nameserver packages # - name: Install nameserver packages
community.general.pacman: # community.general.pacman:
name: bind # name: bind
state: present # state: present
#
- name: Configure nameserver - name: Configure nameserver
template: template:
src: named.conf.j2 src: named.conf.j2
dest: /etc/named.conf dest: /etc/named.conf
validate: /usr/bin/named-checkconf %s
notify: Restart nameserver notify: Restart nameserver
- name: Add nameserver zone - name: Add nameserver zone (LAN)
template: template:
src: local_zone.j2 src: local_zone.j2
dest: "/var/named/{{ dyndns_domain }}" dest: "/var/named/{{ dyndns_domain }}"
notify: Restart nameserver notify: Restart nameserver
vars:
resolve_ip: "{{ local_ip }}"
serial: "42"
- name: Add nameserver zone (VPN)
template:
src: local_zone.j2
dest: "/var/named/{{ dyndns_domain }}.vpn"
notify: Restart nameserver
vars:
resolve_ip: "{{ vpn_ip }}"
serial: "43"
- name: Enable nameserver - name: Enable nameserver
service: service:
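Review bot: The two zone-file tasks ("Add nameserver zone (LAN)" and "(VPN)") write templates straight into /var/named without the `validate:` that the "Configure nameserver" task now gets, so a typo in local_zone.j2 or an empty `vpn_ip` only surfaces when the "Restart nameserver" handler takes the whole resolver down; add `validate: "/usr/bin/named-checkzone {{ dyndns_domain }} %s"` to both tasks so a bad zone is rejected before the file is written. named.conf only populates the `vpns` ACL when `wireguard is defined`, but the VPN zone task runs unconditionally and needs `vpn_ip`; if that variable is only set alongside the WireGuard config, gate the task with `when: wireguard is defined`. The hard-coded `serial: "42"` and `"43"` never change when the zone content does; with `allow-transfer { none; }` that is harmless today, but a comment such as `# serial is static: no secondaries, zone is reloaded in place` would stop someone relying on it later. The "Enable nameserver" task at the end of the hunk continues outside it.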


@ -1,12 +1,12 @@
$TTL 604800 $TTL 604800
@ IN SOA {{ dyndns_domain }}. {{ email }}. ( @ IN SOA {{ dyndns_domain }}. {{ email }}. (
3 ; Serial {{ serial }} ; Serial
604800 ; Refresh 604800 ; Refresh
86400 ; Retry 86400 ; Retry
2419200 ; Expire 2419200 ; Expire
604800 ) ; Negative Cache TTL 604800 ) ; Negative Cache TTL
; ;
ns IN A {{ local_ip }} ns IN A {{ resolve_ip }}
@ IN NS localhost. @ IN NS localhost.
@ IN A {{ local_ip }} @ IN A {{ resolve_ip }}
{{ dyndns_domain }} IN A {{ local_ip }} {{ dyndns_domain }} IN A {{ resolve_ip }}
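Review bot: With `$TTL 604800` on the first line the split-horizon answers are cacheable for a week, so a client with a local caching resolver (systemd-resolved, dnsmasq) that moves between the LAN and the VPN keeps the address from the other view until that cache expires, which is exactly the conflict the commit is trying to avoid. Lower it to something like `$TTL 300`, and consider doing the same for the SOA minimum field (the `604800 ; Negative Cache TTL` line) so negative answers do not linger either. The final record `{{ dyndns_domain }} IN A {{ resolve_ip }}` has no trailing dot, so relative to the zone origin it defines `{{ dyndns_domain }}.{{ dyndns_domain }}.` rather than the apex, which the `@ IN A` line already covers; drop it or terminate the name with a dot. `@ IN NS localhost.` also advertises localhost as the authoritative server while an `ns` A record is defined two lines above; `@ IN NS ns` would be the consistent choice, though with transfers disabled this is cosmetic.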


@ -1,11 +1,17 @@
// vim:set ts=4 sw=4 et: // vim:set filetype=named ts=4 sw=4 et:
acl locals {
127.0.0.0/8;
};
acl internals { acl internals {
127.0.0.0/8;
{{ local_subnet }}; {{ local_subnet }};
{% if wireguard is defined %} };
acl vpns {
{% if wireguard is defined %}
{{ wireguard.ip.cidr }}; {{ wireguard.ip.cidr }};
{% endif %} {% endif %}
}; };
options { options {
@ -16,30 +22,44 @@ options {
listen-on { any; }; listen-on { any; };
recursion yes; recursion yes;
allow-recursion { any; }; allow-recursion { internals; locals; vpns; };
allow-query { internals; }; allow-query { internals; locals; vpns; };
allow-transfer { none; }; allow-transfer { none; };
dnssec-validation no; dnssec-validation no;
resolver-query-timeout 30000; resolver-query-timeout 30000;
}; };
zone "localhost" IN { view "local-view" {
type master; match-clients { locals; };
file "localhost.zone"; zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "localhost.ip6.zone";
};
}; };
zone "0.0.127.in-addr.arpa" IN {
type master; view "internal-view" {
file "127.0.0.zone"; match-clients { internals; };
zone "{{ dyndns_domain }}" {
type master;
file "/var/named/{{ dyndns_domain }}";
};
}; };
zone "{{ dyndns_domain }}" { view "vpn-view" {
type master; match-clients { vpns; };
file "/var/named/{{ dyndns_domain }}"; zone "{{ dyndns_domain }}" {
}; type master;
file "/var/named/{{ dyndns_domain }}.vpn";
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "localhost.ip6.zone";
}; };
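Review bot: `dnssec-validation no;` stays in `options` while `recursion yes` is now offered to every LAN and VPN client, so the resolver passes on whatever upstream returns, forged or not; `dnssec-validation auto;` enables validation with the built-in root trust anchor and is what a recursive resolver serving other hosts should run with, unless a known-broken upstream forced it off, in which case say so in a comment. Views are matched in order, so a client address inside both `{{ local_subnet }}` and `{{ wireguard.ip.cidr }}` always lands in `internal-view` and never sees the `.vpn` zone; that is fine if the two ranges are disjoint, as the commit message suggests, but a comment above `view "internal-view"` stating that the order is deliberate would help. Queries from the host itself over 127.0.0.1 match `local-view`, which carries no `{{ dyndns_domain }}` zone, so the server resolves its own dynamic domain recursively via upstream rather than from either split-horizon file; worth documenting if that is intended. When `wireguard` is undefined the `vpns` ACL renders empty and `vpn-view` matches nothing; verify named-checkconf accepts an empty ACL, or wrap the whole view in the same `{% if wireguard is defined %}` so the config does not carry a dead view.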