Ansible Role linuxfabrik.lfops.bind¶

This role installs and configures bind as a DNS server, either as a primary or secondary.

Tags¶

bind

Installs and configures bind.
Triggers: named.service restart.

bind:configure

Manages the main named config and the zones.
Triggers: named.service reload.

bind:state

Manages the state of the named systemd service.
Triggers: none.

Mandatory Role Variables¶

bind__trusted_networks

List of networks from which DNS queries are allowed. Results in the trusted ACL in the config.
Type: List of strings.

bind__zones

List of dictionaries defining the zone files with the DNS records.
Type: List of dictionaries.
Subkeys:
- name:
  - Mandatory. The name of the zone. Suffix with in-addr.arpa (IPv4) / ip6.arpa (IPv6) for reverse zones.
  - Type: String.
- file:
  - Optional. The filename for the zone file under /var/named/. Defaults to name with .zone suffix.
  - Type: String.
- type:
  - Optional. type of the zone.
  - Type: String.
  - Default: 'master'
- forwarders:
  - Optional. forwarders of the zone.
  - Type: List of strings.
  - Default: []
- allow_transfer:
  - Optional. allow-transfer of the zone to a secondary.
  - Type: List of strings.
  - Default: []
- masters:
  - Optional. masters of from which to fetch the zone.
  - Type: List of strings.
  - Default: []
- raw:
  - Optional. The raw content of the zone file.
  - Type: Multiline string.

Example:

# mandatory
bind__trusted_networks:
  - 'any'
bind__zones:
  - name: 'example.com'
    file: 'forward.zone'
    raw: |-
      $TTL 1H

      @ IN SOA dns-server.example.com. root@example.com. (
          2022042501 ; <SERNO>
          1H         ; <TIME-TO-REFRESH>
          1H         ; <TIME-TO-RETRY>
          1W         ; <TIME-TO-EXPIRE>
          1D )       ; <minimum-TTL>

      @ IN NS dns-server.example.com.
      _ldap._tcp    IN     SRV     10 10 389 dns-server.example.com.

      dns-server        IN A    192.0.2.2
  - name: '2.0.192.in-addr.arpa'
    file: 'reverse.zone'
    raw: |-
      $TTL 1H

      @ IN SOA dns-server.example.com. info@example.com. (
          2022042501 ; <SERNO>
          1H         ; <TIME-TO-REFRESH>
          1H         ; <TIME-TO-RETRY>
          1W         ; <TIME-TO-EXPIRE>
          1D )       ; <minimum-TTL>

      @ IN NS dns-server.example.com.

      2    IN PTR dns-server.example.com.

Optional Role Variables¶

bind__allow_new_zones

If true, then zones can be added at runtime via rndc addzone.
Type: Bool.
Default: false

bind__allow_query_cache

List of ACLs (use 'trusted' for the bind__trusted_networks) or Address Match Lists which are allowed to query the cache. This effectively controls who can use recursion. When setting bind__recursion: false, it makes sense to set this to 'none' to prevent any answer.
Type: List of strings.
Default: ['trusted']

bind__allow_recursion

List of ACLs (use 'trusted' for the bind__trusted_networks) or Address Match Lists which are allowed to initiate recursive queries. When setting bind__recursion: false, it makes sense to set this to 'none' to prevent any answer.
Type: List of strings.
Default: ['trusted']

bind__allow_transfer

The global allow-transfer option. Can be overwritten per zone.
Type: List of strings.
Default: ['none']

bind__forwarders

List of DNS servers to which DNS queries to unknown domain names should be forwarded.
Type: List of strings.
Default: ['1.0.0.1', '1.1.1.1']

bind__keys

keys for use with TSIG or the command channel (rndc).
Type: List of dictionaries.
Default: []
Subkeys:
- name:
  - Mandatory. Name of the key.
  - Type: String.
- algorithm:
  - Mandatory. algorithm of the key.
  - Type: String.
- secret:
  - Mandatory. The key's secret. Will be base64 encoded by the role.
  - Type: String.

bind__listen_ipv6

Enables or disables listening on IPv6.
Type: Bool.
Default: false

bind__listen_on_addresses

List of addresses on which the server will listen. This indirectly sets the listening interface(s).
Type: List of strings.
Default: ['any']

bind__named_conf_raw

Raw content which will be appended to the end of /etc/named.conf.
Type: Multiline string.
Default: unset

bind__named_service_enabled

Enables or disables the named service, analogous to systemctl enable/disable --now.
Type: Bool.
Default: true

bind__recursion

Defines whether recursion and caching are allowed. Disabling recursion is recommended for authorative name servers.
Type: Bool.
Default: true

bind__rpz_zone

Name of the RPZ zone. Setting this enables the usage of a reverse-policy zone (have a look at https://dnsrpz.info/, basically acts as a /etc/hosts file for all clients). To use this, also create a zone with name: '{{ bind__rpz_zone }}' in bind__zones.
Type: String.
Default: unset

Example:

# optional
bind__allow_new_zones: true
bind__allow_query_cache:
  - 'none'
bind__allow_recursion:
  - 'none'
bind__allow_transfer:
  - '192.0.2.0/24'
bind__forwarders:
  - '1.0.0.1'
  - '1.1.1.1'
bind__keys:
  - name: 'rndc-key-192.0.2.3'
    algorithm: 'hmac-sha256'
    secret: 'linuxfabrik'
bind__listen_ipv6: true
bind__listen_on_addresses:
  - '192.0.2.2/32'
bind__named_conf_raw: |-
  include "/etc/rndc.key";
  controls {
      inet * port 953 allow { localhost; 192.0.2.3; 127.0.0.1; } keys { "rndc-key"; "rndc-key-192.0.2.3"; };
  };
bind__named_service_enabled: true
bind__recursion: false
bind__rpz_zone: 'rpz'
bind__zones:
  # make use of the bind__rpz_zone
  - name: '{{ bind__rpz_zone }}'
    file: '{{ bind__rpz_zone }}.zone'
    raw: |-
      $TTL 1H

      @ IN SOA 001-p-infra01.example.com. info@example.com. (
          2022101801 ; <SERNO>
          1H         ; <TIME-TO-REFRESH>
          1H         ; <TIME-TO-RETRY>
          1W         ; <TIME-TO-EXPIRE>
          1D )       ; <minimum-TTL>

      @ IN NS 001-p-infra01.example.com.

      internal-website.example.com     A     192.0.2.3

Primary-Secondary Example¶

With this configuration the primary actively notifies the secondary for any zone changes (i.e. changes to the serial). The secondary actively checks the serial for changes every 1 hour (TIME-TO-REFRESH). The secondary caches the zone file locally, and uses the cached version during startup.

Note: BIND 9.11 (RHEL8) does not yet support primary and secondary, use master and slave instead.

Primary:

# either set `bind__allow_transfer` for all zones, or the `allow_transfer` subkey per zone to allow access
bind__allow_transfer:
  - '192.0.2.0/24'
bind__zones:
  - name: 'example.com'
    file: 'forward.zone'
    type: 'master'
    raw: |-
      $TTL 1H

      @ IN SOA primary.example.com. root@example.com. (
          2024082801 ; <SERNO>
          1H         ; <TIME-TO-REFRESH>
          1H         ; <TIME-TO-RETRY>
          1W         ; <TIME-TO-EXPIRE>
          1D )       ; <minimum-TTL>

      @ IN NS primary.example.com.
      @ IN NS secondary.example.com.

      primary        IN A    192.0.2.2
      secondary      IN A    192.0.2.3

  - name: '2.0.192.in-addr.arpa'
    file: 'reverse.zone'
    type: 'master'
    # more specific than `bind__allow_transfer`, takes priority
    allow_transfer:
      - '192.0.2.3/32'
    raw: |-
      $TTL 1H

      @ IN SOA primary.example.com. root@example.com. (
          2024082801 ; <SERNO>
          1H         ; <TIME-TO-REFRESH>
          1H         ; <TIME-TO-RETRY>
          1W         ; <TIME-TO-EXPIRE>
          1D )       ; <minimum-TTL>

      @ IN NS primary.example.com.
      @ IN NS secondary.example.com.

      2   IN PTR primary.example.com.
      3   IN PTR secondary.example.com.

Secondary:

bind__zones:
  - name: 'example.com'
    file: 'forward.zone'
    type: 'master'
    masters:
      - '192.0.2.2'

  - name: '2.0.192.in-addr.arpa'
    file: 'reverse.zone'
    type: 'slave'
    masters:
      - '192.0.2.2'

License¶

The Unlicense

Author Information¶

Linuxfabrik GmbH, Zurich