Ansible named-server role for both public and private DNS

From Notes_Wiki

Home > CentOS > CentOS 6.x > System administration tools > ansible > Ansible roles > Ansible named-server role for both public and private DNS

It may be desired to configure both a public (internet-facing) and a private (intranet) DNS server for the same zone using ansible. This is tricky because the Resource Records (RRs) served by the public and private DNS differ greatly: the same hostnames must resolve to public addresses from the internet and to intranet addresses from inside (split-horizon DNS). With a small indirection in the variables this can be done with a single role, as follows:

Example private-DNS playbook:

---
- name: Configure ns1.sbarjatiya.com machine
  hosts: 10.4.20.151
  vars:
      zone_names: 
        - admin.sbarjatiya.com.
      forward_zones:
        - { zone: "sbarjatiya.com.", forwarders: "10.4.20.204; 10.4.3.222;" }
      zone_address: 10.4.20.170
      allow_query_from: "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;"
      allow_recursion_from: "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;"
      name_servers:
       - ns1.admin.sbarjatiya.com.
       - ns2.admin.sbarjatiya.com.
      mail_servers:
       - " 10 smtp.admin.sbarjatiya.com."
      dns_server_list: "{{admin_sbarjatiya_private_servers}}"

  roles:
    - common
    - named-server

Here:

  • zone_names contains the names of zones for which this DNS is authoritative (one forward zone file is generated per zone); forward_zones contains zones whose queries should be forwarded to other DNS servers. Either list can be an empty list [ ] if authoritative zones or forward zones are not required.
  • zone_address is used for the A record of the zone apex (the bare zone name).
  • allow_query_from and allow_recursion_from control from where queries, and especially recursive queries, are accepted. Both values are pasted verbatim into named.conf address match lists, so every element must end with ';'. For a public DNS that is also reachable from the internal network, queries can be allowed from anywhere with "any;" whereas recursion should be allowed only for the intranet IP ranges. Never set allow_recursion_from to "any;" on an internet-facing server: an open recursive resolver is abused for DNS amplification attacks and its cache can be poisoned by anyone who can query it.
  • name_servers are the DNS servers (NS records) for the authoritative zone. Corresponding A records for these hosts must be present in the list referenced by dns_server_list; otherwise the zone still loads, but named warns that the NS has no address records and the servers cannot be reached by those names.
  • mail_servers is used for declaring MX records; each entry is the text that follows "IN MX", i.e. "<priority> <mail host>.". Other zone-level records can also be declared in the same way.
  • dns_server_list refers to another variable which contains the hostname to IP mappings of the hosts inside the zone. By having this indirect mapping both public and private DNS servers can use the same role and the same zone template, differing only in which mapping (public or private addresses) they point to.
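To see what the two ACL variables actually do for a given client before the role is deployed, the following added example (not part of the original role) reproduces the first-match semantics BIND applies to an address match list such as "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;" or "any;". It only implements the subset of BIND's syntax used on this page (CIDR prefixes, bare addresses, the keywords any/none/localhost and a leading "!"), simplifies localhost to loopback, and uses the settings of the two playbooks above plus a constructed open-resolver variant; the client addresses are constructed too.

```python
"""Evaluate allow_query_from / allow_recursion_from offline.

Added example, not part of the original role: it mimics BIND's first-match
evaluation of an address_match_list so the two playbook settings can be
sanity-checked before named is restarted with them.
"""
import ipaddress

# Values from the private and public playbooks above.
PRIVATE_NS = {
    "allow_query_from": "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;",
    "allow_recursion_from": "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;",
}
PUBLIC_NS = {
    "allow_query_from": "any; ",
    "allow_recursion_from": "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;",
}
# Constructed mistake: recursion for the whole internet (open resolver).
OPEN_RESOLVER = {
    "allow_query_from": "any;",
    "allow_recursion_from": "any;",
}


def parse_acl(acl):
    """Split a ';'-separated address_match_list into (negated, element) pairs.

    Network elements become ipaddress networks; any/none/localhost stay as
    keyword strings and are interpreted in matches().
    """
    elements = []
    for raw in acl.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        if token in ("any", "none", "localhost"):
            elements.append((negated, token))
        else:
            # strict=False accepts host bits set in the prefix, as BIND does
            elements.append((negated, ipaddress.ip_network(token, strict=False)))
    return elements


def matches(acl, client_ip):
    """First matching element decides, as in BIND; no match means denied."""
    addr = ipaddress.ip_address(client_ip)
    for negated, element in parse_acl(acl):
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element == "localhost":
            hit = addr.is_loopback   # simplification: BIND also matches own interfaces
        else:
            hit = addr.version == element.version and addr in element
        if hit:
            return not negated
    return False


def classify(settings, client_ip):
    """What a named.conf built from these settings does for one client:
    'refused', 'authoritative-only' (queries yes, recursion no) or 'recursive'.

    The template prepends localhost / 127.0.0.0/8 to the playbook values,
    so the same is done here.
    """
    query_acl = "localhost; " + settings["allow_query_from"]
    recurse_acl = "127.0.0.0/8; " + settings["allow_recursion_from"]
    if not matches(query_acl, client_ip):
        return "refused"
    if matches(recurse_acl, client_ip):
        return "recursive"
    return "authoritative-only"


def is_open_resolver(settings):
    """True if an arbitrary internet address (TEST-NET-2 here) gets recursion."""
    return classify(settings, "198.51.100.7") == "recursive"


if __name__ == "__main__":
    for label, cfg in (("private", PRIVATE_NS), ("public", PUBLIC_NS), ("open", OPEN_RESOLVER)):
        for ip in ("10.4.20.151", "192.168.1.20", "198.51.100.7", "127.0.0.1"):
            print(label, ip, classify(cfg, ip))
        print(label, "open resolver:", is_open_resolver(cfg))
```

With the public settings an outside address such as 198.51.100.7 is classified as authoritative-only (it can ask about admin.sbarjatiya.com. but gets no recursion), an intranet address is recursive, and the OPEN_RESOLVER variant is flagged; the private settings refuse the outside address altogether.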


Example public-DNS playbook:

---
- name: Configure public-ns1.sbarjatiya.com machine
  hosts: 10.4.20.172
  vars:
      zone_names: 
        - admin.sbarjatiya.com.
      forward_zones: 
        - { zone: "sbarjatiya.com.", forwarders: "10.4.2.210; 10.4.8.3;" }
      zone_address: 184.73.229.52
      allow_query_from: "any; "
      allow_recursion_from: "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;"
      name_servers:
       - public-ns1.admin.sbarjatiya.com.
       - public-ns2.admin.sbarjatiya.com.
      mail_servers:
       - " 10 smtp.admin.sbarjatiya.com."
      dns_server_list: "{{admin_sbarjatiya_public_servers}}"

  roles:
    - common
    - named-server

For the purpose of each variable refer to the explanation of the private-DNS playbook above. The differences are zone_address, the name_servers, the dns_server_list mapping, and allow_query_from, which is "any;" here so that the whole internet can query the zone, while allow_recursion_from stays limited to the intranet ranges.


Create the roles/named-server/{handlers,tasks,templates} folders using:

mkdir -p roles/named-server/{handlers,tasks,templates} 


Create handlers/main.yaml file as:

---
- name: restart bind
  service: name=named state=restarted


Create tasks/main.yaml file as:

---
- name: Install bind and bind-utils package
  yum: name="{{item}}" state=present
  with_items:
    - bind
    - bind-utils

# Leading zero on mode so it is read as octal and not as decimal 640
- name: Create custom named.conf with desired zone
  template: src=named.conf dest=/etc/named.conf owner=root group=named mode=0640
  notify:
    - restart bind

# One zone file per authoritative zone; the file name is the zone name
# (with its trailing dot) followed by "forward", matching named.conf
- name: Copy zone forward files for all zones to /var/named
  template: src="zone.forward" dest="/var/named/{{item}}forward" owner=root group=named mode=0640
  with_items: "{{ zone_names }}"
  notify:
    - restart bind

- name: Disable IPv6 support
  lineinfile: dest=/etc/sysconfig/named line='OPTIONS="-4"' regexp="^OPTIONS"
  notify:
    - restart bind

- name: Start and enable bind service
  service: name=named state=started enabled=yes


Create templates/named.conf file with the following contents. The options block takes allow-query and allow-recursion from the playbook variables and hides the server's version, hostname and server-id, but two things need attention before it is used on an internet-facing server. It does not set allow-transfer, and on the BIND 9 versions shipped with CentOS 6 the default is to allow zone transfers (AXFR) to anyone who is allowed to query, so the public server would hand out the whole zone unless an allow-transfer restriction (none, or only the secondaries' addresses) is added under options; check this with a dig AXFR of the zone from an outside host. DNSSEC validation is also switched off (dnssec-validation no), so the recursive side accepts unvalidated answers from the forwarders and the internet; the dnssec-lookaside auto line refers to the ISC DLV registry, which has since been shut down and should be dropped on current BIND versions.

acl allow_recurse { 127.0.0.0/8; {{allow_recursion_from}} };

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; {{allow_query_from}} };

        max-cache-size 10M;
        files 10000;
        recursive-clients 100;
        tcp-clients 20;
        tcp-listen-queue 5;
        cleaning-interval 60;
        interface-interval 60;
        rrset-order { order cyclic; };
        edns-udp-size 4096;
        version none;
        hostname none;
        server-id none;

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        allow-recursion { allow_recurse; };

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };

        channel default {
                file "data/default.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel general {
                file "data/general.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel security {
                file "data/security.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel config {
                file "data/config.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel resolver {
                file "data/resolver.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel xfer-in {
                file "data/xfer-in.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel xfer-out {
                file "data/xfer-out.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel client {
                file "data/client.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel unmatched {
                file "data/unmatched.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel network {
                file "data/network.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel queries {
                file "data/queries.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel lame-servers {
                file "data/lame-servers.log" versions 10 size 5M;
                severity dynamic;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        category default {default; };
        category general {general; };
        category security {security; };
        category config {config; };
        category resolver {resolver; };
        category xfer-in {xfer-in; };
        category xfer-out {xfer-out; };
        category client {client; };
        category unmatched {unmatched; };
        category network {network; };
        category queries {queries; };
        category lame-servers {lame-servers; };
};



{% for zone_name1 in zone_names %}

zone "{{zone_name1}}" IN {
   type master;
   file "{{zone_name1}}forward";
};

{% endfor %}

{% for zone_name2 in forward_zones %}

zone "{{zone_name2.zone}}" IN {
   type forward;
   forwarders { {{zone_name2.forwarders}} };
};


{% endfor %}


zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Create templates/zone.forward file with the following contents. Note that the SOA serial is hard-coded to 1: the primary reloads the file on every restart, but a secondary would never see a higher serial and so would never transfer an updated zone, so bump it (or derive it from a variable) if secondaries are added. The SOA MNAME is ns.<zone>, which is not one of the name_servers and has no A record; named loads the zone anyway, but set it to the real primary if dynamic updates are ever used.

$TTL 3600 
@ SOA ns.{{item}} root.{{item}} (1 15m 5m 30d 1h) 
{% for name_server1 in name_servers %}
		IN	NS	{{name_server1}}
{% endfor %}
{% for mail_server1 in mail_servers %}
		IN	MX	{{mail_server1}}
{% endfor %}
		IN	A 	{{zone_address}}

{% for server1 in dns_server_list %}

{{server1.hostname}}	IN	A	{{server1.ip}}

{% endfor %}


The indirectly referenced variables can now be defined in common_vars, in the vars of the named-server role, or as part of vars in the playbook:

#Private DNS related variables
admin_sbarjatiya_private_servers:
  - { hostname: ns1, ip: 10.4.20.151 }
  - { hostname: ca, ip: 10.4.20.150 }
  - { hostname: ns2, ip: 10.4.20.160 }
  - { hostname: smtp, ip: 10.4.20.163 }


#Public DNS related variables
admin_sbarjatiya_public_servers:
  - { hostname: public-ns1, ip: 184.73.229.52 }
  - { hostname: public-ns2, ip: 184.73.229.52 }
  - { hostname: ca, ip: 184.73.229.52 }
  - { hostname: smtp, ip: 184.73.229.52 }
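Since the zone template only renders whatever these lists contain, two mistakes go unnoticed until resolution fails or the zone is published: an NS or MX target without an A record in the list it is rendered with, and intranet addresses copied into the public list (a split-horizon leak). The following added pre-flight lint (not part of the original role) checks both against the playbook variables above; the BROKEN_PUBLIC_VARS variant is constructed to trigger each check.

```python
"""Pre-flight lint for the variables consumed by zone.forward.

Added example, not part of the original role. It checks:
  1. every NS and MX target that lies inside an authoritative zone has an A
     record in the dns_server_list the zone is rendered with;
  2. the public server's list contains no private, loopback or link-local
     addresses (they would be leaked into the internet-facing zone).
"""
import ipaddress

ZONE = "admin.sbarjatiya.com."

# Data from the private playbook and admin_sbarjatiya_private_servers above.
PRIVATE_VARS = {
    "zone_names": [ZONE],
    "zone_address": "10.4.20.170",
    "name_servers": ["ns1.admin.sbarjatiya.com.", "ns2.admin.sbarjatiya.com."],
    "mail_servers": [" 10 smtp.admin.sbarjatiya.com."],
    "dns_server_list": [
        {"hostname": "ns1", "ip": "10.4.20.151"},
        {"hostname": "ca", "ip": "10.4.20.150"},
        {"hostname": "ns2", "ip": "10.4.20.160"},
        {"hostname": "smtp", "ip": "10.4.20.163"},
    ],
}

# Data from the public playbook and admin_sbarjatiya_public_servers above.
PUBLIC_VARS = {
    "zone_names": [ZONE],
    "zone_address": "184.73.229.52",
    "name_servers": ["public-ns1.admin.sbarjatiya.com.", "public-ns2.admin.sbarjatiya.com."],
    "mail_servers": [" 10 smtp.admin.sbarjatiya.com."],
    "dns_server_list": [
        {"hostname": "public-ns1", "ip": "184.73.229.52"},
        {"hostname": "public-ns2", "ip": "184.73.229.52"},
        {"hostname": "ca", "ip": "184.73.229.52"},
        {"hostname": "smtp", "ip": "184.73.229.52"},
    ],
}

# Constructed mistake: public-ns2 dropped from the list and smtp pointed at
# its intranet address, i.e. part of the private mapping copied into the public one.
BROKEN_PUBLIC_VARS = dict(PUBLIC_VARS, dns_server_list=[
    {"hostname": "public-ns1", "ip": "184.73.229.52"},
    {"hostname": "ca", "ip": "184.73.229.52"},
    {"hostname": "smtp", "ip": "10.4.20.163"},
])


def relative_name(fqdn, zone):
    """'ns1.admin.sbarjatiya.com.' -> 'ns1' inside zone, '@' for the apex,
    None for a name outside the zone (which needs no A record in this file)."""
    if fqdn == zone:
        return "@"
    suffix = "." + zone
    if fqdn.endswith(suffix):
        return fqdn[:-len(suffix)]
    return None


def lint_zone_vars(v, public):
    """Return a list of problem strings; empty means the variables are
    consistent for a server of the given kind (public=True for the
    internet-facing server)."""
    problems = []
    a_records = {e["hostname"] for e in v["dns_server_list"]}

    for zone in v["zone_names"]:
        targets = [("NS", ns) for ns in v["name_servers"]]
        for mx in v["mail_servers"]:
            fields = mx.split()   # " 10 smtp.example." -> ["10", "smtp.example."]
            if len(fields) != 2 or not fields[0].isdigit():
                problems.append("MX entry %r is not '<priority> <host>.'" % mx)
                continue
            targets.append(("MX", fields[1]))
        for rtype, target in targets:
            rel = relative_name(target, zone)
            if rel in (None, "@"):   # out of zone, or the apex served by zone_address
                continue
            if rel not in a_records:
                problems.append("%s target %s has no A record in dns_server_list"
                                " for zone %s" % (rtype, target, zone))

    if public:
        addresses = [("zone_address", v["zone_address"])]
        addresses += [(e["hostname"], e["ip"]) for e in v["dns_server_list"]]
        for name, ip in addresses:
            addr = ipaddress.ip_address(ip)
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                problems.append("%s = %s is not internet-routable; the public zone"
                                " would leak it" % (name, ip))
    return problems


if __name__ == "__main__":
    for label, v, pub in (("private", PRIVATE_VARS, False),
                          ("public", PUBLIC_VARS, True),
                          ("broken", BROKEN_PUBLIC_VARS, True)):
        print(label, lint_zone_vars(v, pub) or "ok")
```

Running the lint against the private list with public=True shows the other use of the second check: every address in it is flagged, which is exactly what would be published if the wrong mapping were handed to the public server.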

