Ansible Role bind
This role installs and configures bind as a DNS server, either as a primary or secondary.
Mandatory Role Variables
Variable |
Description |
|---|---|
|
List of networks from which DNS queries are allowed. Results in the |
|
List of dictionaries defining the zone files with the DNS records. Subkeys:
|
Example:
# mandatory
bind__trusted_networks:
- 'any'
bind__zones:
- name: 'example.com'
file: 'forward.zone'
raw: |-
$TTL 1H
@ IN SOA dns-server.example.com. root@example.com. (
2022042501 ; <SERNO>
1H ; <TIME-TO-REFRESH>
1H ; <TIME-TO-RETRY>
1W ; <TIME-TO-EXPIRE>
1D ) ; <minimum-TTL>
@ IN NS dns-server.example.com.
_ldap._tcp IN SRV 10 10 389 dns-server.example.com.
dns-server IN A 192.0.2.2
- name: '2.0.192.in-addr.arpa'
file: 'reverse.zone'
raw: |-
$TTL 1H
@ IN SOA dns-server.example.com. info@example.com. (
2022042501 ; <SERNO>
1H ; <TIME-TO-REFRESH>
1H ; <TIME-TO-RETRY>
1W ; <TIME-TO-EXPIRE>
1D ) ; <minimum-TTL>
@ IN NS dns-server.example.com.
2 IN PTR dns-server.example.com.
Optional Role Variables
Variable |
Description |
Default Value |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
unset |
|
|
String. Directory where Squid should leave coredumps. |
|
|
List of additional access control list rules. |
|
|
List of socket addresses where Squid will listen for HTTP client requests. |
|
|
Multiline string. Raw content which will be appended to the end of |
unset |
|
List of refresh patterns. |
|
|
Boolean. Enables or disables the squid service, analogous to |
|
Example:
# optional
bind__allow_new_zones: true
bind__allow_query_cache:
- 'none'
bind__allow_recursion:
- 'none'
bind__allow_transfer:
- '192.0.2.0/24'
bind__forwarders:
- '1.0.0.1'
- '1.1.1.1'
bind__keys:
- name: 'rndc-key-192.0.2.3'
algorithm: 'hmac-sha256'
secret: 'linuxfabrik'
bind__listen_on_addresses:
- '192.0.2.2/32'
bind__named_conf_raw: |-
include "/etc/rndc.key";
controls {
inet * port 953 allow { localhost; 192.0.2.3; 127.0.0.1; } keys { "rndc-key"; "rndc-key-192.0.2.3"; };
};
bind__named_service_enabled: true
bind__recursion: false
bind__rpz_zone: 'rpz'
bind__zones:
# make use of the bind__rpz_zone
- name: '{{ bind__rpz_zone }}'
file: '{{ bind__rpz_zone }}.zone'
raw: |-
$TTL 1H
@ IN SOA 001-p-infra01.example.com. info@example.com. (
2022101801 ; <SERNO>
1H ; <TIME-TO-REFRESH>
1H ; <TIME-TO-RETRY>
1W ; <TIME-TO-EXPIRE>
1D ) ; <minimum-TTL>
@ IN NS 001-p-infra01.example.com.
internal-website.example.com A 192.0.2.3
bind__listen_ipv6: true
Primary-Secondary Example
With this configuration the primary actively notifies the secondary for any zone changes (i.e. changes to the serial).
The secondary actively checks the serial for changes every 1 hour (TIME-TO-REFRESH).
The secondary caches the zone file locally, and uses the cached version during startup.
Note: BIND 9.11 (RHEL8) does not yet support primary and secondary, use master and slave instead.
Primary:
# either set `bind__allow_transfer` for all zones, or the `allow_transfer` subkey per zone to allow access
bind__allow_transfer:
- '192.0.2.0/24'
bind__zones:
- name: 'example.com'
file: 'forward.zone'
type: 'master'
raw: |-
$TTL 1H
@ IN SOA primary.example.com. root@example.com. (
2024082801 ; <SERNO>
1H ; <TIME-TO-REFRESH>
1H ; <TIME-TO-RETRY>
1W ; <TIME-TO-EXPIRE>
1D ) ; <minimum-TTL>
@ IN NS primary.example.com.
@ IN NS secondary.example.com.
primary IN A 192.0.2.2
secondary IN A 192.0.2.3
- name: '2.0.192.in-addr.arpa'
file: 'reverse.zone'
type: 'master'
# more specific than `bind__allow_transfer`, takes priority
allow_transfer:
- '192.0.2.3/32'
raw: |-
$TTL 1H
@ IN SOA primary.example.com. root@example.com. (
2024082801 ; <SERNO>
1H ; <TIME-TO-REFRESH>
1H ; <TIME-TO-RETRY>
1W ; <TIME-TO-EXPIRE>
1D ) ; <minimum-TTL>
@ IN NS primary.example.com.
@ IN NS secondary.example.com.
2 IN PTR primary.example.com.
3 IN PTR secondary.example.com.
Secondary:
bind__zones:
- name: 'example.com'
file: 'forward.zone'
type: 'master'
masters:
- '192.0.2.2'
- name: '2.0.192.in-addr.arpa'
file: 'reverse.zone'
type: 'slave'
masters:
- '192.0.2.2'