Added role misc/dnsmasq as dnssec resolver

4 years ago · e09fb25104
parent fbf20622b0
commit e09fb25104
8 changed files with 80 additions and 0 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -65,6 +65,15 @@ global_apt_sources_directory: "/etc/apt/sources.list.d"
 global_bind_configuration_directory: "/etc/bind"
 global_dns_zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones"

+global_dns_upstream_servers:
+  - "9.9.9.11"
+  - "149.112.112.11"
+  - "2620:fe::11"
+  - "2620:fe::fe:11"
+
+global_dnsmasq_configuration_file: "/etc/dnsmasq.conf"
+global_dnsmasq_configuration_directory: "/etc/dnsmasq.d"
+
 global_ip_discover_url: "https://keys.banananet.work/ping"
 global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discover/register_pass chars=digits,ascii_letters length=256') }}"

@ -75,6 +84,8 @@ global_nfs_directory: "{{ global_webservers_directory }}/nfs"

 global_pamd: "/etc/pam.d"

+global_resolv_conf: "/etc/resolv.conf"
+
 global_ssh_configuration_directory: "/etc/ssh/"
 global_ssh_configuration_environment_directory: "{{ global_configuration_environment_directory }}/ssh"
 global_ssh_configuration_link_name: "config"
--- a/group_vars/bwcloud_vserver.yml
+++ b/group_vars/bwcloud_vserver.yml
@ -3,3 +3,8 @@
 bootstrap_user: "debian"

 mysql_query_cache_size: 1G
+
+# Currently disabled because upstream servers do not support forwarding DNSSEC related records
+#global_dns_upstream_servers:
+#  - 129.143.2.1
+#  - 129.143.2.4
--- a/group_vars/contabo_vserver.yml
+++ b/group_vars/contabo_vserver.yml
@ -1 +1,5 @@
 ---
+
+global_dns_upstream_servers:
+  - 213.136.95.10
+  - 213.136.95.11
--- a/roles/misc/dnsmasq/defaults/main.yml
+++ b/roles/misc/dnsmasq/defaults/main.yml
@ -0,0 +1,5 @@
+---
+
+listen_address: "127.0.0.53" # Needs to be an address of the loopback device
+
+cache_size: 10000
--- a/roles/misc/dnsmasq/handlers/main.yml
+++ b/roles/misc/dnsmasq/handlers/main.yml
@ -0,0 +1,7 @@
+---
+
+- name: restart dnsmasq
+  systemd:
+    state: restarted
+    name: dnsmasq.service
+    enabled: yes
--- a/roles/misc/dnsmasq/tasks/main.yml
+++ b/roles/misc/dnsmasq/tasks/main.yml
@ -0,0 +1,28 @@
+---
+
+- name: Install required packages
+  apt:
+    state: present
+    name:
+      - dnsmasq
+
+- name: Configure dnsmasq
+  template:
+    src: dnsmasq.conf
+    dest: "{{ global_dnsmasq_configuration_directory }}/0_main.conf"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+    validate: "/usr/sbin/dnsmasq --test --conf-file=%s"
+  notify: restart dnsmasq
+
+- meta: flush_handlers
+
+- name: Configure system to use dnsmasq
+  template:
+    src: resolv.conf
+    dest: "{{ global_resolv_conf }}"
+    owner: root
+    group: root
+    mode: u=r,g=r,o=r
+    attributes: +i # immutable, may will let this task failing
--- a/roles/misc/dnsmasq/templates/dnsmasq.conf
+++ b/roles/misc/dnsmasq/templates/dnsmasq.conf
@ -0,0 +1,18 @@
+# Bind only on loopback interface
+bind-interfaces
+interface=lo
+listen-address={{ listen_address }}
+# Supress resolv.conf
+no-resolv
+no-poll
+# Upstream dns servers
+{% for ip in global_dns_upstream_servers %}
+server={{ ip }}
+{% endfor %}
+# Enable caching
+cache-size={{ cache_size }}
+# Require full domains to be forwarded
+domain-needed
+# Verify dnssec values
+dnssec
+dnssec-check-unsigned
--- a/roles/misc/dnsmasq/templates/resolv.conf
+++ b/roles/misc/dnsmasq/templates/resolv.conf
@ -0,0 +1,2 @@
+# resolv.conf generated by Ansible to local dnsmasq
+nameserver {{ listen_address }}