-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
101 lines (91 loc) · 3.19 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# Defaults variables for role bind
# Note: the zone files will be distributed from a place somewhere that ansible can reach and defined through the {{ filestore }} variable (path where to find the files)
# Which are the zones for which we are authoritative as master or secondary (both can be empty - Default)
# Note : we'll generate a ddns key and you can have primary zones "dynamic" if you set dynamic: True
# For single master node (no AXFR/IXFR needed if for example same zone is distributed from ansible), you can just ignore notify_list
# Example for primary/secondary/forward zones :
# bind_primary_zones:
# - name: myzone.com
# notify_list: # Also used for the allow-transfer
# - 172.29.33.34
# - 192.168.2.2
# - name: dynamic.com
# notify_list:
# - 172.22.1.1
# dynamic: True
# - name: primary_only.com # no secondary, or distributed directly through configmanagement/ansible and not relying on IXFR/AXFR
#
# bind_secondary_zones:
# - name: otherzone.com
# transfer_from: 172.29.33.12
# bind_forward_zones:
# - name: other.sub.zone.com
# forwarders:
# - 172.27.1.1 # where to forward queries specificall
# - 172.27.1.2
bind_primary_zones: []
bind_secondary_zones: []
bind_forward_zones: []
# Open iptables rules for tcp/udp 53 (public dns)
# For Authoritative servers ! if we use allow_recursion, it will be blocked
bind_public: True
# Do we want to allow internal clients to use us as resolver ?
# Please note that it would firewall port 53 for only those values
bind_allow_recursion: False
bind_recursion_acl_list:
- 192.168.122.0/24
- 127.0.0.1
- ::1
# If used as caching/resolver, do we want forwarders ?
bind_use_forwarders: False
bind_forwarders_list:
- 9.9.9.9
- 8.8.8.8
# Do we want a response-policy-zone (RPZ)
# And which A/AAAA records we want to override
# We can also return NXDOMAIN or deny resolving with CNAME for . or rpz-drop.
# see https://www.ietf.org/archive/id/draft-ietf-dnsop-dns-rpz-00.txt
bind_use_rpz: False
bind_rpz_records:
- mirror.centos.org A 192.168.1.1
- mirrorlist.centos.org A 192.168.1.2
# Do we want to use custom 'views' (https://bind9.readthedocs.io/en/latest/reference.html#view-statement-grammar)
# IF set to True, it will have to come with a list and bind_primary_zones and secondary will be declared here (ignored elsewhere
#
bind_use_views: False
bind_views:
- name: internal
clients:
- 192.168.122.0/24
zones:
- name: domain.com
file: domain.com.internal
type: primary
notify_list:
- 192.168.1.1
- name: domain.org
type: slave
transfer_from: 192.168.1.2
rpz_entries:
- mirror.centos.org A 192.168.122.10
- name: internal2
clients:
- 172.24.5.0/24
zones:
- name: domain.com
file: domain.com.internal2
type: primary
notify_list:
- 192.168.1.1
- name: 5.24.172.in-addr.arpa
file: 5.24.172.in-addr.arpa
type: primary
notify_list:
- 192.168.1.1
rpz_entries:
- mirror.centos.org A 172.24.5.1
# Zabbix/monitoring
bind_zabbix_templates:
- Template CentOS DNS server
bind_zabbix_groups:
- CentOS DNS servers (bind)