Add internal zone and only verify local records, add unbound
parent
96d54ab33d
commit
1455564f0f
|
@ -27,12 +27,16 @@ redxen.eu/gameservers/minecraft/minecraft-rx/${BUILD_ID_OUT}: %/${BUILD_ID_OUT}
|
||||||
redxen.eu/gameservers/minecraft/spigot/${BUILD_ID_OUT}
|
redxen.eu/gameservers/minecraft/spigot/${BUILD_ID_OUT}
|
||||||
|
|
||||||
# DNS
|
# DNS
|
||||||
|
redxen.eu/daemons/unbound/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
||||||
|
%/unbound.conf \
|
||||||
|
redxen.eu/data/dns/${BUILD_ID_OUT}
|
||||||
redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
||||||
%/nsd.conf \
|
%/nsd.conf \
|
||||||
redxen.eu/data/dns/${BUILD_ID_OUT}
|
redxen.eu/data/dns/${BUILD_ID_OUT}
|
||||||
|
|
||||||
redxen.eu/data/dns/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
redxen.eu/data/dns/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
|
||||||
%/redxen.eu \
|
%/redxen.eu \
|
||||||
|
%/internal \
|
||||||
redxen.eu/data/dnssec/${BUILD_ID_OUT} \
|
redxen.eu/data/dnssec/${BUILD_ID_OUT} \
|
||||||
redxen.eu/data/opendkim/${BUILD_ID_OUT}
|
redxen.eu/data/opendkim/${BUILD_ID_OUT}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
FROM alpine:latest
|
||||||
|
|
||||||
|
RUN --network=host apk add \
|
||||||
|
ca-certificates-bundle \
|
||||||
|
dns-root-hints \
|
||||||
|
dnssec-root \
|
||||||
|
unbound
|
||||||
|
|
||||||
|
WORKDIR /etc/redxen/unbound/
|
||||||
|
|
||||||
|
ADD unbound.conf unbound.conf
|
||||||
|
COPY --from=redxen.eu/data/dns:latest /dns-zones/redxen.eu /etc/redxen/bindzone/redxen.eu
|
||||||
|
COPY --from=redxen.eu/data/dns:latest /dns-zones/internal /etc/redxen/bindzone/internal
|
||||||
|
|
||||||
|
RUN unbound-checkconf unbound.conf
|
||||||
|
|
||||||
|
CMD ["unbound", "-d", "-p", "-c", "unbound.conf"]
|
|
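Review bot: The unbound image is not reproducible: `FROM alpine:latest` is untagged, the `apk add` list is unpinned and lacks `--no-cache` (the fetched index stays in the layer), and both `COPY --from=redxen.eu/data/dns:latest` lines take whatever `latest` currently is, while the Makefile hunk above makes this target depend on `redxen.eu/data/dns/${BUILD_ID_OUT}` — unless that build id is also tagged `latest`, the zones copied in can lag the data image the Makefile just built (worth confirming). Pin the base tag, use `apk add --no-cache`, and reference the data image by the same build id the Makefile passes. `ADD unbound.conf unbound.conf` copies a plain local file, so `COPY unbound.conf unbound.conf` is the idiomatic form. No `USER` is set and the accompanying unbound.conf sets no `username:`, so the effective runtime user depends on the packaged default; stating it explicitly in the config makes the privilege drop visible to reviewers.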
@ -0,0 +1,53 @@
|
||||||
|
server:
|
||||||
|
root-hints: /usr/share/dns-root-hints/named.root
|
||||||
|
trust-anchor-file: /usr/share/dnssec-root/trusted-key.key
|
||||||
|
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
|
||||||
|
logfile: ""
|
||||||
|
log-replies: yes
|
||||||
|
|
||||||
|
interface: 0.0.0.0
|
||||||
|
interface: ::0
|
||||||
|
port: 53
|
||||||
|
|
||||||
|
minimal-responses: no
|
||||||
|
extended-statistics: yes
|
||||||
|
rrset-roundrobin: yes
|
||||||
|
cache-min-ttl: 60
|
||||||
|
prefetch: yes
|
||||||
|
prefetch-key: yes
|
||||||
|
harden-glue: yes
|
||||||
|
aggressive-nsec: yes
|
||||||
|
serve-expired: yes
|
||||||
|
serve-expired-ttl: 86400
|
||||||
|
serve-expired-ttl-reset: yes
|
||||||
|
|
||||||
|
access-control: 0.0.0.0/0 refuse_non_local
|
||||||
|
access-control: ::/0 refuse_non_local
|
||||||
|
|
||||||
|
access-control: 127.0.0.0/8 allow
|
||||||
|
access-control: ::1/128 allow
|
||||||
|
|
||||||
|
access-control: 172.22.12.1/24 allow
|
||||||
|
access-control: fd42:42:42::2:1/120 allow
|
||||||
|
|
||||||
|
access-control: 172.24.0.1/24 allow
|
||||||
|
|
||||||
|
remote-control:
|
||||||
|
control-enable: yes
|
||||||
|
control-use-cert: no
|
||||||
|
control-interface: ::1
|
||||||
|
|
||||||
|
auth-zone:
|
||||||
|
name: redxen.eu
|
||||||
|
fallback-enabled: no
|
||||||
|
for-downstream: yes
|
||||||
|
for-upstream: yes
|
||||||
|
zonefile: "/etc/redxen/bindzone/redxen.eu"
|
||||||
|
|
||||||
|
auth-zone:
|
||||||
|
name: internal
|
||||||
|
fallback-enabled: no
|
||||||
|
for-downstream: yes
|
||||||
|
for-upstream: yes
|
||||||
|
zonefile: "/etc/redxen/bindzone/internal"
|
|
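Review bot: The `internal` auth-zone is declared `for-downstream: yes` while `interface: 0.0.0.0` / `::0` and `access-control: 0.0.0.0/0 refuse_non_local` leave the listener open to everyone; `refuse_non_local` still answers local-data and downstream auth-zone queries (verify against the packaged unbound version), so the machine inventory, 10.10.0.x addresses and service ports of the internal zonefile become resolvable by any client that can reach port 53, not only the `allow` networks. Since the same zone is `for-upstream: yes`, setting `for-downstream: no` on the `internal` block keeps it answerable for the allowed networks through the recursive path while other clients get REFUSED. The allow netblocks are written with host bits set (`172.22.12.1/24`, `172.24.0.1/24`, `fd42:42:42::2:1/120`); unbound appears to match on the prefix only, but `172.22.12.0/24`, `172.24.0.0/24` and `fd42:42:42::2:0/120` state the intent unambiguously. `control-use-cert: no` is acceptable only because `control-interface: ::1` is loopback; a comment next to it saying exactly that prevents a later change to a routable interface without re-enabling certificates.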
@ -6,7 +6,13 @@ RUN --network=host apk add \
|
||||||
|
|
||||||
RUN mkdir -p /tmp/zones
|
RUN mkdir -p /tmp/zones
|
||||||
ADD redxen.eu /tmp/zones/redxen.eu
|
ADD redxen.eu /tmp/zones/redxen.eu
|
||||||
RUN sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/redxen.eu
|
ADD internal /tmp/zones/internal
|
||||||
|
RUN for x in redxen.eu internal; do sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/"$x"; done
|
||||||
|
|
||||||
|
# Verify zone after signing
|
||||||
|
RUN named-checkzone -i local internal /tmp/zones/internal
|
||||||
|
|
||||||
|
# DNSSEC zones need more processing
|
||||||
|
|
||||||
# Add keys to zone
|
# Add keys to zone
|
||||||
RUN \
|
RUN \
|
||||||
|
@ -29,7 +35,7 @@ RUN \
|
||||||
/tmp/zones/redxen.eu
|
/tmp/zones/redxen.eu
|
||||||
|
|
||||||
# Verify zone after signing
|
# Verify zone after signing
|
||||||
RUN named-checkzone redxen.eu /tmp/zones/redxen.eu
|
RUN named-checkzone -i local redxen.eu /tmp/zones/redxen.eu
|
||||||
|
|
||||||
# Copy back only signed zone
|
# Copy back only signed zone
|
||||||
FROM scratch
|
FROM scratch
|
||||||
|
|
|
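Review bot: The `# Verify zone after signing` comment added above `RUN named-checkzone -i local internal /tmp/zones/internal` is misleading, because `internal` is never signed — only `redxen.eu` goes through the key/signing `RUN \` block, which starts in this hunk and continues outside it; `# Verify the unsigned internal zone (not DNSSEC-signed)` describes what the step does. `ADD internal /tmp/zones/internal` copies a plain local file, so `COPY internal /tmp/zones/internal` is the idiomatic form (the existing `ADD redxen.eu` line has the same issue). The new sed loop derives the serial from the build date, so two builds on the same day yield identical serials — pre-existing for redxen.eu, but it now applies to `internal` as well; if same-day rebuilds matter, a `YYYYMMDDnn` value passed as a build argument avoids it. In the second hunk, `-i local` on the redxen.eu check skips integrity checks of out-of-zone NS/MX/SRV targets, so a typo in an external target no longer fails the build — presumably intended per the commit title, but worth a one-line comment.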
@ -0,0 +1,81 @@
|
||||||
|
;
|
||||||
|
; .internal zonefile for internal RedXen usage
|
||||||
|
;
|
||||||
|
|
||||||
|
$TTL 120
|
||||||
|
|
||||||
|
@ 86400 IN SOA 12180625.nbg1-dc3.hetzner admin.redxen.eu. CURRENTSOA ( 86400
|
||||||
|
7200
|
||||||
|
3600000
|
||||||
|
3600 )
|
||||||
|
|
||||||
|
; NS records
|
||||||
|
@ 86400 NS @
|
||||||
|
|
||||||
|
@ 86400 A 127.0.0.1
|
||||||
|
86400 AAAA ::1
|
||||||
|
|
||||||
|
; Machines
|
||||||
|
12180623.nbg1-dc3.hetzner 86400 A 10.10.0.2
|
||||||
|
12180621.nbg1-dc3.hetzner 86400 A 10.10.0.3
|
||||||
|
12180625.nbg1-dc3.hetzner 86400 A 10.10.0.4
|
||||||
|
12180710.fsn1-dc14.hetzner 86400 A 10.10.0.5
|
||||||
|
12180711.fsn1-dc14.hetzner 86400 A 10.10.0.6
|
||||||
|
|
||||||
|
; Services
|
||||||
|
node_exporters.prometheus.routinginfo SRV 0 5 7580 12180623.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7580 12180621.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7580 12180625.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7580 12180710.fsn1-dc14.hetzner
|
||||||
|
SRV 0 5 7580 12180711.fsn1-dc14.hetzner
|
||||||
|
SRV 0 5 9100 a89b55b4-e8ba-448a-873c-47278bbc7db1.vultr.redxen.eu.
|
||||||
|
SRV 0 5 9100 izmaylovo.russia.redxen.eu.
|
||||||
|
SRV 0 5 9100 lakewood.united-states.redxen.eu.
|
||||||
|
SRV 0 5 9100 tarui.japan.redxen.eu.
|
||||||
|
SRV 0 5 9100 thetford-mines.canada.redxen.eu.
|
||||||
|
SRV 0 5 9100 magong.taiwan.redxen.eu.
|
||||||
|
SRV 0 5 9100 dongguan.china.redxen.eu.
|
||||||
|
SRV 0 5 9100 san-jorge.argentina.redxen.eu.
|
||||||
|
bird_exporters.prometheus.routinginfo SRV 0 5 9324 a89b55b4-e8ba-448a-873c-47278bbc7db1.vultr.redxen.eu.
|
||||||
|
smartctl_exporters.prometheus.routinginfo SRV 0 5 9633 izmaylovo.russia.redxen.eu.
|
||||||
|
SRV 0 5 9633 tarui.japan.redxen.eu.
|
||||||
|
libvirt.prometheus.routinginfo SRV 0 5 9177 tarui.japan.redxen.eu.
|
||||||
|
SRV 0 5 9177 izmaylovo.russia.redxen.eu.
|
||||||
|
ipmi.prometheus.routinginfo SRV 0 5 9290 tarui.japan.redxen.eu.
|
||||||
|
SRV 0 5 9290 izmaylovo.russia.redxen.eu.
|
||||||
|
unbound.prometheus.routinginfo SRV 0 5 7583 12180623.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7583 12180621.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7583 12180625.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7583 12180710.fsn1-dc14.hetzner
|
||||||
|
SRV 0 5 7583 12180711.fsn1-dc14.hetzner
|
||||||
|
frontends.prometheus.routinginfo SRV 0 5 7581 12180621.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7581 12180711.fsn1-dc14.hetzner
|
||||||
|
postgresql.prometheus.routinginfo SRV 0 5 7582 12180625.nbg1-dc3.hetzner
|
||||||
|
ceph.prometheus.routinginfo SRV 0 5 9283 tarui.japan.redxen.eu.
|
||||||
|
SRV 0 5 9283 izmaylovo.russia.redxen.eu.
|
||||||
|
telegraf.prometheus.routinginfo SRV 0 5 7584 12180623.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7584 12180621.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7584 12180625.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7584 12180710.fsn1-dc14.hetzner
|
||||||
|
SRV 0 5 7584 12180711.fsn1-dc14.hetzner
|
||||||
|
_grafana._tcp.routinginfo SRV 0 5 7577 12180621.nbg1-dc3.hetzner
|
||||||
|
SRV 0 5 7577 12180710.fsn1-dc14.hetzner
|
||||||
|
_gitea._tcp.routinginfo SRV 0 5 7570 12180711.fsn1-dc14.hetzner
|
||||||
|
_gitssh._tcp.routinginfo SRV 0 5 7571 12180711.fsn1-dc14.hetzner
|
||||||
|
_transmission._tcp.routinginfo SRV 0 5 7572 12180710.fsn1-dc14.hetzner
|
||||||
|
_root._tcp.routinginfo SRV 0 5 7575 12180710.fsn1-dc14.hetzner
|
||||||
|
_packages._tcp.routinginfo SRV 0 5 7574 12180710.fsn1-dc14.hetzner
|
||||||
|
_seedown._tcp.routinginfo SRV 0 5 7576 12180710.fsn1-dc14.hetzner
|
||||||
|
_radicale._tcp.routinginfo SRV 0 5 7578 12180710.fsn1-dc14.hetzner
|
||||||
|
_wssproxy._tcp.routinginfo SRV 0 5 7591 12180621.nbg1-dc3.hetzner
|
||||||
|
|
||||||
|
postgresql.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||||
|
redis.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||||
|
loki.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||||
|
prometheus.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||||
|
influxdb.routinginfo CNAME 12180625.nbg1-dc3.hetzner
|
||||||
|
rspamd.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||||
|
opendkim.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||||
|
dovecot.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||||
|
postfix.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
||||||
|
murmur.routinginfo CNAME 12180623.nbg1-dc3.hetzner
|
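Review bot: The zonefile mixes relative and absolute names in a way the header comment does not explain: the SOA MNAME `12180625.nbg1-dc3.hetzner` and the `A` owners carry no trailing dot, so they resolve under the `internal` origin, while `SRV` targets such as `izmaylovo.russia.redxen.eu.` are fully qualified and live in the other zone. A comment such as `; Names without a trailing dot are relative to the internal origin; .redxen.eu. targets are absolute` near `; Machines` would prevent accidental mis-dotting later. `CURRENTSOA` is a build-time placeholder that the sed in the accompanying Dockerfile replaces; say so in the header (`; CURRENTSOA is substituted with a date-based serial at image build time`). The apex `NS @` resolving to `A 127.0.0.1` / `AAAA ::1` only makes sense because unbound serves this zone locally — a one-line comment there stops someone "fixing" it to a real nameserver.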