Ansible Role: BIND

Installs and configures a BIND9 DNS service on Fedora/CentOS/RHEL 7/8 and Debian/Ubuntu targets as an authoritative name server for one or more domains (master and/or slave), with customized forward and reverse zones.

Requirements

No special requirements; note that this role requires root access, so either run it in a playbook with a global become: yes, or invoke the role in your playbook like:

- hosts: dns
  roles:
    - role: lucab85.ansible_role_bind
      become: yes

Role Variables

Available variables are listed along with default values in defaults/main.yml file.

Main configuration

All the settings in bind_main_config_settings are applied to the main configuration file, /etc/named.conf on Fedora/CentOS/RHEL or /etc/bind/named.conf on Debian/Ubuntu (platform specific). All the settings in bind_main_options_settings are applied to the same file inside the options { } block. Example:

bind_main_options_settings:
  - option: listen-on port
    value: '53 { 127.0.0.1; 10.0.1.1; };'
  - option: allow-query
    value: '{ trusted; };'
  - option: forwarders
    value: '{ 8.8.8.8; 8.8.4.4; };'
  - option: listen-on-v6
    value: '{ any; };'
  - option: dnssec-validation
    value: 'auto;'

Please note that in this example 10.0.1.1 is the IPv4 address of the target machine; adapt it as you need.

bind_main_config_settings:
  - option: acl "trusted"
    value: '{ 10.0.1.1; 10.0.1.2; };'

In this example an ACL named trusted is defined with two IPv4 addresses, which can then be referenced in policy statements such as allow-query; adapt it as you need.

Example output: /etc/named.conf

#
# Ansible managed: Do NOT edit this file manually!
#
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 10.0.1.1; };
    allow-query { trusted; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    listen-on-v6 { any; };
    dnssec-validation auto;
};
acl "trusted" { 10.0.1.1; 10.0.1.2; };
include "/etc/named/named.conf.local";
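As an added example (not part of the role), the following Python reproduces how the bind_main_options_settings list above becomes the options block, and lints that block for the exposure mistakes a reviewer checks first: an unrestricted allow-query, recursion reachable by any client, and disabled DNSSEC validation. The settings list is a constructed copy of the README example; the lint rules follow BIND's documented defaults.

```python
"""Render bind_main_options_settings into the options { } block and lint it for exposure risks.
Added example, not part of the role; the settings list is the README's example."""

# Constructed copy of the README's bind_main_options_settings example.
BIND_MAIN_OPTIONS_SETTINGS = [
    {"option": "listen-on port", "value": "53 { 127.0.0.1; 10.0.1.1; };"},
    {"option": "allow-query", "value": "{ trusted; };"},
    {"option": "forwarders", "value": "{ 8.8.8.8; 8.8.4.4; };"},
    {"option": "listen-on-v6", "value": "{ any; };"},
    {"option": "dnssec-validation", "value": "auto;"},
]

def render_options(settings, directory="/var/named"):
    """Produce the options block in the shape of the README's /etc/named.conf output."""
    body = [f"    {e['option']} {e['value']}" for e in settings]
    return "\n".join(["options {", f'    directory "{directory}";', *body, "};"])

def _members(value):
    """'{ trusted; 10.0.1.1; };' -> {'trusted', '10.0.1.1'}; a bare 'no;' -> {'no'}."""
    if "{" in value:
        value = value.split("{", 1)[1].rsplit("}", 1)[0]
    return {tok.strip() for tok in value.split(";") if tok.strip()}

def lint_options(settings):
    """Findings a reviewer would raise before deploying this options block.
    Rules follow BIND semantics: recursion defaults to yes, and when allow-recursion
    (and allow-query-cache) are unset the recursion ACL falls back to allow-query,
    so an unrestricted allow-query on a recursing server exposes an open resolver."""
    opts = {e["option"]: e["value"] for e in settings}
    findings = []
    query = _members(opts.get("allow-query", ""))
    recursion_on = _members(opts.get("recursion", "yes;")) != {"no"}
    recursion_acl = _members(opts.get("allow-recursion", "")) or query
    if "any" in query:
        findings.append("allow-query is unrestricted ({ any; })")
    if recursion_on and "any" in recursion_acl:
        findings.append("open resolver: recursion is allowed for any client")
    if "no" in _members(opts.get("dnssec-validation", "")):
        findings.append("dnssec-validation is disabled")
    return findings

if __name__ == "__main__":
    print(render_options(BIND_MAIN_OPTIONS_SETTINGS))
    print(lint_options(BIND_MAIN_OPTIONS_SETTINGS))  # [] for the README example
```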

Zone configuration

The zone settings are defined in bind_zones_entries and rendered by the zone definition template zone.j2. The resulting zone definitions are written to the auxiliary configuration file /etc/named/named.conf.local on Fedora/CentOS/RHEL and Debian/Ubuntu (platform specific). The zone records are stored in /var/named/<file> (e.g. /var/named/example.com.zone) on Fedora/CentOS/RHEL or /var/lib/bind/<file> on Debian/Ubuntu (platform specific), where <file> is the zone's file value.

Example:

bind_zones_entries:
  - name: "example.com"
    file: "example.com.zone"
    type: "master"
    options: "allow-update { none; };"
    ttl: 86400
    records:
     - name: "@"
       type: "SOA"
       value: "dns1.example.com. hostmaster.example.com. (2001062501 21600 3600 604800 86400)"
     - name: "@"
       type: "NS"
       value: "dns1.example.com."
     - name: "@"
       type: "NS"
       value: "dns2.example.com."
     - name: "dns1"
       type: "A"
       value: "10.0.1.1"
     - name: "dns2"
     [...]

Example local output: /etc/named/named.conf.local

#
# Ansible managed: Do NOT edit this file manually!
#
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };
};
zone "1.0.10.in-addr.arpa" IN {
    type master;
    file "example.com.rr.zone";
    allow-update { none; };
};

Example output: /var/named/example.com.zone

$ORIGIN example.com.
$TTL 86400;
@  IN  SOA dns1.example.com. hostmaster.example.com. (2001062501 21600 3600 604800 86400)
@  IN  NS dns1.example.com.
@  IN  NS dns2.example.com.
dns1  IN  A 10.0.1.1
dns2  IN  A 10.0.1.2
@  IN  MX 10 mail1.example.com.
@  IN  MX 20 mail2.example.com.
mail1  IN  A 10.0.1.5
mail2  IN  A 10.0.1.6
services  IN  A 10.0.1.10
services  IN  A 10.0.1.11
ftp  IN  CNAME services.example.com.
wwww  IN  CNAME services.example.com.

Reverse Zone configuration

A reverse zone is configured in the same way as the forward zone above.

Example:

- name: "1.0.10.in-addr.arpa"
  file: "example.com.rr.zone"
  type: "master"
  options: "allow-update { none; };"
  ttl: 86400
  records:
   - name: "@"
     type: "SOA"
     value: "dns1.example.com. hostmaster.example.com. (2001062501 21600 3600 604800 86400)"
   - name: "@"
     type: "NS"
     value: "dns1.example.com."
   - name: "@"
     type: "NS"
     value: "dns2.example.com."
   - name: "1"
     type: "PTR"
     value: "dns1.example.com."
     [...]

Example output: /var/named/example.com.rr.zone

$ORIGIN 1.0.10.in-addr.arpa.
$TTL 86400;
@  IN  SOA dns1.example.com. hostmaster.example.com. (2001062501 21600 3600 604800 86400)
@  IN  NS dns1.example.com.
@  IN  NS dns2.example.com.
@  IN  NS dns1.example.com.
1  IN  PTR dns1.example.com.
2  IN  PTR dns2.example.com.
5  IN  PTR mail1.example.com.
6  IN  PTR mail2.example.com.
10  IN  PTR services.example.com.
11  IN  PTR services.example.com.

Refer to BIND documentation for specific record definition.
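As an added example covering both the zone and reverse zone sections (not part of the role), the following Python renders a bind_zones_entries item into the zone-file layout shown above and cross-checks the forward and reverse zones: every A record must have a PTR at its in-addr.arpa name pointing back to the same host, and no PTR may name a host missing from the forward zone. The FORWARD and REVERSE structures are constructed from the README examples (CNAME and MX records omitted for brevity).

```python
"""Render bind_zones_entries into zone-file text and cross-check forward and reverse zones.
Added example, not part of the role; record lists are constructed from the README's examples."""
import ipaddress

def rec(name, rtype, value):
    return {"name": name, "type": rtype, "value": value}

SOA = "dns1.example.com. hostmaster.example.com. (2001062501 21600 3600 604800 86400)"
FORWARD = {"name": "example.com", "file": "example.com.zone", "type": "master",
           "options": "allow-update { none; };", "ttl": 86400, "records": [
               rec("@", "SOA", SOA), rec("@", "NS", "dns1.example.com."), rec("@", "NS", "dns2.example.com."),
               rec("dns1", "A", "10.0.1.1"), rec("dns2", "A", "10.0.1.2"),
               rec("mail1", "A", "10.0.1.5"), rec("mail2", "A", "10.0.1.6"),
               rec("services", "A", "10.0.1.10"), rec("services", "A", "10.0.1.11")]}
REVERSE = {"name": "1.0.10.in-addr.arpa", "file": "example.com.rr.zone", "type": "master",
           "options": "allow-update { none; };", "ttl": 86400, "records": [
               rec("@", "SOA", SOA), rec("@", "NS", "dns1.example.com."), rec("@", "NS", "dns2.example.com."),
               rec("1", "PTR", "dns1.example.com."), rec("2", "PTR", "dns2.example.com."),
               rec("5", "PTR", "mail1.example.com."), rec("6", "PTR", "mail2.example.com."),
               rec("10", "PTR", "services.example.com."), rec("11", "PTR", "services.example.com.")]}

def render_zone(entry):
    """The zone file in the layout the README shows: $ORIGIN, $TTL, one record per line."""
    lines = [f"$ORIGIN {entry['name']}.", f"$TTL {entry['ttl']};"]
    lines += [f"{r['name']}  IN  {r['type']} {r['value']}" for r in entry["records"]]
    return "\n".join(lines) + "\n"

def _fqdn(label, origin):
    return f"{origin}." if label == "@" else f"{label}.{origin}."

def check_reverse(forward, reverse):
    """Every A record needs a PTR at its in-addr.arpa name pointing back to the same host,
    and every PTR should name a host that still exists in the forward zone."""
    a_pairs = {(_fqdn(r["name"], forward["name"]), r["value"])
               for r in forward["records"] if r["type"] == "A"}
    ptrs = {_fqdn(r["name"], reverse["name"]): r["value"]
            for r in reverse["records"] if r["type"] == "PTR"}
    missing = sorted(f"{host} {ip}" for host, ip in a_pairs
                     if ptrs.get(ipaddress.ip_address(ip).reverse_pointer + ".") != host)
    hosts = {host for host, _ in a_pairs}
    dangling = sorted(name for name, host in ptrs.items() if host not in hosts)
    return missing, dangling

if __name__ == "__main__":
    print(render_zone(FORWARD), end="")
    print(check_reverse(FORWARD, REVERSE))  # ([], []) for the README data
```

Running the check against the two README zones reports nothing; removing a PTR or adding one for a host that no longer exists in the forward zone is reported by name, which is the drift that lets stale reverse records point at reused addresses.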

Dependencies

None.

Example Playbook

- hosts: dns
  become: yes
  vars_files:
    - vars/main.yml
  roles:
    - lucab85.ansible_role_bind

Customize variables in vars/main.yml:

bind_zones_entries:
  - name: "example.com"
    file: "example.com.zone"
    type: "master"
    options: "allow-update { none; };"
    ttl: 86400
    records:
     - name: "@"
       type: "SOA"
       value: "dns1.example.com. hostmaster.example.com. (2001062501 21600 3600 604800 86400)"
     - name: "@"
       type: "NS"
       value: "dns1.example.com."
     - name: "@"
       type: "NS"
       value: "dns2.example.com."
     - name: "dns1"
       type: "A"
       value: "10.0.1.1"
     - name: "dns2"
     [...]

License

MIT / BSD

Author Information

This role was created in 2021 by Luca Berton, author of Ansible Pilot.
