|
|
5aab14 |
# CentOS DNS authoritative and resolvers setup
|
|
|
5aab14 |
|
|
|
5aab14 |
## Public DNS setup
|
|
|
5aab14 |
|
|
|
5aab14 |
### Bind authoritative servers
|
|
|
5aab14 |
|
|
|
e5d196 |
We use [Bind](https://www.isc.org/bind/) as main DNS authoritative solution.
|
|
|
e5d196 |
For the `public` zones, we simply use the traditional primary/secondary setup, where primary zone is updated and then secondary servers are notified and so issue a IXFR/AXFR transfer to get latest zone content (and have same SOA)
|
|
|
e5d196 |
|
|
|
e5d196 |
The way we configure DNS zones is easy :
|
|
|
e5d196 |
|
|
|
e5d196 |
* update static zone (if needed, see below) in the `filestore/bind` directory , managed as a git repository, based on the environment)
|
|
|
e5d196 |
* play the [bind](https://github.com/centos/ansible-role-bind) ansible role either on trigger or just wait for automatic role to be applied (see the Ansible section for the setup)
|
|
|
e5d196 |
|
|
|
e5d196 |
We have also some delegated zones that are either still served by bind, or PowerDNS (see below)
|
|
|
e5d196 |
|
|
|
5aab14 |
#### Static zones
|
|
|
5aab14 |
|
|
|
e5d196 |
As described above, to add/delete/modify a DNS record in the static zone, one has just to :
|
|
|
e5d196 |
|
|
|
e5d196 |
* update SOA in `zone` file
|
|
|
e5d196 |
* update/add/delete record
|
|
|
e5d196 |
* commit/push to git (in the `filestore` git repository, depending on the inventory)
|
|
|
e5d196 |
* trigger ansible
|
|
|
e5d196 |
|
|
|
e5d196 |
List of zones served through static files (public zones):
|
|
|
e5d196 |
|
|
|
e5d196 |
* centos.org
|
|
|
e5d196 |
* ocp.centos.org
|
|
|
e5d196 |
* ocp.ci.centos.org
|
|
|
e5d196 |
* ocp.stg.ci.centos.org
|
|
|
e5d196 |
* centosproject.org
|
|
|
e5d196 |
|
|
|
e5d196 |
##### Specific records
|
|
|
e5d196 |
|
|
|
e5d196 |
`CAA` records: used to publicly announce which valid CA can sign our certificates for our zones :
|
|
|
e5d196 |
|
|
|
e5d196 |
```bash
|
|
|
e5d196 |
dig @ns1.centos.org -t CAA centos.org +short
|
|
|
e5d196 |
0 issue "amazon.com"
|
|
|
e5d196 |
0 issuewild "letsencrypt.org"
|
|
|
e5d196 |
0 issue "letsencrypt.org"
|
|
|
e5d196 |
0 issuewild "digicert.com"
|
|
|
e5d196 |
0 issue "digicert.com"
|
|
|
e5d196 |
|
|
|
e5d196 |
```
|
|
|
e5d196 |
|
|
|
e5d196 |
`TXT / SPF` records: used for [Sender Policy Framework](https://en.wikipedia.org/wiki/Sender_Policy_Framework) and restrict from which IP block/host one can send mail originating from @centos.org domain
|
|
|
e5d196 |
|
|
|
e5d196 |
`TXT` for kerberos : we have a pointer to announce that one can use FEDORAPROJECT for kerberos ticket
|
|
|
e5d196 |
|
|
|
e5d196 |
```
|
|
|
e5d196 |
dig @ns1.centos.org -t TXT _kerberos.centos.org +short
|
|
|
e5d196 |
"FEDORAPROJECT.ORG"
|
|
|
e5d196 |
```
|
|
|
e5d196 |
|
|
|
e5d196 |
`CNAME` : simple aliases for other A/AAAA records
|
|
|
e5d196 |
|
|
|
e5d196 |
`CNAME` for TLS/ACME dns challenge : we use some `static` CNAME pointing to equivalent record in `dynamic` zone (see below)
|
|
|
e5d196 |
|
|
|
e5d196 |
`NS` records : for the zones that we delegate to other authoritative servers, like for example (but not limited to) `mirror.centos.org` , served by PowerDNS/GeoIP (see also below)
|
|
|
e5d196 |
|
|
|
5aab14 |
#### Dynamic zones
|
|
|
5aab14 |
|
|
|
e5d196 |
We also have a specific `acme.centos.org` zone, that is only use for one specific purpose : creating on the fly TXT records that will be used by LetsEncrypt/ACME for DNS challenge.
|
|
|
e5d196 |
For this we use [acme.sh](https://github.com/Neilpang/acme.sh) tool that will do that automatically for us : it will use nsupdate with specific allowed key to create dynamically the needed record that ACME server will verify to validate and then sign the CSR.
|
|
|
e5d196 |
|
|
|
6d98f4 |
See [TLS section](../security/tls.md#how-to-obtain-new-cert-dns-challenge-is-the-preferred-way) on how to use it.
|
|
|
e5d196 |
|
|
|
e5d196 |
Some pointers:
|
|
|
e5d196 |
|
|
|
e5d196 |
* [https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert)
|
|
|
e5d196 |
* [https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
|
|
|
e5d196 |
|
|
|
e5d196 |
|
|
|
5aab14 |
### PowerDNS servers (GeoIP)
|
|
|
5aab14 |
|
|
|
e5d196 |
For some specific records, like `mirror.centos.org`, or `vault.centos.org` (and others) , we wanted to use something else than simple Round-Robin logic into Bind zone file.
|
|
|
e5d196 |
The idea was to optimize where to redirect based on GeoIP/country information, and so use nearest server for that role.
|
|
|
e5d196 |
|
|
|
e5d196 |
[PowerDNS](https://www.powerdns.com) is a really good authoritative solution that also permits you to inject your own [Pipe backend](https://doc.powerdns.com/md/authoritative/backend-pipe/) , meaning that we were able to have our own logic based on our requirements.
|
|
|
e5d196 |
|
|
|
e5d196 |
See our [pdns-custom-geoip-backend](https://github.com/CentOS/pdns-custom-geoip-backend) git repository that contains the simple code used for that and corresponding [pdns-pipe](https://github.com/CentOS/ansible-role-pdns-pipe) ansible role used to automatically deploy it.
|
|
|
e5d196 |
|
|
|
e5d196 |
Workflow for the `dynamic` backend :
|
|
|
e5d196 |
|
|
|
e5d196 |
* we have a central `nodes.db` sqlite3 DB that is where we use a specific schema to enter fqdn, ipv4/ipv6 address[es], region, continent, country, and if node is active or not (see `/var/lib/centos-infra/nodes.db`)
|
|
|
e5d196 |
* if we have to add/modify/remove a node we just do it in that sqlite DB
|
|
|
e5d196 |
* we then regenerate a .json file parsing DB and sorting in correct format that can be consummed by powerdns pipe backend (call the `/var/lib/centos-infra/gen_backend` script), that will also encrypt .json with gpg
|
|
|
e5d196 |
* delegated powerdns nodes will detect changes, decrypt files, and reload it in memory automatically
|
|
|
e5d196 |
|
|
|
e5d196 |
Worth knowing that for existing setup, and when we want to put a machine out of the pool, or add it back, we have a simple ansible adhoc-task (using prompt vars) that can be used for this : `adhoc-node-pdns-modify.yml` :
|
|
|
e5d196 |
|
|
|
e5d196 |
```
|
|
|
e5d196 |
ansible-playbook-prod playbooks/adhoc-node-pdns-modify.yml
|
|
|
e5d196 |
Host to modify in PowerDNS ? => : centosq7.centos.org
|
|
|
e5d196 |
Action (enable|disable) ? => : enable
|
|
|
e5d196 |
|
|
|
e5d196 |
PLAY [centosq7.centos.org] ********************************************************************************************
|
|
|
e5d196 |
|
|
|
e5d196 |
TASK [Enable/Disable msync node in PowerDNS geoip backend] ************************************************************
|
|
|
e5d196 |
Friday 25 June 2021 14:46:44 +0200 (0:00:07.333) 0:00:07.333 ***********
|
|
|
e5d196 |
changed: [centosq7.centos.org]
|
|
|
e5d196 |
|
|
|
e5d196 |
PLAY RECAP ************************************************************************************************************
|
|
|
e5d196 |
centosq7.centos.org : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
|
|
|
e5d196 |
|
|
|
e5d196 |
Friday 25 June 2021 14:46:51 +0200 (0:00:06.806) 0:00:14.140 ***********
|
|
|
e5d196 |
===============================================================================
|
|
|
e5d196 |
Enable/Disable msync node in PowerDNS geoip backend ------------------------------------------------------------ 6.81s
|
|
|
e5d196 |
Playbook run took 0 days, 0 hours, 0 minutes, 14 seconds
|
|
|
e5d196 |
|
|
|
e5d196 |
```
|
|
|
e5d196 |
|
|
|
e5d196 |
|
|
|
5aab14 |
## Internal DNS setup
|
|
|
5aab14 |
|
|
|
5aab14 |
### Bind authoritative and resolvers
|
|
|
5aab14 |
|
|
|
e5d196 |
For DCs that we control (Red Hat ones) and for which we have internal zone/subnet and so different set of `internal` IPs, we also use Bind, but with other features added in our Ansible role, like allow recursion (specific ACL to let internal subnet uses bind both as authoritative *and* resolver)
|
|
|
e5d196 |
|
|
|
e5d196 |
The procedure to update a zone is identical to the one described for public zone, but surely coming from a different ansible inventory and so different `filestore` git repo (tied to that inventory/env)
|
|
|
e5d196 |
|
|
|
e5d196 |
Worth knowing that we (ab)use some specific feature like Response Policy Zones [RPZ](https://www.isc.org/rpz/) : that permits us to , while still internally, answers automatically and redirect known `external` records (like mirrorlist.centos.org) to an internal IP and so not query the `public` authoritative servers.
|
|
|
e5d196 |
|
|
|
e5d196 |
All that is supported by our [bind](https://github.com/centos/ansible-role-bind) Ansible role, so consider reading defaults/main.yml to see how that works, or have access in ansible inventory/filestore for real examples.
|
|
|
e5d196 |
|
|
|
e5d196 |
|
|
|
5aab14 |
### Unbound resolvers
|
|
|
e5d196 |
|
|
|
e5d196 |
In some specific subnets/environments we also use [Unbound](https://www.nlnetlabs.nl/projects/unbound/about/) which is a also a really lightweight/fast resolver, that supports plenty of features.
|
|
|
e5d196 |
|
|
|
e5d196 |
While not technically called RPZ, Unbound let you define some records, and forward other queries to other resolvers (forwarders).
|
|
|
e5d196 |
|
|
|
e5d196 |
Our [unbound](https://github.com/CentOS/ansible-role-unbound) ansible role supports such features, like :
|
|
|
e5d196 |
|
|
|
e5d196 |
* control ACL (for recursion)
|
|
|
e5d196 |
* override some specific records through ansible list
|
|
|
e5d196 |
* also parse *automatically* an ansible group itself to generate dynamically a kind of internal zone.
|
|
|
e5d196 |
|
|
|
e5d196 |
That last feature is the one we use (through `unbound_local_groups`) for the `internal` rdu2.centos.org zone, as when we'll add a new machine, and ip defined for the host/VM, unbound will automatically add it into computed file used by unbound.
|
|
|
e5d196 |
|
|
|
e5d196 |
|
|
|
e5d196 |
|