From 786724ae8d252a829f44b50cf9fcd2a48a377cbe Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Sat, 6 May 2023 11:53:26 -0500
Subject: [PATCH] Replaced coredns with Bind.

---
 config-parts/container.sh | 60 +++++++++------
 config-parts/service-dhcp_server.sh | 3 -
 config-parts/system-static_host_mapping.sh | 40 ----------
 containers/.gitignore | 2 +-
 containers/{coredns => bind}/.gitignore | 9 +--
 containers/bind/config/named.conf | 73 +++++++++++++++++++
 .../bind/config/zones/db.1.10.in-addr.arpa | 36 +++++++++
 containers/bind/config/zones/db.hsn.dev | 23 ++++++
 containers/bind/config/zones/db.jahanson.tech | 41 +++++++++++
 containers/bind/config/zones/db.unifi | 19 +++++
 containers/coredns/config/Corefile | 60 --------------
 containers/dnsdist/config/dnsdist.conf | 56 +++++++-------
 12 files changed, 264 insertions(+), 158 deletions(-)
 delete mode 100644 config-parts/system-static_host_mapping.sh
 rename containers/{coredns => bind}/.gitignore (50%)
 create mode 100644 containers/bind/config/named.conf
 create mode 100644 containers/bind/config/zones/db.1.10.in-addr.arpa
 create mode 100644 containers/bind/config/zones/db.hsn.dev
 create mode 100644 containers/bind/config/zones/db.jahanson.tech
 create mode 100644 containers/bind/config/zones/db.unifi
 delete mode 100644 containers/coredns/config/Corefile

diff --git a/config-parts/container.sh b/config-parts/container.sh
index aab19d3..8a3b092 100644
--- a/config-parts/container.sh
+++ b/config-parts/container.sh
@@ -16,22 +16,37 @@ set container name cloudflare-ddns memory '0'
 set container name cloudflare-ddns restart 'on-failure'
 set container name cloudflare-ddns shared-memory '0'
 
-# coredns - main instance
-set container name coredns cap-add 'net-bind-service'
-set container name coredns image 'docker.io/coredns/coredns:1.10.1'
-set container name coredns memory '0'
-set container name coredns network services address '10.5.0.3'
-set container name coredns restart 'on-failure'
-set container name coredns shared-memory '0'
-set container name coredns volume config destination '/config'
-set container name coredns volume config source '/config/containers/coredns/config'
-set container name coredns volume config mode 'ro'
-set container name coredns volume corefile destination '/Corefile'
-set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
-set container name coredns volume corefile mode 'ro'
-set container name coredns volume vyoshosts destination '/host/etc/hosts'
-set container name coredns volume vyoshosts source '/etc/hosts'
-set container name coredns volume vyoshosts mode 'ro'
+# # coredns - main instance
+# set container name coredns cap-add 'net-bind-service'
+# set container name coredns image 'docker.io/coredns/coredns:1.10.1'
+# set container name coredns memory '0'
+# set container name coredns network services address '10.5.0.3'
+# set container name coredns restart 'on-failure'
+# set container name coredns shared-memory '0'
+# set container name coredns volume config destination '/config'
+# set container name coredns volume config source '/config/containers/coredns/config'
+# set container name coredns volume config mode 'ro'
+# set container name coredns volume corefile destination '/Corefile'
+# set container name coredns volume corefile source '/config/containers/coredns/config/Corefile'
+# set container name coredns volume corefile mode 'ro'
+# set container name coredns volume vyoshosts destination '/host/etc/hosts'
+# set container name coredns volume vyoshosts source '/etc/hosts'
+# set container name coredns volume vyoshosts mode 'ro'
+
+# bind
+set container name bind cap-add 'net-bind-service'
+set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
+set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
+set container name bind memory '0'
+set container name bind network services address '10.5.0.3'
+set container name bind restart 'on-failure'
+set container name bind shared-memory '0'
+set container name bind volume config source '/config/containers/bind/config'
+set container name bind volume config destination '/etc/bind'
+set container name bind volume config mode 'ro'
+set container name bind volume cache source '/tmp/bind/cache'
+set container name bind volume cache destination '/var/cache/bind'
+set container name bind volume cache mode 'rw'
 
 # dnsdist
 set container name dnsdist cap-add 'net-bind-service'
@@ -41,8 +56,8 @@ set container name dnsdist memory '0'
 set container name dnsdist network services address '10.5.0.4'
 set container name dnsdist restart 'on-failure'
 set container name dnsdist shared-memory '0'
-set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
 set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
+set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
 set container name dnsdist volume config mode 'ro'
 
 # haproxy-k8s-api
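Review bot: The bind config volume is mounted 'ro' at /etc/bind, yet named.conf in this same commit makes hsn.dev a dynamically updated zone; the journal goes to the rw cache volume, but named also periodically dumps an updated zone back to its zone file (/etc/bind/zones/db.hsn.dev), and that write will fail on a read-only mount, so I would expect "dumping master file" permission errors in the log. Consider mounting the zones directory rw (or pointing the dynamic zone's `file` at the cache volume), and check that `/tmp/bind/cache` exists and is writable by the uid named drops to with `-u bind`; if /tmp is tmpfs on this host, the journal and every externaldns-written record are lost on reboot. `docker.io/internetsystemsconsortium/bind9:9.19` tracks the odd-numbered development branch rather than the 9.18 stable one, and a full version pin would make upgrades deliberate. The commented-out coredns block can simply be deleted since git history keeps it.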
@@ -51,8 +66,8 @@ set container name haproxy-k8s-api memory '0'
 set container name haproxy-k8s-api network services address '10.5.0.2'
 set container name haproxy-k8s-api restart 'on-failure'
 set container name haproxy-k8s-api shared-memory '0'
-set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
 set container name haproxy-k8s-api volume config source '/config/containers/haproxy/config/haproxy.cfg'
+set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
 set container name haproxy-k8s-api volume config mode 'ro'
 
 # node-exporter
@@ -64,15 +79,15 @@ set container name node-exporter memory '0'
 set container name node-exporter network services address '10.5.0.7'
 set container name node-exporter restart 'on-failure'
 set container name node-exporter shared-memory '0'
+set container name node-exporter volume procfs source '/proc'
 set container name node-exporter volume procfs destination '/host/proc'
 set container name node-exporter volume procfs mode 'ro'
-set container name node-exporter volume procfs source '/proc'
+set container name node-exporter volume rootfs source '/'
 set container name node-exporter volume rootfs destination '/host/rootfs'
 set container name node-exporter volume rootfs mode 'ro'
-set container name node-exporter volume rootfs source '/'
+set container name node-exporter volume sysfs source '/sys'
 set container name node-exporter volume sysfs destination '/host/sys'
 set container name node-exporter volume sysfs mode 'ro'
-set container name node-exporter volume sysfs source '/sys'
 
 # speedtest-exporter
 set container name speedtest-exporter image 'ghcr.io/miguelndecarvalho/speedtest-exporter:v3.5.3'
@@ -118,8 +133,9 @@ set container name unifi memory '0'
 set container name unifi network services address '10.5.0.10'
 set container name unifi restart 'on-failure'
 set container name unifi shared-memory '0'
-set container name unifi volume data destination '/unifi'
 set container name unifi volume data source '/config/containers/unifi'
+set container name unifi volume data destination '/unifi'
+set container name unifi volume data mode 'rw'
 
 # onepassword-connect
 set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
diff --git a/config-parts/service-dhcp_server.sh b/config-parts/service-dhcp_server.sh
index 512b0f2..731aeaf 100644
--- a/config-parts/service-dhcp_server.sh
+++ b/config-parts/service-dhcp_server.sh
@@ -1,8 +1,5 @@
 #!/bin/vbash
-set service dhcp-server hostfile-update
-set service dhcp-server host-decl-name
-
 
 # Guest VLAN
 set service dhcp-server shared-network-name GUEST authoritative
 set service dhcp-server shared-network-name GUEST ping-check
diff --git a/config-parts/system-static_host_mapping.sh b/config-parts/system-static_host_mapping.sh
deleted file mode 100644
index a0c167b..0000000
--- a/config-parts/system-static_host_mapping.sh
+++ /dev/null
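Review bot: Dropping `hostfile-update` and `host-decl-name` stops DHCP leases from being written to /etc/hosts, and since the new bind zones are static files nothing else publishes those names any more; hosts that were only known through leases, plus the entries removed with system-static_host_mapping.sh that have no record in the new zone files (homeassistant, sting, hallway-zigbee-adapter, garage-tablet, hallway-tablet, upstairs-vacuum, driveway-camera-doorbell), will stop resolving. That may well be intended, but it is not stated anywhere; a comment such as `# hostfile-update dropped: names are now served from containers/bind/config/zones, add hosts there` at the top of this file would tell the next reader where DHCP-client names are expected to live.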
@@ -1,40 +0,0 @@
-# Gateway
-set system static-host-mapping host-name gateway.jahanson.tech inet 10.1.0.1
-set system static-host-mapping host-name gateway.jahanson.tech alias vpn.hsn.dev
-set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.dev
-
-# Unifi controller
-set system static-host-mapping host-name unifi inet 10.5.0.10
-
-# 1Password Connect
-set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
-
-# NAS
-set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
-set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
-set system static-host-mapping host-name elessar.jahanson.tech alias minio.hsn.dev
-set system static-host-mapping host-name elessar.jahanson.tech alias s3.hsn.dev
-
-# Home Assistant
-set system static-host-mapping host-name homeassistant.jahanson.tech inet 10.1.1.13
-
-# Kubernetes hosts
-set system static-host-mapping host-name gandalf.jahanson.tech inet 10.1.1.31
-set system static-host-mapping host-name glamdring.jahanson.tech inet 10.1.1.32
-set system static-host-mapping host-name shadowfax.jahanson.tech inet 10.1.1.33
-
-# Kubernetes cluster VIP
-set system static-host-mapping host-name cluster-0.jahanson.tech inet 10.5.0.2
-
-# Other hosts
-set system static-host-mapping host-name sting.jahanson.tech inet 10.1.1.12
-set system static-host-mapping host-name frodo.jahanson.tech inet 10.1.1.52
-set system static-host-mapping host-name frodo.jahanson.tech alias pikvm.jahanson.tech
-set system static-host-mapping host-name nextcloud.jahanson.tech inet 10.1.1.51
-
-set system static-host-mapping host-name driveway-camera-doorbell.jahanson.tech inet 10.1.4.12
-set system static-host-mapping host-name hallway-zigbee-adapter.jahanson.tech inet 10.1.3.46
-set system static-host-mapping host-name garage-tablet.jahanson.tech inet 10.1.3.54
-set system static-host-mapping host-name hallway-tablet.jahanson.tech inet 10.1.3.53
-set system static-host-mapping host-name livingroom-vacuum.jahanson.tech inet 10.1.3.18
-set system static-host-mapping host-name upstairs-vacuum.jahanson.tech inet 10.1.3.22
diff --git a/containers/.gitignore b/containers/.gitignore
index 4c4abf1..de2fc1d 100644
--- a/containers/.gitignore
+++ b/containers/.gitignore
@@ -4,7 +4,7 @@
 # Track certain files and directories
 !.gitignore
-!/coredns/
+!/bind/
 !/dnsdist/
 !/haproxy/
 !/unifi/
diff --git a/containers/coredns/.gitignore b/containers/bind/.gitignore
similarity index 50%
rename from containers/coredns/.gitignore
rename to containers/bind/.gitignore
index 4532e68..8a41177 100644
--- a/containers/coredns/.gitignore
+++ b/containers/bind/.gitignore
@@ -6,9 +6,8 @@
 !/config/
 /config/*
-!/config/Corefile
-!/config/custom-hosts
-!/config-vyos/
-/config-vyos/*
-!/config-vyos/Corefile
+!/config/named.conf
+!/config/zones/
+/config/zones/*
+!/config/zones/db.*
diff --git a/containers/bind/config/named.conf b/containers/bind/config/named.conf
new file mode 100644
index 0000000..605b18c
--- /dev/null
+++ b/containers/bind/config/named.conf
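Review bot: The `/config/*` ignore in containers/bind/.gitignore keeps `rndc.key` and `externaldns.key` (both `include`d from named.conf) out of the repository, which is the right thing for TSIG secrets, but nothing says that it is deliberate. A line `# rndc.key and externaldns.key hold TSIG secrets: provisioned on the host, never committed` next to `!/config/named.conf` would stop a later "fix" such as `!/config/*.key` from committing them.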
@@ -0,0 +1,73 @@
+# Only define the known VLAN subnets as trusted
+acl "trusted" {
+ 10.1.0.0/24; # LAN
+ 10.1.1.0/24; # SERVERS
+ 10.1.2.0/24; # TRUSTED
+ 10.1.3.0/24; # IOT
+ 10.1.4.0/24; # VIDEO
+ 192.168.2.0/24; # GUEST
+ 10.0.11.0/24; # WIREGUARD
+ 10.5.0.0/24; # SERVICES
+};
+
+options {
+ directory "/var/cache/bind";
+ listen-on { 127.0.0.1; 10.5.0.3; };
+
+ allow-recursion {
+ trusted;
+ };
+ allow-transfer {
+ none;
+ };
+ allow-update {
+ none;
+ };
+};
+
+logging {
+ channel stdout {
+ stderr;
+ severity info;
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ };
+ category security { stdout; };
+ category dnssec { stdout; };
+ category default { stdout; };
+};
+
+include "/etc/bind/rndc.key";
+include "/etc/bind/externaldns.key";
+
+controls {
+ inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
+};
+
+zone "unifi." {
+ type master;
+ file "/etc/bind/zones/db.unifi";
+};
+
+zone "jahanson.tech." {
+ type master;
+ file "/etc/bind/zones/db.jahanson.tech";
+};
+
+zone "hsn.dev." {
+ type master;
+ file "/etc/bind/zones/db.hsn.dev";
+ journal "/var/cache/bind/db.hsn.dev.jnl";
+ allow-transfer {
+ key "externaldns";
+ };
+ update-policy {
+ grant externaldns zonesub ANY;
+ };
+};
+
+zone "1.10.in-addr.arpa." {
+ type master;
+ file "/etc/bind/zones/db.1.10.in-addr.arpa";
+};
\ No newline at end of file
diff --git a/containers/bind/config/zones/db.1.10.in-addr.arpa b/containers/bind/config/zones/db.1.10.in-addr.arpa
new file mode 100644
index 0000000..2d59a7a
--- /dev/null
+++ b/containers/bind/config/zones/db.1.10.in-addr.arpa
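Review bot: `grant externaldns zonesub ANY;` lets any holder of the externaldns TSIG key add or replace every record type at any name in hsn.dev, apex included; external-dns in its usual setup only writes A, AAAA, CNAME and its TXT ownership records, so `grant externaldns zonesub A AAAA CNAME TXT;` bounds what a leaked key can do without breaking it (verify against the record types your external-dns deployment actually emits). The `trusted` ACL is matched against the query's source address, which for everything relayed through dnsdist is 10.5.0.4 rather than the client, so it only governs hosts that talk to 10.5.0.3 directly; listing 192.168.2.0/24 (GUEST) there is unnecessary given dnsdist.conf sends guest clients elsewhere, and `allow-query` is left at its default of any. The absence of `listen-on-v6` is only safe because the container starts named with `-4`; a comment in `options` recording that dependency would keep the two files from drifting apart.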
@@ -0,0 +1,36 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN 1.10.in-addr.arpa.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+ 1683235219 ; serial number (epoch timestamp)
+ 7200 ; refresh period
+ 3600 ; retry period
+ 1209600 ; expire time
+ 3600 ; minimum ttl
+)
+
+; NS Records
+@ IN NS gateway.jahanson.tech.
+
+; Reset origin
+$ORIGIN in-addr.arpa.
+
+; LAN
+1.0.1.10 IN PTR gateway.jahanson.tech.
+
+; Servers
+11.1.1.10 IN PTR elessar.jahanson.tech.
+31.1.1.10 IN PTR gandalf.jahanson.tech.
+32.1.1.10 IN PTR glamdring.jahanson.tech.
+33.1.1.10 IN PTR shadowfax.jahanson.tech.
+51.1.1.10 IN PTR nextcloud.jahanson.tech.
+52.1.1.10 IN PTR frodo.jahanson.tech.
+
+; IOT
+18.3.1.10 IN PTR livingroom-vacuum.jahanson.tech.
+
+; Video
+12.4.1.10 IN PTR driveway-camera.jahanson.tech.
diff --git a/containers/bind/config/zones/db.hsn.dev b/containers/bind/config/zones/db.hsn.dev
new file mode 100644
index 0000000..96874a1
--- /dev/null
+++ b/containers/bind/config/zones/db.hsn.dev
@@ -0,0 +1,23 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN hsn.dev.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+ 1683235219 ; serial number (epoch timestamp)
+ 7200 ; refresh period
+ 3600 ; retry period
+ 1209600 ; expire time
+ 3600 ; minimum ttl
+)
+
+; NS Records
+@ IN NS gateway.jahanson.tech.
+
+; Services
+onepassword-connect IN A 10.5.0.5
+
+; CNAME Records
+s3 IN CNAME nas.jahanson.tech.
+vpn IN CNAME gateway.jahanson.tech.
diff --git a/containers/bind/config/zones/db.jahanson.tech b/containers/bind/config/zones/db.jahanson.tech
new file mode 100644
index 0000000..ae37c0f
--- /dev/null
+++ b/containers/bind/config/zones/db.jahanson.tech
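Review bot: The header still says the serial bump is "so coreDNS picks up the changes automatically", but BIND does not watch zone files: after editing one you must bump the serial and then run `rndc reload <zone>` (or restart the container), so the comment now describes behaviour the server does not have; the same header appears in db.hsn.dev, db.jahanson.tech and db.unifi. I would replace the first line with `; Bump the serial on every edit, then run rndc reload <zone>: BIND does not auto-reload zone files`. Separately, `12.4.1.10 IN PTR driveway-camera.jahanson.tech.` names a host that the removed static-host-mapping file called `driveway-camera-doorbell.jahanson.tech`; confirm which name is intended so the forward and reverse zones agree.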
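Review bot: hsn.dev is declared in named.conf as a dynamically updated zone (update-policy for externaldns plus a journal), so hand-editing this file once named has accepted updates will conflict with the journal: named typically logs "journal out of sync with zone" and refuses to load it, and the manual-serial instruction in the header does not apply because named manages the serial of a dynamic zone itself. Static entries such as `onepassword-connect`, `s3` and `vpn` should be added with `nsupdate`, or by editing between `rndc freeze hsn.dev` and `rndc thaw hsn.dev`; a header comment stating that would prevent the next manual edit from breaking the zone. The `minio.hsn.dev` and `ipv4.hsn.dev` aliases from the removed static-host-mapping file have no record here, so confirm they are no longer needed.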
@@ -0,0 +1,41 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN jahanson.tech.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+ 1683235219 ; serial number (epoch timestamp)
+ 7200 ; refresh period
+ 3600 ; retry period
+ 1209600 ; expire time
+ 3600 ; minimum ttl
+)
+
+; NS Records
+@ IN NS gateway.jahanson.tech.
+
+; LAN
+gateway IN A 10.1.0.1
+
+; Servers
+elessar IN A 10.1.1.11
+gandalf IN A 10.1.1.31
+glamdring IN A 10.1.1.32
+shadowfax IN A 10.1.1.33
+nextcloud IN A 10.1.1.51
+frodo IN A 10.1.1.52
+
+; IOT
+livingroom-vacuum IN A 10.1.3.18
+
+; Video
+driveway-camera l IN A 10.1.4.12
+
+; Services
+cluster-0 IN A 10.5.0.2
+
+; CNAME records
+nas IN CNAME elessar.jahanson.tech.
+pikvm IN CNAME frodo.jahanson.tech.
+s3 IN CNAME gateway.jahanson.tech.
diff --git a/containers/bind/config/zones/db.unifi b/containers/bind/config/zones/db.unifi
new file mode 100644
index 0000000..7c0c9ec
--- /dev/null
+++ b/containers/bind/config/zones/db.unifi
@@ -0,0 +1,19 @@
+; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
+; https://www.epochconverter.com/
+
+; SOA Records
+$TTL 3600
+$ORIGIN unifi.
+@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
+ 1683235219 ; serial number (epoch timestamp)
+ 7200 ; refresh period
+ 3600 ; retry period
+ 1209600 ; expire time
+ 3600 ; minimum ttl
+)
+
+; NS Records
+@ IN NS gateway.jahanson.tech.
+
+; CNAME Records
+@ IN A 10.5.0.10
diff --git a/containers/coredns/config/Corefile b/containers/coredns/config/Corefile
deleted file mode 100644
index a93169d..0000000
--- a/containers/coredns/config/Corefile
+++ /dev/null
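Review bot: `driveway-camera l IN A 10.1.4.12` has a stray `l` token between the owner name and the class, so the zone parser rejects the record and the whole jahanson.tech zone fails to load, leaving named answering SERVFAIL for every internal name in it; it should read `driveway-camera IN A 10.1.4.12`. Several hosts from the deleted static-host-mapping file have no A record here (homeassistant 10.1.1.13, sting 10.1.1.12, hallway-zigbee-adapter 10.1.3.46, garage-tablet 10.1.3.54, hallway-tablet 10.1.3.53, upstairs-vacuum 10.1.3.22), and `s3 IN CNAME gateway.jahanson.tech.` disagrees with db.hsn.dev where s3 points at nas; worth confirming both are intentional. Running `named-checkzone jahanson.tech containers/bind/config/zones/db.jahanson.tech` before committing (for instance as a pre-commit hook) would have caught the syntax error.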
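Review bot: The heading `; CNAME Records` sits above an A record (`@ IN A 10.5.0.10`); rename it to `; A Records` so the section labels match the other zone files. Since this zone exists only to give the Unifi controller (10.5.0.10, per the removed static-host-mapping entry) the single-label name `unifi`, a one-line comment saying so, e.g. `; single-label zone: the controller is reachable as plain "unifi"`, would make the intent clear.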
@@ -1,60 +0,0 @@
-(common) {
- errors
- log error
- reload
- loadbalance
- cache
- loop
- local
-
- prometheus :9153
-
- health {
- lameduck 5s
- }
-}
-
-(k8s_gateway) {
- forward . 10.45.0.3:53
-}
-
-unifi {
- import common
- hosts /host/etc/hosts {
- ttl 1
- reload 5s
- }
-}
-
-# Hack to prevent the gatway returning 127.0.0.1 from /etc/hosts
-gateway.jahanson.tech {
- import common
- template IN A gateway.jahanson.tech {
- answer "{{ .Name }} 60 IN A 10.1.0.1"
- }
-}
-
-hsn.dev {
- import common
- hosts /host/etc/hosts {
- ttl 1
- reload 5s
- fallthrough
- }
- import k8s_gateway
-}
-
-jahanson.tech {
- import common
- hosts /host/etc/hosts {
- ttl 1
- reload 5s
- }
-}
-
-1.10.in-addr.arpa {
- hosts /host/etc/hosts {
- ttl 1
- reload 5s
- }
-}
diff --git a/containers/dnsdist/config/dnsdist.conf b/containers/dnsdist/config/dnsdist.conf
index d84a6d9..625cfef 100644
--- a/containers/dnsdist/config/dnsdist.conf
+++ b/containers/dnsdist/config/dnsdist.conf
@@ -1,46 +1,47 @@
 -- udp/tcp dns listening
 setLocal("0.0.0.0:53", {})
 
--- Local CoreDNS
+-- Local Bind
 newServer({
 address = "10.5.0.3",
- pool = "coredns"
+ pool = "bind",
+ checkName = "gateway.jahanson.tech"
 })
 
--- ControlD - Servers
+-- NextDNS - Servers
 newServer({
- address = "76.76.2.22:443",
+ address = "188.172.251.1:443",
 tls = "openssl",
- subjectName = "dns.controld.com",
- dohPath = "/14pk0z49y0u",
+ subjectName = "8d3cd7.dns.nextdns.io",
+ dohPath = "/8d3cd7",
 validateCertificates = true,
 checkInterval = 10,
 checkTimeout = 2000,
- pool = "controld_servers"
+ pool = "nextdns_servers"
 })
 
--- ControlD - Trusted
+-- NextDNS - Trusted
 newServer({
- address = "76.76.2.22:443",
+ address = "188.172.251.1:443",
 tls = "openssl",
- subjectName = "dns.controld.com",
- dohPath = "/7l9xgidtyr",
+ subjectName = "d79ecb.dns.nextdns.io",
+ dohPath = "/d79ecb",
 validateCertificates = true,
 checkInterval = 10,
 checkTimeout = 2000,
- pool = "controld_trusted"
+ pool = "nextdns_trusted"
 })
 
--- ControlD - IoT
+-- NextDNS - IoT
 newServer({
- address = "76.76.2.22:443",
+ address = "188.172.251.1:443",
 tls = "openssl",
- subjectName = "dns.controld.com",
- dohPath = "/227g88d4fp5",
+ subjectName = "e29a3c.dns.nextdns.io",
+ dohPath = "/e29a3c",
 validateCertificates = true,
 checkInterval = 10,
 checkTimeout = 2000,
- pool = "controld_iot"
+ pool = "nextdns_iot"
 })
 
 -- CloudFlare DNS over TLS
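Review bot: The NextDNS profile IDs embedded in `dohPath` and `subjectName` (`/8d3cd7`, `/d79ecb`, `/e29a3c`) are what bind a client to a profile: anyone who learns one can resolve through that profile and, if query logging is enabled for it, populate its logs, so they are closer to credentials than to configuration and, if this repository is public, are better templated in at deploy time the way the TSIG keys are kept out of the tree. `checkName = "gateway.jahanson.tech"` is a sound health check because bind is authoritative for that name; a comment `-- checkName must be a name bind answers itself, otherwise the backend is marked down` would keep someone from changing it to an external name later.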
@@ -78,14 +79,15 @@ getPool(""):setCache(pc)
 -- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
 
 -- Routing rules
-addAction('unifi', PoolAction('coredns'))
-addAction('hsn.dev', PoolAction('coredns'))
-addAction('jahanson.tech', PoolAction('coredns'))
-addAction('1.10.in-addr.arpa', PoolAction('coredns'))
-
-addAction("10.1.0.0/24", PoolAction("controld_servers")) -- lan
-addAction("10.1.1.0/24", PoolAction("controld_servers")) -- servers vlan
-addAction("10.1.2.0/24", PoolAction("controld_trusted")) -- trusted vlan
-addAction("10.1.3.0/24", PoolAction("controld_iot")) -- iot vlan
-addAction("10.0.11.0/24", PoolAction("controld_trusted")) -- wg_trusted vlan
 addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
+addAction("192.168.2.0/24", DropAction()) -- stop processing
+addAction('unifi', PoolAction('bind'))
+addAction('hsn.dev', PoolAction('bind'))
+addAction('jahanson.tech', PoolAction('bind'))
+addAction('1.10.in-addr.arpa', PoolAction('bind'))
+
+addAction("10.1.0.0/24", PoolAction("nextdns_servers")) -- lan
+addAction("10.1.1.0/24", PoolAction("nextdns_servers")) -- servers vlan
+addAction("10.1.2.0/24", PoolAction("nextdns_trusted")) -- trusted vlan
+addAction("10.1.3.0/24", PoolAction("nextdns_iot")) -- iot vlan
+addAction("10.0.11.0/24", PoolAction("nextdns_trusted")) -- wg_trusted vlan
\ No newline at end of file
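Review bot: `addAction("192.168.2.0/24", DropAction()) -- stop processing` is unreachable for guest queries: as far as the dnsdist documentation goes, `PoolAction` on the line above already ends rule evaluation (the `stop` parameter defaults to true in 1.8+, and earlier releases stop on Action.Pool as well), so what actually keeps guest clients away from the internal zones is moving the guest rule ahead of the `'unifi'`/`'hsn.dev'`/`'jahanson.tech'`/`'1.10.in-addr.arpa'` rules, and the DropAction adds nothing. Worse, if evaluation ever did fall through to it (for example after a future `PoolAction("cloudflare", false)`), it would silently black-hole all guest DNS instead of isolating it. I would delete that line and change the guest rule's comment to `-- guest vlan: must stay above the zone rules, PoolAction stops evaluation so guests never reach the bind pool`. The dnsdist version in use is not visible in this diff, so please confirm the stop semantics against the deployed release.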