From 750477542776680c76994067340fcbea31f8b118 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Tue, 26 Mar 2013 20:32:03 +0100
Subject: [PATCH] Ajout : vm_hosted : rule_unbound_configure .
---
 etc/unbound/named.cache | 88 ++++++++++++++++++++++++++++++++
 etc/unbound/unbound.conf | 106 +++++++++++++++++++++++++++++++++++++++
 etc/vm.sh | 1 +
 vm_hosted | 21 ++++++++
 4 files changed, 216 insertions(+)
 create mode 100644 etc/unbound/named.cache
 create mode 100644 etc/unbound/unbound.conf
diff --git a/etc/unbound/named.cache b/etc/unbound/named.cache
new file mode 100644
index 0000000..6c19741
--- /dev/null
+++ b/etc/unbound/named.cache
@@ -0,0 +1,88 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . "
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: Jan 3, 2013
+; related version of root zone: 2013010300
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 IN NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
+; End of File
diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf
new file mode 100644
index 0000000..1498f59
--- /dev/null
+++ b/etc/unbound/unbound.conf
@@ -0,0 +1,106 @@
+server:
+ access-control: 0.0.0.0/0 deny
+ access-control: 127.0.0.0/8 allow_snoop
+ #access-control: ::0/0 refuse
+ #access-control: ::1 allow
+ #access-control: ::ffff:127.0.0.1 allow
+ #add-holddown: 2592000 # 30 days
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ #cache-max-ttl: 86400
+ #cache-min-ttl: 0
+ chroot: ""
+ #del-holddown: 2592000 # 30 days
+ directory: "/etc/unbound"
+ #dlv-anchor-file: "dlv.isc.org.key"
+ #do-daemonize: yes
+ do-ip4: yes
+ do-ip6: no
+ #do-not-query-address: 127.0.0.1/8
+ #do-not-query-address: ::1
+ #do-not-query-localhost: yes
+ do-tcp: yes
+ do-udp: yes
+ #domain-insecure: ""
+ #edns-buffer-size: 4096
+ #extended-statistics: no
+ #harden-dnssec-stripped: yes
+ #harden-glue: yes
+ #harden-large-queries: no
+ #harden-referral-path: no
+ #harden-short-bufsize: no
+ hide-identity: yes
+ hide-version: yes
+ identity: ""
+ #incoming-num-tcp: 10
+ #infra-cache-lame-size: 10k
+ infra-cache-numhosts: 10000
+ #infra-cache-slabs: 4
+ #infra-host-ttl: 900
+ #infra-lame-ttl: 900
+ #interface-automatic: no
+ interface: 127.0.0.1
+ #jostle-timeout: 200
+ #keep-missing: 31622400 # 366 days
+ #key-cache-size: 4m
+ #key-cache-slabs: 4
+ #log-time-ascii: no
+ #logfile: ""
+ module-config: "iterator"
+ #msg-buffer-size: 65552
+ msg-cache-size: 4m
+ #msg-cache-slabs: 4
+ #neg-cache-size: 1m
+ #num-queries-per-thread: 1024
+ #num-threads: 1
+ outgoing-interface: OUTGOING_INTERFACE
+ #outgoing-num-tcp: 10
+ outgoing-port-avoid: "3200-3208"
+ #outgoing-port-permit: 32768
+ #outgoing-range: 4096
+ #pidfile: "/run/unbound.pid"
+ port: 53
+ #prefetch-key: no
+ #prefetch: no
+ #private-address: 10.0.0.0/8
+ #private-address: 172.16.0.0/12
+ #private-address: 192.168.0.0/16
+ #private-address: 192.254.0.0/16
+ #private-address: fd00::/8
+ #private-address: fe80::/10
+ #private-domain: "example.com"
+ root-hints: "named.cache"
+ rrset-cache-size: 4m
+ #rrset-cache-slabs: 4
+ #so-rcvbuf: 0
+ #statistics-cumulative: no
+ #statistics-interval: 0
+ #target-fetch-policy: "3 2 1 0 0"
+ #trust-anchor-file: ""
+ #trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+ #trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+ #trusted-keys-file: ""
+ #unwanted-reply-threshold: 10000000
+ #use-caps-for-id: no
+ use-syslog: yes
+ username: "unbound"
+ val-bogus-ttl: 60
+ #val-clean-additional: yes
+ #val-log-level: 1
+ #val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+ #val-override-date: ""
+ #val-permissive-mode: no
+ #val-sig-skew-max: 86400
+ #val-sig-skew-min: 3600
+ verbosity: 1
+ version: ""
+python:
+ #python-script: "/etc/unbound/ubmodule-tst.py"
+remote-control:
+ control-cert-file: "/etc/unbound/unbound_control.pem"
+ control-enable: yes
+ control-interface: 127.0.0.1
+ #control-interface: ::1
+ control-key-file: "/etc/unbound/unbound_control.key"
+ control-port: 9953
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+ server-key-file: "/etc/unbound/unbound_server.key"
diff --git a/etc/vm.sh b/etc/vm.sh
index eb4b556..3e539b8 100644
--- a/etc/vm.sh
+++ b/etc/vm.sh
@@ -7,6 +7,7 @@ readonly vm_hostname="ateliers"
 readonly vm_fqdn="$vm_hostname.$vm_domainname"
 readonly vm=$vm_hostname
 readonly vm_host="rouf.grenode.net"
+readonly vm_host_nameserver="91.216.110.110"
 readonly vm_use_lvm="yes"
 # - sans LVM :
diff --git a/vm_hosted b/vm_hosted
index 91ec25a..134b539 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -748,6 +748,10 @@ rule_network_configure () {
 $(cat /etc/hosts)
 127.0.0.1 $vm_fqdn $vm
 EOF
+ sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver ${vm_host_nameserver}
+ EOF
 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
 auto lo
 iface lo inet loopback
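Review bot: `module-config: "iterator"` loads only the iterator, so the validator module is not in the pipeline and the `auto-trust-anchor-file: "/var/lib/unbound/root.key"` and `val-bogus-ttl: 60` lines in the same server block have no effect — answers are cached without DNSSEC validation. If that is deliberate, a comment on that line, `# no "validator": DNSSEC validation intentionally disabled`, would spare the next reader the search; if not, `module-config: "validator iterator"` is the form that actually uses the trust anchor. `access-control: 127.0.0.0/8 allow_snoop` also permits non-recursive cache-inspection queries from loopback, which plain `allow` refuses; for a resolver bound to `interface: 127.0.0.1` and serving only this VM, `allow` is the narrower setting unless snooping is wanted for debugging. Finally, `outgoing-interface: OUTGOING_INTERFACE` makes the checked-in file an m4 template rather than a loadable unbound.conf, which deserves one comment at the top of the file, e.g. `# m4 template: OUTGOING_INTERFACE is substituted by vm_hosted`.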
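Review bot: The added heredoc writes /etc/resolv.conf with `nameserver ${vm_host_nameserver}`, and the new rule_unbound_configure in the hunk at line 1287 writes the same file with `nameserver 127.0.0.1`, so which resolver the VM ends up using depends on the order the rules run in; re-running rule_network_configure after rule_unbound_configure silently sends queries back to the upstream host instead of the local cache. A single helper both rules call, e.g. `rule_resolv_conf_write () { # SYNTAX: $nameserver`, emitting `search ${vm_host#*.}` plus the given nameserver, would keep the two writes in step, or rule_network_configure could skip its write once unbound is configured. If the guest also runs resolvconf or a DHCP client, /etc/resolv.conf is regenerated at boot and this write is lost; that assumption is worth a comment above the install line, `# NOTE: assumes no resolvconf/dhclient manages this file`. rule_network_configure begins before this hunk.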
@@ -1283,6 +1287,23 @@ rule_time_configure () {
 rule dpkg_reconfigure tzdata
 rule apt_get_install ntp
 }
+rule_unbound_configure () {
+ sudo apt-get install unbound m4
+ sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver 127.0.0.1
+ #nameserver ${vm_host_nameserver}
+ EOF
+ sudo install -m 440 -o unbound -g unbound \
+ "$tool"/etc/unbound/named.cache \
+ /etc/unbound/named.cache
+ m4 \
+ --define=OUTGOING_INTERFACE=$vm_ipv4 \
+ <"$tool"/etc/unbound/unbound.conf |
+ sudo install -m 440 -o unbound -g unbound /dev/stdin \
+ /etc/unbound/unbound.conf
+ sudo service unbound restart
+ }
 rule_user_add () { # SYNTAX: $user rule user_configure local user=$1
-- 
2.20.1
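Review bot: `sudo apt-get install unbound m4` bypasses the `rule apt_get_install` wrapper the surrounding code uses (see the `rule apt_get_install ntp` context line just above the new function), so it prompts for confirmation and presumably loses whatever non-interactive or already-installed handling the wrapper provides; `rule apt_get_install unbound m4` would match the file's convention. The m4 pipeline then pipes whatever m4 emits into /etc/unbound/unbound.conf and restarts the service without checking either step: with `$vm_ipv4` empty the template yields a bare `outgoing-interface:` that unbound will most likely reject, so `[ -n "$vm_ipv4" ] || { echo "vm_ipv4 is unset" >&2; return 1; }` before the `m4 \` line would fail early instead. `sudo service unbound restart` also deserves an `|| return 1` (or the file's usual way of failing a rule), because a rejected config otherwise leaves the VM with a resolv.conf pointing at 127.0.0.1 and no listener behind it. The template's `control-enable: yes` requires the four certificate/key files named under remote-control to exist under /etc/unbound before that restart; if the Debian package does not create them, a `sudo unbound-control-setup` step belongs before the restart.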