From 8cba8194b0fd60aa6fe7c9897f6a3cc5b90968e7 Mon Sep 17 00:00:00 2001
From: Kameron Kenny <1267885+kkenny@users.noreply.github.com>
Date: Thu, 27 Jun 2024 20:03:41 -0400
Subject: [PATCH] add acls

---
 Dockerfile.primary            |  2 +-
 Dockerfile.secondary          |  2 +-
 docker-compose.yml            |  4 ++--
 primary/etc/bind/named.conf   | 18 +++++++++++++++++-
 secondary/etc/bind/named.conf | 17 +++++++++++++++++
 5 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/Dockerfile.primary b/Dockerfile.primary
index e524a1c..e73bebc 100644
--- a/Dockerfile.primary
+++ b/Dockerfile.primary
@@ -1,6 +1,6 @@
 FROM ubuntu/bind9:9.18-22.04_beta
 
-LABEL version="20240625.1.1"
+LABEL version="20240627.1.1"
 LABEL description="bind9 primary nameserver"
 
 ENV BIND_LIB_DIR=/var/lib/bind
diff --git a/Dockerfile.secondary b/Dockerfile.secondary
index 4eb4c86..70e124d 100644
--- a/Dockerfile.secondary
+++ b/Dockerfile.secondary
@@ -1,6 +1,6 @@
 FROM ubuntu/bind9:9.18-22.04_beta
 
-LABEL version="20240619.1.1"
+LABEL version="20240627.1.1"
 LABEL description="bind9 secondary nameserver"
 
 ENV BIND_LIB_DIR=/var/lib/bind
diff --git a/docker-compose.yml b/docker-compose.yml
index 9b60828..08bdd7e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,7 +18,7 @@ services:
     container_name: ns1
     build:
       dockerfile: Dockerfile.primary
-    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-primary:240625.1.1
+    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-primary:240627.1.1
     restart: always
     user: root
     environment:
@@ -41,7 +41,7 @@ services:
     container_name: ns2
     build:
       dockerfile: Dockerfile.secondary
-    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-secondary:240619.1.1
+    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-secondary:240627.1.1
     restart: always
     user: root
     environment:
diff --git a/primary/etc/bind/named.conf b/primary/etc/bind/named.conf
index cd5464e..e5eb18c 100755
--- a/primary/etc/bind/named.conf
+++ b/primary/etc/bind/named.conf
@@ -1,5 +1,4 @@
 options {
-	directory "/var/lib/bind";
 	dump-file "/var/log/named_dump.db";
 	statistics-file "/var/log/named.stats";
 
@@ -8,6 +7,19 @@ options {
 	notify yes;
 };
 
+acl "internal-nets" {
+	10.200.254.224/27; //Utility_net
+	10.200.99.192/26; //client_net
+	10.200.97.224/27; //IoT_net
+	10.200.17.240/28; //SFDC
+	10.200.53.240/28; //DNS
+	172.16.32.224/27; //doorbell-ding-dong (Guest Network)
+	10.99.153.240/28; //pub_dns
+	10.99.80.224/27; //pub_web
+	10.99.22.0/24; //hyporvisors
+	10.99.23.0/24; //dev_infra
+};
+
 zone "thelinuxpro.net" in {
 	type master;
 	file "/var/lib/bind/db.thelinuxpro.net";
@@ -19,6 +31,7 @@ zone "in.thelinuxpro.net" in {
 	type master;
 	file "/var/lib/bind/db.in.thelinuxpro.net";
 	allow-transfer { 10.99.153.242; };
+	allow-query { internal-nets; };
 	also-notify { 10.99.153.242; };
 };
 
@@ -39,16 +52,19 @@ zone "thelinux.pro" in {
 zone "200.10.in-addr.arpa" in {
 	type master;
 	file "db.10.200";
+	allow-query { internal-nets; };
 };
 
 zone "99.10.in-addr.arpa" in {
 	type master;
 	file "db.10.99";
+	allow-query { internal-nets; };
 };
 
 zone "0.0.127.in-addr.arpa" in {
 	type master;
 	file "db.127";
+	allow-query { internal-nets; };
 };
 
 logging {
diff --git a/secondary/etc/bind/named.conf b/secondary/etc/bind/named.conf
index 11e46d8..a429f0c 100755
--- a/secondary/etc/bind/named.conf
+++ b/secondary/etc/bind/named.conf
@@ -8,6 +8,19 @@ options {
 	notify yes;
 };
 
+acl "internal-nets" {
+	10.200.254.224/27; //Utility_net
+	10.200.99.192/26; //client_net
+	10.200.97.224/27; //IoT_net
+	10.200.17.240/28; //SFDC
+	10.200.53.240/28; //DNS
+	172.16.32.224/27; //doorbell-ding-dong (Guest Network)
+	10.99.153.240/28; //pub_dns
+	10.99.80.224/27; //pub_web
+	10.99.22.0/24; //hyporvisors
+	10.99.23.0/24; //dev_infra
+};
+
 zone "thelinuxpro.net" in {
 	type secondary;
 	primaries { 10.99.153.241; };
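Review bot: Dropping `directory "/var/lib/bind";` from `options` leaves the three reverse zones later in this file (`file "db.10.200";`, `file "db.10.99";`, `file "db.127";`) with paths that are now resolved against named's working directory instead of /var/lib/bind, so those zones will fail to load unless the image's entrypoint happens to start named from that directory. The forward zones are unaffected because their `file` paths are absolute. Either keep the `directory` statement or make the reverse-zone paths absolute, e.g. `file "/var/lib/bind/db.10.200";`. The removal is also unrelated to the ACL work named in the subject and would be easier to review and revert as its own commit; the rest of the `options` block lies outside this hunk.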
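Review bot: The `internal-nets` ACL puts the guest network `172.16.32.224/27` (`//doorbell-ding-dong (Guest Network)`) on the same footing as the client and infrastructure nets, so every guest device can query the internal zones and reverse maps; if only the doorbell needs internal names, a single host entry or a separate, narrower ACL fits a guest segment better. If this server is also reachable from the internet, as the unrestricted `thelinuxpro.net` zone and the `pub_dns` label suggest, the same ACL is the natural value for `allow-recursion { internal-nets; };` (or `recursion no;` on a purely authoritative server) in `options`; the visible part of that block shows neither, and the rest lies outside the hunk. A header comment would help the next maintainer, e.g. `// Clients allowed to query internal zones; mirror any change in secondary/etc/bind/named.conf`. `//hyporvisors` looks like a typo for `//hypervisors`.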
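Review bot: With `allow-query { internal-nets; }` added, `allow-transfer { 10.99.153.242; };` is now the only control on who can pull the whole `in.thelinuxpro.net` zone, and it trusts the secondary by source address alone. The usual hardening is a TSIG key shared by both servers, `key "ns1-ns2" { algorithm hmac-sha256; secret "..."; };` with `allow-transfer { key "ns1-ns2"; };`, which binds transfers (and the NOTIFYs from `also-notify`) to a secret rather than an IP. Since these named.conf files are committed to the repo, keep the secret in a separate file pulled in with `include` and mounted at runtime rather than inline. The address-only transfer rule predates this commit, but this hunk is where the zone's access policy is being tightened, so it is the place to finish the job.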
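Review bot: The three reverse zones gain `allow-query { internal-nets; }` but, unlike `in.thelinuxpro.net` above, set no `allow-transfer`; in BIND 9.18 (the base image here) a zone without its own `allow-transfer` inherits the `options` value, which defaults to allowing transfers from any host, so anyone who can reach the server could still AXFR the full reverse maps that the query ACL is meant to hide. Unless `options` (outside the hunk) already restricts it, add `allow-transfer { 10.99.153.242; };` next to each new `allow-query` so only the secondary can pull them. Their `file` names are also relative, which matters now that this same commit removes the `directory` statement from `options`.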
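Review bot: This `acl "internal-nets"` block is a verbatim copy of the one added to primary/etc/bind/named.conf, so the two lists will drift the first time a network is added on one side only, and a mismatch silently changes which clients get answers depending on which server they happen to hit. Keep the list in one file, e.g. `etc/bind/acl-internal-nets.conf`, mount it into both containers and replace both copies with `include "/etc/bind/acl-internal-nets.conf";`. The include must stay above the zone statements that reference the ACL, as the block does here.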
@@ -26,21 +39,25 @@ zone "thelinux.pro" in {
 zone "in.thelinuxpro.net" in {
 	type secondary;
 	primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };
 
 zone "200.10.in-addr.arpa" in {
 	type secondary;
 	primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };
 
 zone "99.10.in-addr.arpa" in {
 	type secondary;
 	primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };
 
 zone "0.0.127.in-addr.arpa" in {
 	type secondary;
 	primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };
 
 logging {
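Review bot: The four secondary zones now restrict queries to `internal-nets` but carry no `allow-transfer`, and in BIND 9.18 a zone without one inherits the `options` setting, which defaults to allowing transfers from any host; a client outside the ACL would be refused a lookup but could still run `dig AXFR in.thelinuxpro.net @ns2` and retrieve the whole zone. Add `allow-transfer { none; };` alongside each new `allow-query` (this secondary has no downstream of its own in the visible config), unless `options`, which lies outside the hunk, already sets it. `primaries { 10.99.153.241; };` likewise accepts zone data on the strength of the source address alone; a TSIG key shared with the primary would authenticate both the transfers and the incoming NOTIFYs.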