add acls

2024-06-27 20:03:41 -04:00 · 2024-06-27 20:03:41 -04:00 · 8cba8194b0
parent 71b11cdca3
commit 8cba8194b0
5 changed files with 38 additions and 5 deletions
--- a/Dockerfile.primary
+++ b/Dockerfile.primary
@ -1,6 +1,6 @@
 FROM ubuntu/bind9:9.18-22.04_beta

-LABEL version="20240625.1.1"
+LABEL version="20240627.1.1"
 LABEL description="bind9 primary nameserver"

 ENV BIND_LIB_DIR=/var/lib/bind
--- a/Dockerfile.secondary
+++ b/Dockerfile.secondary
@ -1,6 +1,6 @@
 FROM ubuntu/bind9:9.18-22.04_beta

-LABEL version="20240619.1.1"
+LABEL version="20240627.1.1"
 LABEL description="bind9 secondary nameserver"

 ENV BIND_LIB_DIR=/var/lib/bind
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -18,7 +18,7 @@ services:
    container_name: ns1
    build:
      dockerfile: Dockerfile.primary
-    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-primary:240625.1.1
+    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-primary:240627.1.1
    restart: always
    user: root
    environment:
@ -41,7 +41,7 @@ services:
    container_name: ns2
    build:
      dockerfile: Dockerfile.secondary
-    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-secondary:240619.1.1
+    image: docker-registry1.in.thelinuxpro.net:5000/tlp/bind9-secondary:240627.1.1
    restart: always
    user: root
    environment:
--- a/primary/etc/bind/named.conf
+++ b/primary/etc/bind/named.conf
@ -1,5 +1,4 @@
 options {
-
        directory "/var/lib/bind";
        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";
@ -8,6 +7,19 @@ options {
        notify yes;
 };

+acl "internal-nets" {
+	10.200.254.224/27;  //Utility_net
+	10.200.99.192/26;   //client_net
+	10.200.97.224/27;   //IoT_net
+	10.200.17.240/28;   //SFDC
+	10.200.53.240/28;   //DNS
+	172.16.32.224/27;   //doorbell-ding-dong (Guest Network)
+	10.99.153.240/28;   //pub_dns
+	10.99.80.224/27;    //pub_web
+	10.99.22.0/24;	    //hyporvisors
+	10.99.23.0/24;	    //dev_infra
+};
+
 zone "thelinuxpro.net" in {
        type master;
        file "/var/lib/bind/db.thelinuxpro.net";
@ -19,6 +31,7 @@ zone "in.thelinuxpro.net" in {
        type master;
        file "/var/lib/bind/db.in.thelinuxpro.net";
 	allow-transfer { 10.99.153.242; };
+	allow-query { internal-nets; };
 	also-notify { 10.99.153.242; };
 };

@ -39,16 +52,19 @@ zone "thelinux.pro" in {
 zone "200.10.in-addr.arpa" in {
        type master;
        file "db.10.200";
+	allow-query { internal-nets; };
 };

 zone "99.10.in-addr.arpa" in {
        type master;
        file "db.10.99";
+	allow-query { internal-nets; };
 };

 zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127";
+	allow-query { internal-nets; };
 };

 logging {
--- a/secondary/etc/bind/named.conf
+++ b/secondary/etc/bind/named.conf
@ -8,6 +8,19 @@ options {
        notify yes;
 };

+acl "internal-nets" {
+	10.200.254.224/27;  //Utility_net
+	10.200.99.192/26;   //client_net
+	10.200.97.224/27;   //IoT_net
+	10.200.17.240/28;   //SFDC
+	10.200.53.240/28;   //DNS
+	172.16.32.224/27;   //doorbell-ding-dong (Guest Network)
+	10.99.153.240/28;   //pub_dns
+	10.99.80.224/27;    //pub_web
+	10.99.22.0/24;	    //hyporvisors
+	10.99.23.0/24;	    //dev_infra
+};
+
 zone "thelinuxpro.net" in {
        type secondary;
        primaries { 10.99.153.241; };
@ -26,21 +39,25 @@ zone "thelinux.pro" in {
 zone "in.thelinuxpro.net" in {
        type secondary;
        primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };

 zone "200.10.in-addr.arpa" in {
        type secondary;
        primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };

 zone "99.10.in-addr.arpa" in {
        type secondary;
        primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };

 zone "0.0.127.in-addr.arpa" in {
        type secondary;
        primaries { 10.99.153.241; };
+	allow-query { internal-nets; };
 };

 logging {