authorAndreas Baumann <mail@andreasbaumann.cc>2016-01-24 17:25:14 +0100
committerAndreas Baumann <mail@andreasbaumann.cc>2016-01-24 17:25:14 +0100
commit2509dfb2b4455536649fc9e3090f602fc1d3d21e (patch)
tree6c47da261b2ba466f6b4a4f01b49c0f5d5c32d93 /config
parent0f0878e6820f8fd04fa4f06290e6ed2f061ed6e9 (diff)
downloadOpenBSD-firewall-2509dfb2b4455536649fc9e3090f602fc1d3d21e.tar.gz
OpenBSD-firewall-2509dfb2b4455536649fc9e3090f602fc1d3d21e.tar.bz2
added two nsd instances for handling the split horizon
Diffstat (limited to 'config')
-rw-r--r--config/obr/named/etc/named.conf134
-rw-r--r--config/obr/nsd-external/etc/nsd.conf43
-rw-r--r--config/obr/nsd-external/run/xfr/.gitkeep (renamed from config/obr/nsd/db/.gitkeep)0
-rw-r--r--config/obr/nsd-external/zones/andreasbaumann.cc (renamed from config/obr/nsd/zones/andreasbaumann.cc-external)0
-rw-r--r--config/obr/nsd-external/zones/bikecentum.com (renamed from config/obr/nsd/zones/bikecentum.com-external)0
-rw-r--r--config/obr/nsd-external/zones/maschezuoz.ch (renamed from config/obr/nsd/zones/maschezuoz.ch-external)0
-rw-r--r--config/obr/nsd-internal/db/.gitkeep (renamed from config/obr/nsd/run/.gitkeep)0
-rw-r--r--config/obr/nsd-internal/etc/nsd.conf45
-rw-r--r--config/obr/nsd-internal/run/xfr/.gitkeep (renamed from config/obr/nsd/run/xfr/.gitkeep)0
-rw-r--r--config/obr/nsd-internal/zones/1.168.192.in-addr (renamed from config/obr/nsd/zones/1.168.192.in-addr)0
-rw-r--r--config/obr/nsd-internal/zones/andreasbaumann.cc (renamed from config/obr/nsd/zones/andreasbaumann.cc-internal)0
-rw-r--r--config/obr/nsd-internal/zones/bikecentum.com (renamed from config/obr/nsd/zones/bikecentum.com-internal)0
-rw-r--r--config/obr/nsd-internal/zones/lan (renamed from config/obr/nsd/zones/lan)0
-rw-r--r--config/obr/nsd-internal/zones/maschezuoz.ch (renamed from config/obr/nsd/zones/maschezuoz.ch-internal)0
-rw-r--r--config/obr/nsd-internal/zones/project-strus.net (renamed from config/obr/nsd/zones/project-strus.net-internal)0
-rw-r--r--config/obr/nsd/etc/nsd.conf33
-rw-r--r--config/obr/nsd/zones/.gitkeep0
-rw-r--r--config/obr/pf.conf9
-rw-r--r--config/obr/rc.services11
19 files changed, 98 insertions, 177 deletions
diff --git a/config/obr/named/etc/named.conf b/config/obr/named/etc/named.conf
deleted file mode 100644
index 24b6a65..0000000
--- a/config/obr/named/etc/named.conf
+++ /dev/null
@@ -1,134 +0,0 @@
-include "/etc/rndc.key";
-
-controls {
- inet 127.0.0.1 port 953
- allow { 127.0.0.1; }
- keys { "rndc-key"; };
-};
-
-acl "BuddyNsTransferDns" {
- 173.244.206.25;
- 173.244.206.26;
- 88.198.106.11;
-};
-
-acl "BuddyNsQueryDns" {
- 173.244.206.25;
- 173.244.206.26;
- 88.198.106.11;
-};
-
-acl "MyClients" {
- 192.168.1.0/24;
- 127.0.0.1;
- ::1;
-};
-
-options {
- version "";
-
- directory "/";
-
- interface-interval 0;
-
- listen-on { any; };
- listen-on-v6 { none; };
-
- empty-zones-enable yes;
-
- allow-query {
- MyClients;
- BuddyNsQueryDns;
- };
-
- allow-transfer {
- BuddyNsTransferDns;
- };
-
- allow-recursion { MyClients; };
-
- forwarders { 194.246.118.118; 212.25.28.55; };
-};
-
-logging {
- category lame-servers { null; };
-};
-
-view "internal" {
- match-clients { MyClients; };
-
- zone "." {
- type hint;
- file "etc/root.hint";
- };
-
- zone "localhost" {
- type master;
- file "standard/localhost";
- allow-transfer { localhost; };
- };
-
- zone "127.in-addr.arpa" {
- type master;
- file "standard/loopback";
- allow-transfer { localhost; };
- };
-
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "standard/loopback6.arpa";
- allow-transfer { localhost; };
- };
-
- # TODO: Don't use!! TLDs can be anything nowadays..
- zone "lan" {
- type master;
- file "master/lan";
- };
-
- zone "1.168.192.in-addr.arpa" {
- type master;
- file "master/1.168.192.in-addr";
- };
-
- zone "andreasbaumann.cc" {
- type master;
- file "master/andreasbaumann.cc-internal";
- };
-
- zone "bikecentum.com" {
- type master;
- file "master/bikecentum.com-internal";
- };
-
- zone "maschezuoz.ch" {
- type master;
- file "master/maschezuoz.ch-internal";
- };
-
- zone "project-strus.net" {
- type master;
- file "master/project-strus.net-internal";
- };
-
-};
-
-view "external" {
- match-clients { BuddyNsQueryDns; };
-
- zone "andreasbaumann.cc" {
- type master;
- file "master/andreasbaumann.cc-external";
- };
-
- zone "bikecentum.com" {
- type master;
- file "master/bikecentum.com-external";
- };
-
- zone "maschezuoz.ch" {
- type master;
- file "master/maschezuoz.ch-external";
- };
-
-};
diff --git a/config/obr/nsd-external/etc/nsd.conf b/config/obr/nsd-external/etc/nsd.conf
new file mode 100644
index 0000000..e0c65cb
--- /dev/null
+++ b/config/obr/nsd-external/etc/nsd.conf
@@ -0,0 +1,43 @@
+# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
+
+server:
+ hide-version: yes
+ verbosity: 1
+ ip-address: 83.150.2.48@53
+ chroot: "/var/nsd-external"
+ zonesdir: "/var/nsd-external/zones"
+ pidfile: "/var/nsd-external/run/nsd.pid"
+ xfrdfile: "/var/nsd-external/run/xfrd.state"
+ xfrdir: "/var/nsd-external/run/xfr"
+ zonelistfile: "/var/nsd-external/db/zone.list"
+ database: ""
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ control-port: 8954
+ server-cert-file: "/var/nsd-external/etc/nsd_server.pem"
+ server-key-file: "/var/nsd-external/etc/nsd_server.key"
+ control-cert-file: "/var/nsd-external/etc/nsd_control.pem"
+ control-key-file: "/var/nsd/etc/nsd_control.key"
+
+zone:
+ name: "andreasbaumann.cc"
+ zonefile: "andreasbaumann.cc"
+ provide-xfr: 173.244.206.25 NOKEY
+ provide-xfr: 173.244.206.26 NOKEY
+ provide-xfr: 88.198.106.11 NOKEY
+
+zone:
+ name: "maschezuoz.ch"
+ zonefile: "maschezuoz.ch"
+ provide-xfr: 173.244.206.25 NOKEY
+ provide-xfr: 173.244.206.26 NOKEY
+ provide-xfr: 88.198.106.11 NOKEY
+
+zone:
+ name: "bikecentum.com"
+ zonefile: "bikecentum.com"
+ provide-xfr: 173.244.206.25 NOKEY
+ provide-xfr: 173.244.206.26 NOKEY
+ provide-xfr: 88.198.106.11 NOKEY
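Review bot: `control-key-file` in the remote-control stanza points at `/var/nsd/etc/nsd_control.key`, while the three sibling cert/key entries live under `/var/nsd-external/etc/`; this commit removes the old `config/obr/nsd` tree and rc.services only stages `/etc/nsd-$view`, so unless that file is created elsewhere `nsd-control` for this instance will not find its client key. It should read `control-key-file: "/var/nsd-external/etc/nsd_control.key"`. All nine `provide-xfr` lines are `NOKEY`, so zone transfers to the three BuddyNS addresses are authorised by source IP alone — the same model as the deleted named.conf ACL, but with the pf rule in this commit now passing port 53 from `any`, this list is the only AXFR control left; a `key:` block plus `provide-xfr: <ip> <keyname>` would be the stronger check if the secondary supports TSIG. There are also no `notify:` entries, so the secondaries will only learn of changes on SOA refresh unless they are notified by some other means.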
diff --git a/config/obr/nsd/db/.gitkeep b/config/obr/nsd-external/run/xfr/.gitkeep
index e69de29..e69de29 100644
--- a/config/obr/nsd/db/.gitkeep
+++ b/config/obr/nsd-external/run/xfr/.gitkeep
diff --git a/config/obr/nsd/zones/andreasbaumann.cc-external b/config/obr/nsd-external/zones/andreasbaumann.cc
index 5bc48db..5bc48db 100644
--- a/config/obr/nsd/zones/andreasbaumann.cc-external
+++ b/config/obr/nsd-external/zones/andreasbaumann.cc
diff --git a/config/obr/nsd/zones/bikecentum.com-external b/config/obr/nsd-external/zones/bikecentum.com
index 50175f3..50175f3 100644
--- a/config/obr/nsd/zones/bikecentum.com-external
+++ b/config/obr/nsd-external/zones/bikecentum.com
diff --git a/config/obr/nsd/zones/maschezuoz.ch-external b/config/obr/nsd-external/zones/maschezuoz.ch
index 3efa1a3..3efa1a3 100644
--- a/config/obr/nsd/zones/maschezuoz.ch-external
+++ b/config/obr/nsd-external/zones/maschezuoz.ch
diff --git a/config/obr/nsd/run/.gitkeep b/config/obr/nsd-internal/db/.gitkeep
index e69de29..e69de29 100644
--- a/config/obr/nsd/run/.gitkeep
+++ b/config/obr/nsd-internal/db/.gitkeep
diff --git a/config/obr/nsd-internal/etc/nsd.conf b/config/obr/nsd-internal/etc/nsd.conf
new file mode 100644
index 0000000..87d4add
--- /dev/null
+++ b/config/obr/nsd-internal/etc/nsd.conf
@@ -0,0 +1,45 @@
+# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
+
+server:
+ hide-version: yes
+ verbosity: 1
+ ip-address: 127.0.0.1@8053
+ chroot: "/var/nsd-internal"
+ zonesdir: "/var/nsd-internal/zones"
+ pidfile: "/var/nsd-internal/run/nsd.pid"
+ xfrdfile: "/var/nsd-internal/run/xfrd.state"
+ xfrdir: "/var/nsd-internal/run/xfr"
+ zonelistfile: "/var/nsd-internal/db/zone.list"
+ database: ""
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ server-cert-file: "/var/nsd-internal/etc/nsd_server.pem"
+ server-key-file: "/var/nsd-internal/etc/nsd_server.key"
+ control-cert-file: "/var/nsd-internal/etc/nsd_control.pem"
+ control-key-file: "/var/nsd/etc/nsd_control.key"
+
+zone:
+ name: "lan"
+ zonefile: "lan"
+
+zone:
+ name: "1.168.192.in-addr.arpa"
+ zonefile: "1.168.192.in-addr"
+
+zone:
+ name: "andreasbaumann.cc"
+ zonefile: "andreasbaumann.cc"
+
+zone:
+ name: "maschezuoz.ch"
+ zonefile: "maschezuoz.ch"
+
+zone:
+ name: "bikecentum.com"
+ zonefile: "bikecentum.com"
+
+zone:
+ name: "project-strus.net"
+ zonefile: "project-strus.net"
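Review bot: `control-key-file` is the one path in this file not under `/var/nsd-internal/`: it reads `/var/nsd/etc/nsd_control.key`, a directory this commit stops provisioning (the old `config/obr/nsd` tree is deleted and rc.services only copies `/etc/nsd-$view`). Unless that file exists for another reason, `nsd-control` against this instance will be unable to present its key; change it to `control-key-file: "/var/nsd-internal/etc/nsd_control.key"`. No `control-port` is given here while the external instance is pinned to 8954, so this instance silently relies on the default; stating `control-port: 8952` explicitly would make the two-instance layout self-documenting and rule out a clash if either default ever changes.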
diff --git a/config/obr/nsd/run/xfr/.gitkeep b/config/obr/nsd-internal/run/xfr/.gitkeep
index e69de29..e69de29 100644
--- a/config/obr/nsd/run/xfr/.gitkeep
+++ b/config/obr/nsd-internal/run/xfr/.gitkeep
diff --git a/config/obr/nsd/zones/1.168.192.in-addr b/config/obr/nsd-internal/zones/1.168.192.in-addr
index b70945c..b70945c 100644
--- a/config/obr/nsd/zones/1.168.192.in-addr
+++ b/config/obr/nsd-internal/zones/1.168.192.in-addr
diff --git a/config/obr/nsd/zones/andreasbaumann.cc-internal b/config/obr/nsd-internal/zones/andreasbaumann.cc
index d76a5af..d76a5af 100644
--- a/config/obr/nsd/zones/andreasbaumann.cc-internal
+++ b/config/obr/nsd-internal/zones/andreasbaumann.cc
diff --git a/config/obr/nsd/zones/bikecentum.com-internal b/config/obr/nsd-internal/zones/bikecentum.com
index f954b63..f954b63 100644
--- a/config/obr/nsd/zones/bikecentum.com-internal
+++ b/config/obr/nsd-internal/zones/bikecentum.com
diff --git a/config/obr/nsd/zones/lan b/config/obr/nsd-internal/zones/lan
index b0d12b6..b0d12b6 100644
--- a/config/obr/nsd/zones/lan
+++ b/config/obr/nsd-internal/zones/lan
diff --git a/config/obr/nsd/zones/maschezuoz.ch-internal b/config/obr/nsd-internal/zones/maschezuoz.ch
index cc10a70..cc10a70 100644
--- a/config/obr/nsd/zones/maschezuoz.ch-internal
+++ b/config/obr/nsd-internal/zones/maschezuoz.ch
diff --git a/config/obr/nsd/zones/project-strus.net-internal b/config/obr/nsd-internal/zones/project-strus.net
index edce576..edce576 100644
--- a/config/obr/nsd/zones/project-strus.net-internal
+++ b/config/obr/nsd-internal/zones/project-strus.net
diff --git a/config/obr/nsd/etc/nsd.conf b/config/obr/nsd/etc/nsd.conf
deleted file mode 100644
index c16a481..0000000
--- a/config/obr/nsd/etc/nsd.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
-
-server:
- hide-version: yes
- verbosity: 1
- ip-address: 127.0.0.1@8053
-
-remote-control:
- control-enable: yes
-
-zone:
- name: "lan"
- zonefile: "lan"
-
-zone:
- name: "1.168.192.in-addr.arpa"
- zonefile: "1.168.192.in-addr"
-
-zone:
- name: "andreasbaumann.cc"
- zonefile: "andreasbaumann.cc-internal"
-
-zone:
- name: "maschezuoz.ch"
- zonefile: "maschezuoz.ch-internal"
-
-zone:
- name: "bikecentum.com"
- zonefile: "bikecentum.com-internal"
-
-zone:
- name: "project-strus.net"
- zonefile: "project-strus.net-internal"
diff --git a/config/obr/nsd/zones/.gitkeep b/config/obr/nsd/zones/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/config/obr/nsd/zones/.gitkeep
+++ /dev/null
diff --git a/config/obr/pf.conf b/config/obr/pf.conf
index 3882898..60d7075 100644
--- a/config/obr/pf.conf
+++ b/config/obr/pf.conf
@@ -20,9 +20,6 @@ euroweb = 192.168.1.15
# our own networks
table <intNetworks> const { 192.168.1.0/24 }
-# buddyns.org external public DNS servers
-BuddyNsDns = "{ 173.244.206.26, 88.198.106.11 }"
-
# default rule, block all
block all
@@ -59,9 +56,9 @@ pass in inet proto icmp all icmp-type echoreq
# allow DHCP from IWay
pass in quick on $ext_if proto udp from port 67 to port 68
-# allow DNS requests from buddyns.org
-pass in quick on $ext_if proto tcp from $BuddyNsDns to port 53
-pass in quick on $ext_if proto udp from $BuddyNsDns to port 53
+# allow DNS requests
+pass in quick on $ext_if proto tcp from any to port 53
+pass in quick on $ext_if proto udp from any to port 53
# sanitize traffic from unknown or illegal sources on the external interface
#block in quick on $ext_if from no-route to any
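Review bot: The two replacement rules pass DNS from `any` to any destination address reaching port 53 on `$ext_if`, whereas the external nsd binds only `83.150.2.48@53`; scoping the destination, e.g. `pass in quick on $ext_if proto { tcp udp } from any to ($ext_if) port 53`, keeps the rule aligned with what actually listens and avoids matching forwarded traffic that merely transits the interface. Opening port 53 to the world is unavoidable for an authoritative server, but it means the per-IP `provide-xfr` list in nsd.conf is now the sole zone-transfer control, since a source-restricted TCP rule can no longer be kept without blocking ordinary TCP queries — which is the case for adding TSIG to those `NOKEY` transfers. For what it is worth, the removed `BuddyNsDns` macro listed only two of the three BuddyNS addresses the nsd config allows, so the old rule was already out of step. If the NSD build in use supports response rate limiting (`rrl-ratelimit`), enabling it is worth considering now that UDP/53 is reachable from anywhere; I cannot confirm RRL support from this diff.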
diff --git a/config/obr/rc.services b/config/obr/rc.services
index 20b08ef..f65c1b5 100644
--- a/config/obr/rc.services
+++ b/config/obr/rc.services
@@ -1,8 +1,11 @@
echo nsd: starting authorative name server..
-cp -R /etc/nsd /tmp/var/nsd
-chown -R root:_nsd /tmp/var/nsd/{db,etc,run}
-chmod 0770 /tmp/var/nsd/{db,run,run/xfr}
-/usr/sbin/nsd
+for view in internal external; do
+ cp -R /etc/nsd-$view /tmp/var/nsd-$view
+ chown -R root:_nsd /tmp/var/nsd-$view/{db,etc,run}
+ chmod 0770 /tmp/var/nsd-$view/{db,run,run/xfr}
+done
+/usr/sbin/nsd -c /var/nsd-internal/etc/nsd.conf
+/usr/sbin/nsd -c /var/nsd-external/etc/nsd.conf
echo unbound: starting DNS resolver..
cp -R /etc/unbound /tmp/var/unbound
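Review bot: Nothing in the loop or in the two start lines checks for failure, so a bad copy or an instance that cannot bind (for example if `83.150.2.48` is not yet configured when the external instance starts) only shows up in the log while the script continues as if both views were serving. Running `nsd-checkconf /var/nsd-$view/etc/nsd.conf || echo "nsd-$view: invalid config"` inside the loop, and checking the exit status of each `/usr/sbin/nsd -c ...` call, would surface this at boot. The `chmod 0770` covers `db`, `run` and `run/xfr` but not `etc`, which now holds `nsd_server.key`; `cp -R` without `-p` gives the copies the source mode masked by the umask rather than preserving it, so confirm the private keys end up readable by root and `_nsd` only. The nsd.conf files reference `/var/nsd-$view` while this script stages into `/tmp/var/nsd-$view`; presumably `/var` resolves to `/tmp/var` on this host (the unbound block does the same), but that is not visible here.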