From 84313601efdf9cfc838626f9b7572ad7f893cfde Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 4 Sep 2020 20:47:48 -0500
Subject: [PATCH] roles/named: Implement response policy zones
BIND response policy zones (RPZ) support provides a mechanism for overriding the responses to DNS queries based on a wide range of criteria. In the simplest form, a response policy zone can be used to provide different responses to different clients, or "block" some DNS names. For the Pyrocufflink and related networks, I plan to use an RPZ to implement ad/tracker blocking. The goal will be to generate an RPZ definition from a collection of host lists (e.g. those used by uBlock Origin) periodically. This commit introduces basic support for RPZ configuration in the *named* role. It can be activated by providing a list of "response policy" definitions (e.g. `zone "name"`) in the `named_response_policy` variable, and defining the corresponding zones in `named_zones`.
---
 group_vars/pyrocufflink-dns.yml | 4 +++-
 host_vars/dns0.pyrocufflink.blue.yml | 4 ++++
 roles/named/tasks/main.yml | 2 +-
 roles/named/templates/named.conf.j2 | 8 ++++++++
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/group_vars/pyrocufflink-dns.yml b/group_vars/pyrocufflink-dns.yml
index a27e72a..3d7312f 100644
--- a/group_vars/pyrocufflink-dns.yml
+++ b/group_vars/pyrocufflink-dns.yml
@@ -7,6 +7,8 @@ named_listen_v6:
 named_allow_query:
 - any
 named_dnssec_validation: false
+named_response_policy:
+- zone "blackhole.rpz"
 pyrocufflink_common_zones:
 - zone: pyrocufflink.blue
@@ -58,4 +60,4 @@ pyrocufflink_common_zones:
 - 192.168.20.146
 - 192.168.20.147
-named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones }}'
+named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones + rpz_zones }}'
diff --git a/host_vars/dns0.pyrocufflink.blue.yml b/host_vars/dns0.pyrocufflink.blue.yml
index ad026f7..f66d01a 100644
--- a/host_vars/dns0.pyrocufflink.blue.yml
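Review bot: The new `named_zones` expression in the second hunk concatenates `rpz_zones` unconditionally, but this commit defines `rpz_zones` only in host_vars for dns0, so any other host in the pyrocufflink-dns group will fail with an undefined-variable error as soon as the role renders `named_zones`. A default keeps the group-level variable usable without a per-host definition: `named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones + rpz_zones|d([]) }}'`. Note also that `named_response_policy` in the first hunk references `blackhole.rpz` at group scope while the zone itself is host-scoped; I believe named refuses to load a response-policy that names a zone the configuration does not define, so a host without `rpz_zones` would still fail at config load even with the default above. Either move `rpz_zones` to the group, or guard the policy list with the same per-host condition so the two stay in step.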
+++ b/host_vars/dns0.pyrocufflink.blue.yml
@@ -18,6 +18,10 @@ pyrocufflink_red_zones:
 - '{ !{ !localhost; any; }; key local-ddns; }'
 ttl: 30
+rpz_zones:
+- zone: blackhole.rpz
+ type: master
+
 named_keys:
 - name: dhcp-ddns
 algorithm: hmac-md5
diff --git a/roles/named/tasks/main.yml b/roles/named/tasks/main.yml
index 52c46f4..cd0bcc7 100644
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@@ -35,7 +35,7 @@
 - name: ensure zone files exist
 template:
 src: zone.j2
- dest: /var/named/dynamic/{{ item.zone }}.zone
+ dest: /var/named/{{ item.zone_file|d('dynamic/' + item.zone + '.zone') }}
 mode: '0640'
 owner: root
 group: named
diff --git a/roles/named/templates/named.conf.j2 b/roles/named/templates/named.conf.j2
index 0240a12..951fc6f 100644
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@@ -58,6 +58,14 @@ options {
 tkey-gssapi-keytab "{{ named_keytab }}";
 {% endif %}
+{% if named_response_policy|d %}
+
+ response-policy {
+{% for policy in named_response_policy %}
+ {{ policy }};
+{% endfor %}
+ };
+{% endif %}
 {% for path in named_options_include %}
 include "{{ path }}";
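Review bot: `rpz_zones` defines `blackhole.rpz` with `type: master` but no `zone_file`, so the zone file falls back to the `dynamic/blackhole.rpz.zone` default introduced in roles/named/tasks/main.yml and is rendered from `zone.j2` like the dynamic-update zones. The commit message says this zone will be regenerated periodically from external host lists, which reads as a static file owned by a generator rather than a DDNS zone; if the new key was added for this case, set it here (for example `zone_file: blackhole.rpz.zone`) and confirm that the zone stanza in named.conf.j2, which is not in this diff, resolves the same path. A one-line comment above the entry naming the process that will own and overwrite this file would save the next reader from guessing.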
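Review bot: `item.zone_file` is spliced into `dest` directly under `/var/named/` with no normalization, so an inventory value containing `..` makes this root-executed template task write a file outside the named directory. The inventory is operator-controlled, so this is a defensive contract check rather than an exposed hole, but an `assert` ahead of the task, for example `that: "'..' not in item.zone_file|d('')"`, makes the accepted shape of `zone_file` explicit and fails early with a clear message. The default branch preserves the old `dynamic/<zone>.zone` path for entries without the key, which is good; the matching `file` directive in the zone stanza of named.conf.j2 must use the same expression or named will read a different file than the one written here, and that template is outside this hunk so I cannot tell whether it was updated.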
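Review bot: Each entry of `named_response_policy` is emitted verbatim as `{{ policy }};`, so the variable holds raw named.conf clauses rather than structured data, and a malformed entry only surfaces when named reloads its configuration. Stating that contract in a template comment such as `{# each item is one raw response-policy clause, e.g. zone "name" #}` (or in the role defaults) would help, and if the role does not already run `named-checkconf` through the template task's `validate:` option, an unchecked free-form clause is a good reason to add it. The blank added line directly after `{% if named_response_policy|d %}` renders an empty line inside the options block only when the policy is enabled; dropping it keeps the generated file stable between the two cases. The enclosing `options {` block starts before this hunk.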