roles/named: Implement response policy zones

BIND response policy zones (RPZ) support provides a mechanism for overriding the responses to DNS queries based on a wide range of criteria. In the simplest form, a response policy zone can be used to provide different responses to different clients, or "block" some DNS names. For the Pyrocufflink and related networks, I plan to use an RPZ to implement ad/tracker blocking. The goal will be to generate an RPZ definition from a collection of host lists (e.g. those used by uBlock Origin) periodically. This commit introduces basic support for RPZ configuration in the *named* role. It can be activated by providing a list of "response policy" definitions (e.g. `zone "name"`) in the `named_response_policy` variable, and defining the corresponding zones in `named_zones`.
2020-09-04 20:47:48 -05:00 · 2020-09-04 20:47:48 -05:00 · 84313601ef
parent 44404950c1
commit 84313601ef
4 changed files with 16 additions and 2 deletions
--- a/group_vars/pyrocufflink-dns.yml
+++ b/group_vars/pyrocufflink-dns.yml
@ -7,6 +7,8 @@ named_listen_v6:
 named_allow_query:
 - any
 named_dnssec_validation: false
+named_response_policy:
+- zone "blackhole.rpz"

 pyrocufflink_common_zones:
 - zone: pyrocufflink.blue
@ -58,4 +60,4 @@ pyrocufflink_common_zones:
  - 192.168.20.146
  - 192.168.20.147

-named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones }}'
+named_zones: '{{ pyrocufflink_red_zones + pyrocufflink_common_zones + rpz_zones }}'
--- a/host_vars/dns0.pyrocufflink.blue.yml
+++ b/host_vars/dns0.pyrocufflink.blue.yml
@ -18,6 +18,10 @@ pyrocufflink_red_zones:
  - '{ !{ !localhost; any; }; key local-ddns; }'
  ttl: 30

+rpz_zones:
+- zone: blackhole.rpz
+  type: master
+
 named_keys:
 - name: dhcp-ddns
  algorithm: hmac-md5
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@ -35,7 +35,7 @@
 - name: ensure zone files exist
  template:
    src: zone.j2
-    dest: /var/named/dynamic/{{ item.zone }}.zone
+    dest: /var/named/{{ item.zone_file|d('dynamic/' + item.zone + '.zone') }}
    mode: '0640'
    owner: root
    group: named
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@ -58,6 +58,14 @@ options {

 	tkey-gssapi-keytab "{{ named_keytab }}";
 {% endif %}
+{% if named_response_policy|d %}
+
+	response-policy {
+{% for policy in named_response_policy %}
+		{{ policy }};
+{% endfor %}
+	};
+{% endif %}

 {% for path in named_options_include %}
 	include "{{ path }}";