Greetings.

I'd like to request a freeze break to allow our unbound instances to
serve recursive dns to our private cloud instances. They need an
external dns server to do this and I think it's safer to let unbound do
this than our bind servers.

Changes consist of enabling udp and port 53 on the unbound instances,
then setting a firewall that only allows the external ip's of the
private cloud to access them. We could expand this to more machines
later if we find the need.

+1s?

kevin
--
diff --git a/modules/unbound/files/unbound.conf b/modules/unbound/files/unbound.conf
index 3b73a2c..76f0fc7 100644
--- a/modules/unbound/files/unbound.conf
+++ b/modules/unbound/files/unbound.conf
@@ -46,6 +46,7 @@ server:
#interface: 0.0.0.0@53
interface: 0.0.0.0@80
interface: 0.0.0.0@443
+ interface: 0.0.0.0@53

# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
@@ -153,7 +154,7 @@ server:

# Enable UDP, "yes" or "no".
# avoids this open resolver from becoming target for DNS Amplification
- do-udp: no
+ do-udp: yes

# Enable TCP, "yes" or "no".
# do-tcp: yes
diff --git a/modules/unbound/manifests/init.pp b/modules/unbound/manifests/init.pp
index bbe8e9b..a19a3a5 100644
--- a/modules/unbound/manifests/init.pp
+++ b/modules/unbound/manifests/init.pp
@@ -1,7 +1,11 @@
class unbound::server {

iptables::firewall { 'ipv4':
- tcpPorts => [ 80, 443 ]
+ tcpPorts => [ 80, 443 ],
+ custom => [
+ '-A INPUT -p tcp -m tcp -s 209.132.184.0/24 --dport 53 -j ACCEPT',
+ '-A INPUT -p udp -m udp -s 209.132.184.0/24 --dport 53 -j ACCEPT',
+ ],
}

semanage_modify_port { "80":
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure