$ORIGIN .
$TTL 60 ; 1 minute
; With $ORIGIN "." the owner below is absolute, i.e. proxy.example.com.
; NOTE(review): an SOA normally carries two names (MNAME and RNAME); only one
; is visible here, so check the real file before reusing this snippet.
; This zone is fed by dynamic updates (allow-update in named.conf), so BIND
; rewrites this file itself and bumps the serial; hand edits need the zone
; frozen first.
proxy.example.com IN SOA ns4.example.com. (
    20180711 ; serial
    60 ; refresh (1 minute)
    120 ; retry (2 minutes)
    60 ; expire (1 minute) -- unusually short: a secondary that cannot refresh
       ;   for one minute stops answering for the zone
    60 ; minimum (1 minute)
)
NS ns1.example.com.
NS ns4.example.com.
$ORIGIN proxy.example.com.
$TTL 14400 ; 4 hours
; Records added by the learn-address script get a 60 s TTL (see the script),
; not the 4 h default set above.
587-gc2 A 172.XX.XX.26
15
16Outgoing update query:
17;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 17693
18;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
19;; ZONE SECTION:
20;proxy.example.com. IN SOA
21
22;; UPDATE SECTION:
23587.proxy.example.com. 60 IN A 172.XX.XX.XX
24
25;; TSIG PSEUDOSECTION:
26keyname. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1531335476 300 16 TSIGSECRET 17693 NOERROR 0
27
28Reply from update query:
29;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 17693
30;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
31;; ZONE SECTION:
32;proxy.example.com. IN SOA
33;; TSIG PSEUDOSECTION:
34SECRETKEY. 0 ANY TSIG hmac-md5.sig-alg.reg.int. 1531335476 300 16 TSIGSECRET 17693 NOERROR 0
35
36#!/usr/bin/php
37<?php
38/*
39 * This script can be passed to --learn-address of the openvpn server, it will
40 * update the local bind9 server whenever an ip address is passed
41 */
42// Bind9 server to update
// --- Configuration -------------------------------------------------------
// Address of the BIND9 server that receives the dynamic updates.
const NS_ADDR = "127.0.0.1";
// Zone the client common name is prepended to (cn.DOMAIN).
const DOMAIN = "proxy.example.com";
// nsupdate binary.
const NSUPDATE = "/usr/bin/nsupdate";
// Directory for the temporary nsupdate batch files.
const TMP_PATH = "/tmp/";
// TSIG key in nsupdate -y form ("keyname:secret"). Keep this script readable
// only by the user running openvpn: the value is placed on the nsupdate
// command line, where other local users can see it.
const PRIVATE_KEY = "SECRETKEY:SECRETHASH";
// Verbose nsupdate output and syslog logging when true.
const DEBUG = true;
/**
 * Log $error to syslog at LOG_ERR and terminate the script with exit status 1.
 *
 * Used for every fatal condition in this script; it never returns.
 * NOTE(review): a non-zero exit from a --learn-address script is reported
 * back to OpenVPN -- confirm that is the wanted outcome for each caller.
 *
 * @param string $error Message written to syslog.
 */
function failWithError($error) {
    syslog(LOG_ERR, $error);
    exit(1);
}
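/**
 * Publish an A record for $record.DOMAIN pointing at $ip via nsupdate.
 *
 * The nsupdate command batch is written to a private temp file, nsupdate is
 * run with the TSIG key from PRIVATE_KEY, and the file is removed again.
 *
 * @param string $record Left-most label (the OpenVPN common name).
 * @param string $ip     IPv4 address to put in the A record.
 *
 * Exits via failWithError() when an argument is malformed or the batch file
 * cannot be created; an nsupdate failure is only logged so the script's own
 * exit status (and therefore OpenVPN's handling of it) stays as before.
 */
function addRecordWithIP($record, $ip) {
    // Both arguments end up verbatim in the nsupdate command stream, so only a
    // single DNS label and a dotted quad are accepted here; a stray space or
    // newline would otherwise become extra nsupdate commands.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$/', $record)) {
        failWithError("'{$record}' is not usable as a DNS label");
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        failWithError("'{$ip}' is not a valid IPv4 address for an A record");
    }
    $domain = $record.".".DOMAIN;

    // tempnam() creates the file atomically with a unique name and mode 0600;
    // the former rand(900, 999) name was one of 100 guesses and fopen("w")
    // would happily follow a symlink planted there.
    $filepath = tempnam(TMP_PATH, __FUNCTION__."_");
    if ($filepath === false) {
        failWithError("Unable to create nsupdate batch file in ".TMP_PATH);
    }
    // nsupdate reads one command per line; the lines must be newline
    // terminated or it sees a single garbled command.
    $commands = "server ".NS_ADDR."\n"
              . "debug ".(DEBUG ? 'yes' : 'no')."\n"
              . "zone ".DOMAIN."\n"
              . "update add {$domain} 60 A {$ip}\n"
              . "send\n";
    if (file_put_contents($filepath, $commands) === false) {
        unlink($filepath);
        failWithError("Unable to write nsupdate batch file {$filepath}");
    }

    // With DEBUG, stderr is captured too so nsupdate's diagnostics reach
    // syslog; without it both streams are discarded (the old "2>&1 >/dev/null"
    // order still captured stderr that was then never logged).
    $redirect = DEBUG ? " 2>&1" : " >/dev/null 2>&1";
    // -y places the TSIG secret on the command line (visible in ps);
    // nsupdate's -k <keyfile> is the safer alternative if the config allows.
    $output = [];
    $status = 0;
    exec(NSUPDATE." -y ".escapeshellarg(PRIVATE_KEY)." -D -v ".escapeshellarg($filepath).$redirect, $output, $status);
    // clean up
    unlink($filepath);

    if (DEBUG) {
        syslog(LOG_ERR, print_r($output, true));
    }
    if ($status !== 0) {
        syslog(LOG_WARNING, "nsupdate exited with status {$status} while adding {$domain}");
    }
}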
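/**
 * Delete every record at $record.DOMAIN via nsupdate.
 *
 * The nsupdate command batch is written to a private temp file, nsupdate is
 * run with the TSIG key from PRIVATE_KEY, and the file is removed again.
 *
 * @param string $record Left-most label (the OpenVPN common name).
 *
 * Exits via failWithError() when the name is malformed or the batch file
 * cannot be created; an nsupdate failure is only logged, so the following
 * addRecordWithIP() call in the caller still runs as before.
 */
function removeRecord($record) {
    // $record is written verbatim into the nsupdate command stream, so only a
    // single DNS label is accepted; a stray space or newline would otherwise
    // become extra nsupdate commands.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$/', $record)) {
        failWithError("'{$record}' is not usable as a DNS label");
    }
    $domain = $record.".".DOMAIN;

    // tempnam() creates the file atomically with a unique name and mode 0600;
    // the former rand(900, 999) name was one of 100 guesses and fopen("w")
    // would happily follow a symlink planted there.
    $filepath = tempnam(TMP_PATH, __FUNCTION__."_");
    if ($filepath === false) {
        failWithError("Unable to create nsupdate batch file in ".TMP_PATH);
    }
    // nsupdate reads one command per line; the lines must be newline
    // terminated or it sees a single garbled command.
    $commands = "server ".NS_ADDR."\n"
              . "debug ".(DEBUG ? 'yes' : 'no')."\n"
              . "zone ".DOMAIN."\n"
              . "update delete {$domain}\n"
              . "send\n";
    if (file_put_contents($filepath, $commands) === false) {
        unlink($filepath);
        failWithError("Unable to write nsupdate batch file {$filepath}");
    }

    // With DEBUG, stderr is captured too so nsupdate's diagnostics reach
    // syslog; without it both streams are discarded (the old "2>&1 >/dev/null"
    // order still captured stderr that was then never logged).
    $redirect = DEBUG ? " 2>&1" : " >/dev/null 2>&1";
    // -y places the TSIG secret on the command line (visible in ps);
    // nsupdate's -k <keyfile> is the safer alternative if the config allows.
    $output = [];
    $status = 0;
    exec(NSUPDATE." -y ".escapeshellarg(PRIVATE_KEY)." -v ".escapeshellarg($filepath).$redirect, $output, $status);
    // clean up
    unlink($filepath);

    if (DEBUG) {
        syslog(LOG_ERR, print_r($output, true));
    }
    if ($status !== 0) {
        syslog(LOG_WARNING, "nsupdate exited with status {$status} while deleting {$domain}");
    }
}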
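// Entry point. OpenVPN calls --learn-address scripts as
//   <script> <operation> <address> [<common name>]
// where the common name is only supplied for add/update.
if ($argc < 3) {
    failWithError("Incorrect number of params");
}
$operation = $argv[1];
$address = $argv[2];

// Remove subnet from ip, e.g. "10.8.0.0/24" -> "10.8.0.0". The part *before*
// the slash is the address; the former substr($address, $slashpos) kept "/24"
// instead, which then always failed the inet_pton() check below.
$slashpos = strpos($address, "/");
if ($slashpos !== false) {
    $address = substr($address, 0, $slashpos);
}
if (inet_pton($address) === false) {
    failWithError("{$address} is not a valid ip address");
}

switch ($operation) {
    case "update":
    case "add":
        if (isset($argv[3])) {
            $commonName = $argv[3];
            // The common name comes from the client certificate and is written
            // into an nsupdate batch as a DNS label. Refuse anything else so a
            // crafted CN cannot smuggle extra nsupdate commands or an odd name
            // into the zone.
            if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$/', $commonName)) {
                failWithError("'{$commonName}' is not usable as a DNS label");
            }
            removeRecord($commonName);
            addRecordWithIP($commonName, $address);
        }
        break;
    case "delete":
    case "remove":
        // OpenVPN names this operation "delete" and passes only the address,
        // not the common name, so there is no record name to remove here.
        break;
}
// Success
exit(0);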
119
include "/etc/bind/named.conf.log";
// Clients served by the "vpn" view below. 172.XX.XX.XX and SERVERIP are
// placeholders on this page.
acl vpnnets { 172.XX.XX.XX/16; 192.168.3.0/24; };
acl ourservers { SERVERIP; };
// TSIG key used by the learn-address script (nsupdate -y). hmac-md5 is only
// kept for legacy compatibility; hmac-sha256 is the usual choice for a new key.
// NOTE(review): this key is named "dhcpupdate" but both zones below reference
// "key SECRETKEY"; the names must match for allow-update to accept the
// signed updates (presumably redaction on this page -- verify in the real file).
key dhcpupdate {
    algorithm hmac-md5;
    secret "SECRETHASH";
};
view "vpn" {
    match-clients { vpnnets;ourservers; };
    recursion yes;
    // Dynamic zone written by the learn-address script. The same zone name is
    // served from a different file in the "external" view, so an update only
    // changes the copy belonging to the view the updating client matches; an
    // update from 127.0.0.1 lands here only if vpnnets or SERVERIP covers
    // loopback, otherwise it goes to "external".
    zone "proxy.example.com" {
        type master;
        file "/var/cache/bind/db.vpn";
        allow-update { key SECRETKEY;};
    };
include "/etc/bind/named.conf.default-zones-vpn";
    // "any" matches every client, so the vpnnets/ourservers entries in this
    // allow-query are redundant (harmless, but misleading to the next reader).
    allow-query { vpnnets;ourservers;any; };
    allow-query-cache { vpnnets;ourservers; };
    allow-recursion { vpnnets;ourservers; };
};
view "external" {
    match-clients {any;};
    // NOTE(review): recursion is on for a view that matches any client and
    // has no allow-recursion of its own, so the effective policy is BIND's
    // default. Set "allow-recursion { none; };" or "recursion no;" here
    // explicitly unless recursion for the world is intended.
    recursion yes;
    zone "proxy.example.com" {
        type master;
        file "/var/cache/bind/db.vpn-external";
        // Any client reaching this view that holds the key may update the
        // public copy of the zone; an update-policy or a narrower match list
        // limits that to the host running the script.
        allow-update { key SECRETKEY;};

    };
};
150
151# This file is managed by man:systemd-resolved(8). Do not edit.
152#
153# This is a dynamic resolv.conf file for connecting local clients directly to
154# all known uplink DNS servers. This file lists all configured search domains.
155#
156# Third party programs must not access this file directly, but only through the
157# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
158# replace this symlink by a static file or a different symlink.
159#
160# See man:systemd-resolved.service(8) for details about the supported modes of
161# operation for /etc/resolv.conf.
162nameserver 172.XX.XX.1
163nameserver 169.254.169.254
164search c.GOOGLEPROJECT.internal google.internal