From 3ab8bcc34b9e31a3b7a1b0006e123adf290d81af Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 Jul 2026 22:15:43 +1000 Subject: [PATCH] Restrict authoritative queries to internal networks (#227) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mirrors the puppet authoritative `master-zones` view (match-clients `acl-main.unkin.net`, recursion no) — restricting who can query bind-authoritative. ## Changes - add `auth-acl-main` BindACL with the puppet authoritative acl-main.unkin.net networks (13-17,19,20,24-29) - `allow-query { auth-acl-main; 10.42.0.0/16; }` on bind-authoritative via extraOptions ## Notes - Implemented as a global `allow-query` rather than a BindView: dynamic *primary* zones inside a view would need per-view `allow-new-zones` (an operator gap). Functionally equivalent for the single master-zones view. - `10.42.0.0/16` (pod network) is included so secondaries can SOA-refresh from the primary during catalog replication — without it, replication breaks. - Works on the current operator (no HOLD). ## Caveat The DNS Services use externalTrafficPolicy: Cluster, which SNATs external clients to node IPs (198.18.19.x, already in acl-main), so this ACL doesn't truly restrict *external* clients yet. True source-IP restriction needs externalTrafficPolicy: Local — happy to switch if wanted. Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/227 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- .../bind-internal/authoritative/acls.yaml | 26 +++++++++++++++++++ .../bind-internal/authoritative/cluster.yaml | 5 ++++ .../authoritative/kustomization.yaml | 1 + 3 files changed, 32 insertions(+) create mode 100644 apps/base/bind-internal/authoritative/acls.yaml diff --git a/apps/base/bind-internal/authoritative/acls.yaml b/apps/base/bind-internal/authoritative/acls.yaml new file mode 100644 index 0000000..d042b2a --- /dev/null +++ b/apps/base/bind-internal/authoritative/acls.yaml @@ -0,0 +1,26 @@ +--- +# Internal client networks allowed to query the authoritative servers, +# mirrored from the puppet authoritative /etc/named/acls.conf +# (acl-main.unkin.net). Named auth-acl-main because the resolver has its own, +# differently-scoped acl-main.unkin.net in the same namespace. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindACL +metadata: + name: auth-acl-main + namespace: bind-internal +spec: + clusterRef: bind-authoritative + entries: + - 198.18.13.0/24 + - 198.18.14.0/24 + - 198.18.15.0/24 + - 198.18.16.0/24 + - 198.18.17.0/24 + - 198.18.19.0/24 + - 198.18.20.0/24 + - 198.18.24.0/24 + - 198.18.25.0/24 + - 198.18.26.0/24 + - 198.18.27.0/24 + - 198.18.28.0/24 + - 198.18.29.0/24 diff --git a/apps/base/bind-internal/authoritative/cluster.yaml b/apps/base/bind-internal/authoritative/cluster.yaml index 13307d3..ea08a66 100644 --- a/apps/base/bind-internal/authoritative/cluster.yaml +++ b/apps/base/bind-internal/authoritative/cluster.yaml @@ -11,6 +11,11 @@ spec: replicas: 3 storageClassName: cephrbd-fast-delete storageSize: 2Gi + # Restrict queries to internal networks (puppet acl-main.unkin.net). + # 10.42.0.0/16 (pod net) is required so secondaries can SOA-refresh + # from the primary during catalog replication. + extraOptions: + - "allow-query { auth-acl-main; 10.42.0.0/16; }" service: type: LoadBalancer annotations: diff --git a/apps/base/bind-internal/authoritative/kustomization.yaml b/apps/base/bind-internal/authoritative/kustomization.yaml index d69be1f..2116a01 100644 --- a/apps/base/bind-internal/authoritative/kustomization.yaml +++ b/apps/base/bind-internal/authoritative/kustomization.yaml @@ -6,3 +6,4 @@ resources: - cluster.yaml - tsigkey.yaml - zones.yaml + - acls.yaml