Initial commit of unbound role

Change-Id: I0a5f1517e7912d418b7994e17c856338e07a5ae0
diff --git a/templates/unbound.conf.j2 b/templates/unbound.conf.j2
new file mode 100644
index 0000000..28a537e
--- /dev/null
+++ b/templates/unbound.conf.j2
@@ -0,0 +1,88 @@
+# unbound templates/unbound.conf.j2 - {{ ansible_managed }}
+{#
+SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+SPDX-License-Identifier: Apache-2.0
+#}
+
+# general config
+server:
+  port: 53
+  do-ip4: yes
+  do-ip6: no
+  do-udp: yes
+  do-tcp: yes
+
+  # logging
+  verbosity: 1
+
+  # RFC7816 query name minimization
+  qname-minimisation: yes
+
+  # access control
+{% if unbound_allow_all %}
+  # allow queries from everywhere
+  access-control: 0.0.0.0/0 allow
+{% else %}
+  # allow queries from localhost
+  access-control: 127.0.0.0/24 allow
+{% if unbound_allow_zone_ips and dns_zones %}
+  # allow from networks defined in zones
+{% for key, value in dns_zones.items() %}
+  access-control: {{ value.ip_range }} allow
+{% endfor %}
+{% endif %}
+{% if unbound_allow_ips %}
+  # listen on specific IPs
+{% for ip in unbound_allow_ips %}
+  interface: {{ ip }} allow
+{% endfor %}
+{% endif %}
+{% endif %}
+
+  # listening interfaces
+{% if unbound_listen_default %}
+  # listen on default IPv4 Address
+  interface: {{ ansible_default_ipv4.address }}
+
+{% endif %}
+{% if unbound_listen_zone_ips and dns_zones %}
+{% for key, value in dns_zones.items() %}
+  # listen on IPs defined by dns_zones: {{ key }}
+  interface: {{ value.ip_range | ipaddr('next_usable') | ipaddr('address') }}
+{% endfor %}
+
+{% endif %}
+{% if unbound_listen_ips %}
+  # listen on specific IPs
+{% for ip in unbound_listen_ips %}
+  interface: {{ ip | ipaddr('address') }}
+{% endfor %}
+
+{% endif %}
+# allow unbound to query localhost, where authoritative DNS might be listening
+do-not-query-localhost: no
+
+# disable DNS-over-HTTP (DoH) as it breaks split horizon
+# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
+# https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+local-zone: "use-application-dns.net" always_nxdomain
+
+{% if dns_zones %}
+# allow reverse queries for RFC1918 addresses
+{% for key, value in dns_zones.items() %}
+local-zone: "{{ value.ip_range | unbound_revdns }}" nodefault
+
+{% endfor %}
+
+# stub-zones zones that authoritative DNS is serving
+{% for key, value in dns_zones.items() %}
+stub-zone:
+  name: "{{ key }}"
+  stub-addr: {{ unbound_authoritative_server_ip }}
+
+stub-zone:
+  name: "{{ value.ip_range | unbound_revdns }}"
+  stub-addr: {{ unbound_authoritative_server_ip }}
+
+{% endfor %}
+{% endif %}
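Review bot: The `unbound_allow_ips` branch emits `interface: {{ ip }} allow`, but `interface:` takes an address (optionally `@port`) and has no `allow` argument, so any such line should be rejected by unbound-checkconf; from the surrounding access-control block the intended line is `access-control: {{ ip }} allow`, and the copied comment should read `# allow queries from specific IPs/netblocks`. The loopback rule `access-control: 127.0.0.0/24 allow` covers only part of the loopback range; `127.0.0.0/8` matches unbound's own default and what "localhost" means here. The `unbound_allow_all` branch (`0.0.0.0/0 allow`) turns every listening interface into an open recursive resolver, which is a DNS amplification vector, so a comment such as `# WARNING: open resolver - only enable behind a firewall or with ratelimit: configured` would help whoever flips that flag. The `local-zone: ... nodefault` lines only lift unbound's built-in reverse-zone blocks when the rendered name is exactly one of those default zones (e.g. `10.in-addr.arpa.`, `168.192.in-addr.arpa.`); since the `unbound_revdns` filter is not in this diff, it is worth confirming it maps a smaller range such as a /24 inside 10.0.0.0/8 to the /8-level default name, and noting in a comment that `domain-insecure:` would also be needed for these stub zones if DNSSEC validation is ever enabled.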