Add support for forward/reverse DNS range split

- Allow for explicit reverse RFC1918 lookups with unbound_reverse_zones
- Add tests, similar to NSD ones
- Wait for network to be online before starting (fixes AETHER-1041)
- Multiplatform support

Change-Id: I385aec6f766b45a9db595d2f8af5ed8fe0dde2ca
diff --git a/templates/unbound.conf.j2 b/templates/unbound.conf.j2
index dd23b95..d6b3feb 100644
--- a/templates/unbound.conf.j2
+++ b/templates/unbound.conf.j2
@@ -25,9 +25,9 @@
 {% else %}
   # allow queries from localhost
   access-control: 127.0.0.0/24 allow
-{% if unbound_allow_zone_ips and dns_zones %}
+{% if unbound_allow_zone_ips and dns_forward_zones %}
   # allow from networks defined in zones
-{% for key, value in dns_zones.items() %}
+{% for key, value in dns_forward_zones.items() %}
   access-control: {{ value.ip_range }} allow
 {% endfor %}
 {% endif %}
@@ -45,51 +45,66 @@
   interface: {{ ansible_default_ipv4.address }}
 
 {% endif %}
-{% if unbound_listen_zone_ips and dns_zones %}
-{% for key, value in dns_zones.items() %}
+{% if unbound_listen_zone_ips and dns_forward_zones %}
+{% for key, value in dns_forward_zones.items() %}
 {% set if_ip = value.ip_range | ipaddr('next_usable') | ipaddr('address') %}
 {% if if_ip in ansible_all_ipv4_addresses %}
-  # listen on IPs defined by dns_zones: {{ key }}
+  # listen on IPs defined by dns_forward_zones: {{ key }}
   interface: {{ if_ip }}
+
 {% endif %}
 {% endfor %}
-
 {% endif %}
 {% if unbound_listen_ips %}
   # listen on specific IPs
 {% for ip in unbound_listen_ips %}
   interface: {{ ip | ipaddr('address') }}
-{% endfor %}
 
+{% endfor %}
 {% endif %}
+  # disable DNS-over-HTTP (DoH) as it breaks split horizon
+  # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
+  # https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+  local-zone: "use-application-dns.net" always_nxdomain
+
+{% if dns_reverse_zones %}
+  # allow reverse queries for RFC1918 addresses, per dns_reverse_zones
+  {% for key, value in dns_reverse_zones.items() %}
+  local-zone: "{{ key | ipaddr('network') | unbound_revdns }}" nodefault
+  {% endfor %}
+{% endif %}
+{% if unbound_reverse_zones %}
+  # allow reverse queries for RFC1918 addresses, per unbound_reverse_zones
+  {% for urz in unbound_reverse_zones %}
+  local-zone: "{{ urz | ipaddr('network') | unbound_revdns }}" nodefault
+  {% endfor %}
+{% endif %}
+
 # allow unbound to query localhost, where authoritative DNS might be listening
 do-not-query-localhost: no
 
-# disable DNS-over-HTTP (DoH) as it breaks split horizon
-# https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
-# https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
-local-zone: "use-application-dns.net" always_nxdomain
-
-{% if dns_zones %}
-# allow reverse queries for RFC1918 addresses
-{% for key, value in dns_zones.items() %}
-local-zone: "{{ value.ip_range | unbound_revdns }}" nodefault
+# zone definitions
+{% if dns_reverse_zones %}
+# reverse zones created by dns_reverse_zones
+{% for key, value in dns_reverse_zones.items() %}
+stub-zone:
+  name: "{{ key | ipaddr('network') | unbound_revdns }}"
+  stub-addr: {{ unbound_authoritative_server_ip }}
 
 {% endfor %}
-
-# stub-zones zones that authoritative DNS is serving
-{% for key, value in dns_zones.items() %}
+{% endif %}
+{% if dns_forward_zones %}
+# forward zones created by dns_forward_zones
+{% for key, value in dns_forward_zones.items() %}
 stub-zone:
   name: "{{ key }}"
   stub-addr: {{ unbound_authoritative_server_ip }}
 
-stub-zone:
-  name: "{{ value.ip_range | unbound_revdns }}"
-  stub-addr: {{ unbound_authoritative_server_ip }}
-
 {% endfor %}
 {% endif %}
+
 {% if unbound_forward_zones %}
+# Forward zones created by: unbound_forward_zones
 {% for fz in unbound_forward_zones %}
 forward-zone:
   name: "{{ fz.name | default('.') }}"
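Review bot: The `unbound_reverse_zones` loop marks each listed range `nodefault`, but unlike the `dns_reverse_zones` case nothing in this hunk creates a stub-zone or forward-zone for it. Unless the operator adds a matching entry to `unbound_forward_zones`, PTR lookups for those private ranges would no longer be answered locally and would instead go to whatever upstream the resolver uses, disclosing internal addressing. I would add a comment above that loop, for example `# every range listed here needs a matching forward-zone in unbound_forward_zones, otherwise private PTR queries leave the network`, or assert the pairing in the role's tasks. The `server:` section starts above the hunk, so I cannot see whether DNSSEC validation is enabled; if it is, the stubbed reverse zones probably also need `domain-insecure` entries. As a style point, the new `{% for %}`/`{% endfor %}` tags in both `local-zone` blocks are indented two spaces while the other block tags sit at column 0, and unless `lstrip_blocks` is enabled that indentation leaks into the rendered file.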
@@ -97,5 +112,4 @@
   forward-addr: {{ fza }}
 {% endfor %}
 {% endfor %}
-
 {% endif %}