| # unbound templates/unbound.conf.j2 - {{ ansible_managed }} |
| # docs: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf |
| {# |
| SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| SPDX-License-Identifier: Apache-2.0 |
| #} |
| |
| # general config |
| # NOTE(review): this template sets no auto-trust-anchor-file and no include: of |
| # the distro conf.d; if it replaces the packaged unbound.conf, DNSSEC validation |
| # may be lost - confirm against the target distro's packaging. |
| server: |
| port: 53 |
| do-ip4: yes |
| do-ip6: no |
| do-udp: yes |
| do-tcp: yes |
| |
| # logging |
| verbosity: 1 |
| |
| # caching overrides |
| # Keep infra-cache entries (per-upstream RTT, lameness and timeout state) for 10s |
| # instead of the 900s default, so a server that timed out is retried sooner and |
| # does not keep producing SERVFAIL for 15 minutes |
| infra-host-ttl: 10 |
| {% if ansible_distribution_version != "18.04" %} |
| # keep probing hosts marked as down, in case of transient network issues. |
| # NOTE(review): gated on the distro release as a proxy for the installed Unbound |
| # version; an option the installed unbound does not know makes the config fail to load |
| infra-keep-probing: yes |
| {% endif %} |
| # Cap (seconds) on how long negative answers (NXDOMAIN and NODATA) are cached; |
| # normally the upstream SOA minimum TTL governs this |
| cache-max-negative-ttl: 60 |
| |
| # RFC7816 query name minimization |
| qname-minimisation: yes |
| |
| # access control |
| {% if unbound_allow_all %} |
| # allow queries from any source address. |
| # NOTE(review): combined with a non-loopback interface below this is an open |
| # recursive resolver, exposed to UDP amplification abuse and cache-poisoning |
| # attempts; only enable on a private network or behind a firewall |
| access-control: 0.0.0.0/0 allow |
| {% else %} |
| # allow queries from localhost |
| access-control: 127.0.0.0/24 allow |
| {% if unbound_allow_ips %} |
| # also allow queries from the source addresses/networks in unbound_allow_ips |
| {% for ip in unbound_allow_ips %} |
| access-control: {{ ip }} allow |
| {% endfor %} |
| {% endif %} |
| {% endif %} |
| |
| # listening interfaces (addresses Unbound binds to; which clients may query |
| # is governed by the access-control rules above, not by the bind address) |
| {% if unbound_listen_default %} |
| # listen on default IPv4 Address |
| interface: {{ ansible_default_ipv4.address }} |
| |
| {% endif %} |
| {% if unbound_listen_ips %} |
| # listen on specific IPs |
| {% for ip in unbound_listen_ips %} |
| interface: {{ ip | ipaddr('address') }} |
| {% endfor %} |
| |
| {% endif %} |
| # Answer NXDOMAIN for the Firefox canary domain so browsers that honour it |
| # disable their default DNS-over-HTTPS (DoH) and keep using this resolver, |
| # preserving the split-horizon zones below. This only signals browsers that |
| # check the canary; it does not block DoH in general. |
| # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https |
| # https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet |
| local-zone: "use-application-dns.net" always_nxdomain |
| |
| {% if dns_reverse_zones %} |
| # nodefault removes Unbound's built-in empty RFC1918 reverse zones for these |
| # networks, so their PTR lookups reach the stub-zones below instead of being |
| # answered NXDOMAIN locally; per dns_reverse_zones |
| {% for key, value in dns_reverse_zones.items() %} |
| local-zone: "{{ key | ipaddr('network') | unbound_revdns }}" nodefault |
| {% endfor %} |
| {% endif %} |
| {% if unbound_reverse_zones %} |
| # nodefault removes Unbound's built-in empty RFC1918 reverse zones for these |
| # networks, so their PTR lookups are resolved (via recursion or a matching |
| # forward-zone) instead of being answered NXDOMAIN locally; per unbound_reverse_zones |
| {% for urz in unbound_reverse_zones %} |
| local-zone: "{{ urz | ipaddr('network') | unbound_revdns }}" nodefault |
| {% endfor %} |
| {% endif %} |
| |
| # allow Unbound to send queries to loopback addresses, needed when |
| # unbound_authoritative_server_ip (the stub-addr below) is a loopback address. |
| # NOTE(review): this also lets a referral or forward-addr steer Unbound at any |
| # service on 127.0.0.0/8; keep the default 'yes' if the authoritative server is remote. |
| do-not-query-localhost: no |
| |
| # zone definitions |
| {% if dns_reverse_zones %} |
| # reverse zones created by dns_reverse_zones |
| {% for key, value in dns_reverse_zones.items() %} |
| stub-zone: |
| name: "{{ key | ipaddr('network') | unbound_revdns }}" |
| stub-addr: {{ unbound_authoritative_server_ip }} |
| |
| {% endfor %} |
| {% endif %} |
| {% if dns_forward_zones %} |
| # forward zones created by dns_forward_zones |
| {% for key, value in dns_forward_zones.items() %} |
| stub-zone: |
| name: "{{ key }}" |
| stub-addr: {{ unbound_authoritative_server_ip }} |
| |
| {% endfor %} |
| {% endif %} |
| |
| {% if unbound_forward_zones %} |
| # Forward zones created by: unbound_forward_zones (name defaults to ".", i.e. |
| # forward everything not covered by a more specific stub-zone). NOTE(review): |
| # forward-addr is plain DNS with no forward-tls-upstream set, so queries to |
| # these servers travel unencrypted. |
| {% for fz in unbound_forward_zones %} |
| forward-zone: |
| name: "{{ fz.name | default('.') }}" |
| {% for fza in fz.servers %} |
| forward-addr: {{ fza }} |
| {% endfor %} |
| {% endfor %} |
| {% endif %} |