| Zack Williams | 142f2b5 | 2020-11-22 19:35:44 -0700 | [diff] [blame^] | 1 | # unbound templates/unbound.conf.j2 - {{ ansible_managed }} |
| 2 | {# |
| 3 | SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| 4 | SPDX-License-Identifier: Apache-2.0 |
| 5 | #} |
| 6 | |
| 7 | # general config |
| 8 | server: |
| 9 | port: 53 |
| 10 | do-ip4: yes |
| 11 | do-ip6: no |
| 12 | do-udp: yes |
| 13 | do-tcp: yes |
| 14 | |
| 15 | # logging |
| 16 | verbosity: 1 |
| 17 | |
| 18 | # RFC7816 query name minimization |
| 19 | qname-minimisation: yes |
| 20 | |
| 21 | # access control |
| 22 | {% if unbound_allow_all %} |
| 23 | # allow queries from everywhere |
| 24 | access-control: 0.0.0.0/0 allow |
| 25 | {% else %} |
| 26 | # allow queries from localhost |
| 27 | access-control: 127.0.0.0/24 allow |
| 28 | {% if unbound_allow_zone_ips and dns_zones %} |
| 29 | # allow from networks defined in zones |
| 30 | {% for key, value in dns_zones.items() %} |
| 31 | access-control: {{ value.ip_range }} allow |
| 32 | {% endfor %} |
| 33 | {% endif %} |
| 34 | {% if unbound_allow_ips %} |
| 35 | # listen on specific IPs |
| 36 | {% for ip in unbound_allow_ips %} |
| 37 | interface: {{ ip }} allow |
| 38 | {% endfor %} |
| 39 | {% endif %} |
| 40 | {% endif %} |
| 41 | |
| 42 | # listening interfaces |
| 43 | {% if unbound_listen_default %} |
| 44 | # listen on default IPv4 Address |
| 45 | interface: {{ ansible_default_ipv4.address }} |
| 46 | |
| 47 | {% endif %} |
| 48 | {% if unbound_listen_zone_ips and dns_zones %} |
| 49 | {% for key, value in dns_zones.items() %} |
| 50 | # listen on IPs defined by dns_zones: {{ key }} |
| 51 | interface: {{ value.ip_range | ipaddr('next_usable') | ipaddr('address') }} |
| 52 | {% endfor %} |
| 53 | |
| 54 | {% endif %} |
| 55 | {% if unbound_listen_ips %} |
| 56 | # listen on specific IPs |
| 57 | {% for ip in unbound_listen_ips %} |
| 58 | interface: {{ ip | ipaddr('address') }} |
| 59 | {% endfor %} |
| 60 | |
| 61 | {% endif %} |
| 62 | # allow unbound to query localhost, where authoritative DNS might be listening |
| 63 | do-not-query-localhost: no |
| 64 | |
| 65 | # disable DNS-over-HTTP (DoH) as it breaks split horizon |
| 66 | # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https |
| 67 | # https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet |
| 68 | local-zone: "use-application-dns.net" always_nxdomain |
| 69 | |
| 70 | {% if dns_zones %} |
| 71 | # allow reverse queries for RFC1918 addresses |
| 72 | {% for key, value in dns_zones.items() %} |
| 73 | local-zone: "{{ value.ip_range | unbound_revdns }}" nodefault |
| 74 | |
| 75 | {% endfor %} |
| 76 | |
| 77 | # stub-zones zones that authoritative DNS is serving |
| 78 | {% for key, value in dns_zones.items() %} |
| 79 | stub-zone: |
| 80 | name: "{{ key }}" |
| 81 | stub-addr: {{ unbound_authoritative_server_ip }} |
| 82 | |
| 83 | stub-zone: |
| 84 | name: "{{ value.ip_range | unbound_revdns }}" |
| 85 | stub-addr: {{ unbound_authoritative_server_ip }} |
| 86 | |
| 87 | {% endfor %} |
| 88 | {% endif %} |