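# unbound templates/unbound.conf.j2 - {{ ansible_managed }}
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0

Renders an unbound.conf consisting of one "server:" clause followed by
"stub-zone:" and "forward-zone:" clauses.

Inputs (Ansible variables used below):
  access control   - unbound_allow_all, unbound_allow_zone_ips, unbound_allow_ips
  listen addresses - unbound_listen_default, unbound_listen_zone_ips, unbound_listen_ips
  zones            - dns_forward_zones, dns_reverse_zones, unbound_reverse_zones,
                     unbound_forward_zones, unbound_authoritative_server_ip

unbound ignores indentation: every option after "server:" belongs to that
clause until the next clause keyword, so the leading space is cosmetic.
#}

# general config
server:
 port: 53
 do-ip4: yes
 do-ip6: no
 do-udp: yes
 do-tcp: yes

 # logging
 verbosity: 1

 # RFC7816 query name minimization
 qname-minimisation: yes

 # access control
{% if unbound_allow_all %}
 # allow queries from everywhere. This makes unbound an open resolver
 # (reachable for DNS amplification), so only use it behind a network
 # ACL/firewall that restricts who can reach port 53.
 access-control: 0.0.0.0/0 allow
{% else %}
 # allow queries from localhost
 access-control: 127.0.0.0/24 allow
{% if unbound_allow_zone_ips and dns_forward_zones %}
 # allow from networks defined in zones (value.ip_range of each forward zone)
{% for key, value in dns_forward_zones.items() %}
 access-control: {{ value.ip_range }} allow
{% endfor %}
{% endif %}
{% if unbound_allow_ips %}
 # allow queries from specific IPs/netblocks (unbound_allow_ips).
 # "interface:" takes one address and no action keyword, so granting
 # these clients access is done with access-control, not interface.
{% for ip in unbound_allow_ips %}
 access-control: {{ ip }} allow
{% endfor %}
{% endif %}
{% endif %}

 # listening interfaces
{% if unbound_listen_default %}
 # listen on default IPv4 Address
 interface: {{ ansible_default_ipv4.address }}

{% endif %}
{% if unbound_listen_zone_ips and dns_forward_zones %}
{% for key, value in dns_forward_zones.items() %}
{# first usable address of the zone's range; only listen on it if this host owns it #}
{% set if_ip = value.ip_range | ipaddr('next_usable') | ipaddr('address') %}
{% if if_ip in ansible_all_ipv4_addresses %}
 # listen on IPs defined by dns_forward_zones: {{ key }}
 interface: {{ if_ip }}

{% endif %}
{% endfor %}
{% endif %}
{% if unbound_listen_ips %}
 # listen on specific IPs
{% for ip in unbound_listen_ips %}
 interface: {{ ip | ipaddr('address') }}

{% endfor %}
{% endif %}
 # disable DNS-over-HTTP (DoH) as it breaks split horizon
 # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
 # https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
 local-zone: "use-application-dns.net" always_nxdomain

{% if dns_reverse_zones %}
 # allow reverse queries for RFC1918 addresses, per dns_reverse_zones
{% for key, value in dns_reverse_zones.items() %}
 local-zone: "{{ key | ipaddr('network') | unbound_revdns }}" nodefault
{% endfor %}
{% endif %}
{% if unbound_reverse_zones %}
 # allow reverse queries for RFC1918 addresses, per unbound_reverse_zones
{% for urz in unbound_reverse_zones %}
 local-zone: "{{ urz | ipaddr('network') | unbound_revdns }}" nodefault
{% endfor %}
{% endif %}

 # allow unbound to query localhost, where authoritative DNS might be listening
 # (still part of the server: clause; see header note on indentation)
 do-not-query-localhost: no

# zone definitions
{% if dns_reverse_zones %}
# reverse zones created by dns_reverse_zones
{% for key, value in dns_reverse_zones.items() %}
stub-zone:
 name: "{{ key | ipaddr('network') | unbound_revdns }}"
 stub-addr: {{ unbound_authoritative_server_ip }}

{% endfor %}
{% endif %}
{% if dns_forward_zones %}
# forward zones created by dns_forward_zones
{% for key, value in dns_forward_zones.items() %}
stub-zone:
 name: "{{ key }}"
 stub-addr: {{ unbound_authoritative_server_ip }}

{% endfor %}
{% endif %}

{% if unbound_forward_zones %}
# Forward zones created by: unbound_forward_zones
# each entry: { name: <zone, defaults to "." (everything)>, servers: [<addr>, ...] }
{% for fz in unbound_forward_zones %}
forward-zone:
 name: "{{ fz.name | default('.') }}"
{% for fza in fz.servers %}
 forward-addr: {{ fza }}
{% endfor %}
{% endfor %}
{% endif %}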