templates/unbound.conf.j2

# unbound templates/unbound.conf.j2 - {{ ansible_managed }}
# docs: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf
{#
SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
SPDX-License-Identifier: Apache-2.0
#}

# general config
server:
  port: 53
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes

  # logging
  verbosity: 1

  # caching overrides
  # Cache SERVFAIL for less time (normally 900s)
  infra-host-ttl: 10
{% if ansible_distribution_version != "18.04" %}
  # keep probing failed hosts, in case of network issues
  infra-keep-probing: yes
{% endif %}
  # Maximum TTL on NXDOMAIN queries (normally set by upstream)
  cache-max-negative-ttl: 60

  # RFC7816 query name minimization
  qname-minimisation: yes

  # access control
{% if unbound_allow_all %}
  # allow queries from everywhere
  access-control: 0.0.0.0/0 allow
{% else %}
  # allow queries from localhost
  access-control: 127.0.0.0/24 allow
{% if unbound_allow_ips %}
  # listen on specific IPs
{% for ip in unbound_allow_ips %}
  access-control: {{ ip }} allow
{% endfor %}
{% endif %}
{% endif %}

  # listening interfaces
{% if unbound_listen_default %}
  # listen on default IPv4 Address
  interface: {{ ansible_default_ipv4.address }}

{% endif %}
{% if unbound_listen_ips %}
  # listen on specific IPs
{% for ip in unbound_listen_ips %}
  interface: {{ ip | ipaddr('address') }}
{% endfor %}

{% endif %}
  # disable DNS-over-HTTP (DoH) as it breaks split horizon
  # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
  # https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
  local-zone: "use-application-dns.net" always_nxdomain

{% if dns_reverse_zones %}
  # allow reverse queries for RFC1918 addresses, per dns_reverse_zones
  {% for key, value in dns_reverse_zones.items() %}
  local-zone: "{{ key | ipaddr('network') | unbound_revdns }}" nodefault
  {% endfor %}
{% endif %}
{% if unbound_reverse_zones %}
  # allow reverse queries for RFC1918 addresses, per unbound_reverse_zones
  {% for urz in unbound_reverse_zones %}
  local-zone: "{{ urz | ipaddr('network') | unbound_revdns }}" nodefault
  {% endfor %}
{% endif %}

# allow unbound to query localhost, where authoritative DNS might be listening
do-not-query-localhost: no

# zone definitions
{% if dns_reverse_zones %}
# reverse zones created by dns_reverse_zones
{% for key, value in dns_reverse_zones.items() %}
stub-zone:
  name: "{{ key | ipaddr('network') | unbound_revdns }}"
  stub-addr: {{ unbound_authoritative_server_ip }}

{% endfor %}
{% endif %}
{% if dns_forward_zones %}
# forward zones created by dns_forward_zones
{% for key, value in dns_forward_zones.items() %}
stub-zone:
  name: "{{ key }}"
  stub-addr: {{ unbound_authoritative_server_ip }}

{% endfor %}
{% endif %}

{% if unbound_forward_zones %}
# Forward zones created by: unbound_forward_zones
{% for fz in unbound_forward_zones %}
forward-zone:
  name: "{{ fz.name | default('.') }}"
{% for fza in fz.servers %}
  forward-addr: {{ fza }}
{% endfor %}
{% endfor %}
{% endif %}