roles/dns-unbound/templates/unbound.conf.j2

# created by dns-unbound/templates/unbound.conf.j2
{#
Copyright 2017-present Open Networking Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}

server:
{% if unbound_listen_on_default %}
  # created by unbound_listen_on_default
  interface: {{ ansible_default_ipv4.address }}
{% endif %}
{% if unbound_listen_zones %}
{% for zone in nsd_zones %}
  # created by nsd_zones: {{ zone.name }}
  interface: {{ zone.cidr | ipaddr('1') | ipaddr('address') }}
{% endfor %}
{% endif %}
  verbosity: 1
  port: 53
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes

  # allow from localhost
  access-control: 127.0.0.0/24 allow

{% if unbound_listen_all %}
  # allow from everywhere
  access-control: 0.0.0.0/0 allow
{% endif %}

{% if nsd_zones %}
  # allow from networks defined in zones
{% for zone in nsd_zones %}
  access-control: {{ zone.cidr | ipaddr('0') }} allow
{% endfor %}

# allow unbound to query localhost, where nsd is listening
do-not-query-localhost: no

# allow reverse queries for RFC1918 addresses
{% for zone in nsd_zones %}
local-zone: "{{ zone.cidr | unbound_revdns }}" nodefault
{% endfor %}

# stub-zones zones that nsd is serving
{% for zone in nsd_zones %}
stub-zone:
  name: "{{ zone.name }}"
  stub-addr: {{ nsd_ip }}

stub-zone:
  name: "{{ zone.cidr | unbound_revdns }}"
  stub-addr: {{ nsd_ip }}

{% endfor %}
{% endif %}