Blame - roles/dns-unbound/templates/unbound.conf.j2 - platform-install

blob: 59c44e94b93b67a18d03f1c2bdcae764473e7d7f [file] [log] [blame]

Matteo Scandolo	3896c47	2017-08-01 13:31:42 -0700	[diff] [blame]	1
				2	{#
				3	Copyright 2017-present Open Networking Foundation
				4
				5	Licensed under the Apache License, Version 2.0 (the "License");
				6	you may not use this file except in compliance with the License.
				7	You may obtain a copy of the License at
				8
				9	http://www.apache.org/licenses/LICENSE-2.0
				10
				11	Unless required by applicable law or agreed to in writing, software
				12	distributed under the License is distributed on an "AS IS" BASIS,
				13	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				14	See the License for the specific language governing permissions and
				15	limitations under the License.
				16	#}
				17
				18
Zack Williams	99adf6b	2016-03-14 17:01:08 -0700	[diff] [blame]	19	# unbound.conf (configured by Ansible)
				20
				21	server:
Zack Williams	c59b6b2	2016-04-11 12:49:10 -0700	[diff] [blame]	22	{% if unbound_listen_on_default %}
				23	interface: {{ ansible_default_ipv4.address }}
				24	{% endif %}
				25	{% if unbound_interfaces is defined %}
				26	{% for cidr_ipv4 in unbound_interfaces %}
Zack Williams	99adf6b	2016-03-14 17:01:08 -0700	[diff] [blame]	27	interface: {{ cidr_ipv4 \| ipaddr('address') }}
Zack Williams	c59b6b2	2016-04-11 12:49:10 -0700	[diff] [blame]	28	{% endfor %}
				29	{% endif %}
Zack Williams	99adf6b	2016-03-14 17:01:08 -0700	[diff] [blame]	30	verbosity: 1
				31	port: 53
				32	do-ip4: yes
				33	do-udp: yes
				34	do-tcp: yes
				35
				36	# allow from localhost
				37	access-control: 127.0.0.0/24 allow
				38
Zack Williams	ba5549c	2017-03-25 15:04:45 -0700	[diff] [blame]	39	{% if unbound_listen_all %}
				40	# allow from everywhere
				41	access-control: 0.0.0.0/0 allow
				42	{% endif %}
				43
Zack Williams	c59b6b2	2016-04-11 12:49:10 -0700	[diff] [blame]	44	{% if unbound_listen_on_default %}
				45	# allow from default interfaces
				46	access-control: {{ ansible_default_ipv4.address }}/{{ (ansible_default_ipv4.address ~ "/" ~ ansible_default_ipv4.netmask) \| ipaddr('prefix') }} allow
				47	{% endif %}
				48
				49	{% if unbound_interfaces is defined %}
Zack Williams	99adf6b	2016-03-14 17:01:08 -0700	[diff] [blame]	50	# allow from local networks
Zack Williams	c59b6b2	2016-04-11 12:49:10 -0700	[diff] [blame]	51	{% for cidr_ipv4 in unbound_interfaces %}
Zack Williams	ba5549c	2017-03-25 15:04:45 -0700	[diff] [blame]	52	access-control: {{ cidr_ipv4 \| ipaddr('0') }} allow
Zack Williams	c59b6b2	2016-04-11 12:49:10 -0700	[diff] [blame]	53	{% endfor %}
				54	{% endif %}
Zack Williams	99adf6b	2016-03-14 17:01:08 -0700	[diff] [blame]	55
				56	{% if nsd_zones is defined %}
				57	# allow unbound to query localhost, where nsd is listening
				58	do-not-query-localhost: no
				59
				60	# allow reverse queries for RFC1918 addresses
				61	{% for zone in nsd_zones %}
				62	local-zone: "{{ zone.name_reverse_unbound }}." nodefault
				63	{% endfor %}
				64
				65	# stub-zones zones that nsd is serving
				66	{% for zone in nsd_zones %}
				67	stub-zone:
				68	name: "{{ zone.name }}"
				69	stub-addr: {{ nsd_ip \| default("127.0.0.1") }}
				70
				71	stub-zone:
				72	name: "{{ zone.name_reverse_unbound }}."
				73	stub-addr: {{ nsd_ip \| default("127.0.0.1") }}
				74
				75	{% endfor %}
				76	{% endif %}
				77