commit ce738c3441a2b4a7802578b0a3794a5ab45ae516
Author: Raoul
Date: Sat Mar 10 19:18:04 2018 +0100
Role for unbound dns resolver
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/files/snippets/private-addresses.conf b/files/snippets/private-addresses.conf
new file mode 100644
index 0000000..f164fab
--- /dev/null
+++ b/files/snippets/private-addresses.conf
@@ -0,0 +1,31 @@
+server:
+ # Give IPv4 of IPv6 addresses or classless subnets. These are addresses on your private network,
+ # and are not allowed to be returned for public internet names. Any occurrence of such addresses
+ # are removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus.
+ # This protects against so-called DNS Rebinding.
+
+ # localhost
+ private-address: 127.0.0.0/8
+
+ # private IPv4 address spaces (rfc 1918)
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+
+ # carrier-grade NAT (rfc 6598)
+ private-address: 100.64.0.0/10
+
+ # link-local addresses
+ private-address: 169.254.0.0/16
+
+ # localhost
+ private-address: ::/128
+
+ # unique local addresses (rfc 4193)
+ private-address: fd00::/8
+
+ # link-local addresses (rfc 4862, 4291)
+ private-address: fe80::/10
+
+ # IPv4-mapped addresses (rfc 4291)
+ private-address: ::ffff:0:0/96
diff --git a/files/snippets/qname-minimisation.conf b/files/snippets/qname-minimisation.conf
new file mode 100644
index 0000000..177bb78
--- /dev/null
+++ b/files/snippets/qname-minimisation.conf
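Review bot: Any internal zone whose records legitimately resolve to the RFC 1918, CGN or ULA ranges listed here will have those answers stripped (and possibly marked bogus) unless that zone is also declared with `private-domain:`; the snippet gives no hint of this, so add a comment such as `# names that are expected to resolve to these ranges must be listed with private-domain: "<internal zone>"` (placeholder zone). The first comment line also has a typo and should read `# Give IPv4 or IPv6 addresses or classless subnets.`. Whether this role's hosts use such split-horizon names cannot be told from the commit, so the comment is the minimum.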
@@ -0,0 +1,13 @@
+server:
+ # Send minimum amount of information to upstream servers to enhance
+ # privacy. Only sends minimum required labels of the QNAME and sets
+ # QTYPE to NS when possible.
+
+ # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
+ # details.
+
+ qname-minimisation: yes
+
+ # Do not fall-back to sending full QNAME to potentially broken nameservers.
+ # A lot of domains will not be resolvable when this option in enabled.
+ #qname-minimisation-strict: yes
diff --git a/files/snippets/root-auto-trust-anchor-file.conf b/files/snippets/root-auto-trust-anchor-file.conf
new file mode 100644
index 0000000..c0cec38
--- /dev/null
+++ b/files/snippets/root-auto-trust-anchor-file.conf
@@ -0,0 +1,4 @@
+server:
+ # Perform cryptographic DNSSEC validation using the root trust anchor.
+ # File with trust anchor for one zone, which is tracked with RFC5011 probes.
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
diff --git a/files/unbound.conf b/files/unbound.conf
new file mode 100644
index 0000000..39a163c
--- /dev/null
+++ b/files/unbound.conf
@@ -0,0 +1,21 @@
+include: "/etc/unbound/unbound.conf.d/*.conf"
+
+remote-control:
+ control-enable: no
+
+server:
+ # listen on local network, allow local network access
+ interface: 127.0.0.1
+ interface: ::1
+ access-control: 127.0.0.1 allow
+ access-control: ::1 allow
+
+ chroot: ""
+
+ # logging
+ log-time-ascii: yes
+ log-queries: no
+ verbosity: 1
+
+ hide-identity: yes
+ hide-version: yes
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..91239c1
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart unbound
+ service:
+ name: unbound
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..8d3cc9d
--- /dev/null
+++ b/tasks/main.yml
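Review bot: The last comment line of the qname-minimisation snippet has a typo and should read `# A lot of domains will not be resolvable when this option is enabled.`. Unbound refuses to start on a configuration keyword it does not know, and both `qname-minimisation` and `qname-minimisation-strict` only exist from the releases that introduced QNAME minimisation, so the role should state the minimum Unbound version it targets (README or a comment at the top of the snippet) rather than leave the failure to surface as a parse error at restart time.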
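Review bot: `auto-trust-anchor-file: "/var/lib/unbound/root.key"` depends on that file existing before the first start and on the unbound service user being able to write it, because RFC 5011 tracking rewrites the anchor on key rollover; nothing in this commit creates or initialises it. The apt task suggests a Debian-family target where the package presumably seeds the anchor, but that assumption is not written down anywhere — add `# the unbound service user must be able to write this file (RFC 5011 rollover); seeded by the distribution package` (to be confirmed) above the option, or add a task that initialises the anchor. Note the path is absolute and so also relies on `chroot: ""` in files/unbound.conf.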
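Review bot: The comment `# listen on local network, allow local network access` in files/unbound.conf is misleading: the `interface` and `access-control` lines bind and allow only the loopback addresses, so the resolver serves this host only and every other source is refused by default; change it to `# listen on loopback only; queries from any other address are refused`. `chroot: ""` turns off Unbound's chroot with no explanation — if it is required so that the absolute paths in `include:` and the trust-anchor snippet resolve as written, say so inline (`# chroot disabled: include/anchor paths are absolute`), otherwise leave the build default in place. With `control-enable: no`, `unbound-control reload` is unavailable, which is consistent with the handler doing a full restart but worth a comment so nobody later expects a graceful reload.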
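Review bot: The `restart unbound` handler restarts the daemon without validating the merged configuration, so a broken snippet leaves the host without a resolver instead of failing the play. Run `unbound-checkconf` before the restart: the simplest form is `validate: 'unbound-checkconf %s'` on the copy of the main configuration in tasks/main.yml (the temp file still carries the `include:` glob, so the snippets are checked too, provided the check can read that directory), or a `command: unbound-checkconf` task that runs before the handler is flushed.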
@@ -0,0 +1,29 @@
+---
+- name: Install unbound
+ apt:
+ pkg: '{{ item }}'
+ state: 'latest'
+ update_cache: yes
+ cache_valid_time: 43200
+ with_items:
+ - unbound
+
+- name: Copy unbound configuration snippets
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/unbound/unbound.conf.d/'
+ owner: root
+ group: root
+ mode: 'u=rw,g=r,o=r'
+ with_fileglob:
+ - 'files/snippets/*.conf'
+
+- name: Copy main unbound configuration
+ copy:
+ src: 'unbound.conf'
+ dest: '/etc/unbound/unbound.conf'
+ owner: root
+ group: root
+ mode: 'u=rw,g=r,o=r'
+ notify:
+ - restart unbound
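Review bot: The `Copy unbound configuration snippets` task has no `notify`, so a changed snippet under `/etc/unbound/unbound.conf.d/` is written to disk but never applied until something else happens to trigger the `restart unbound` handler; add `notify:` with `- restart unbound` to it, exactly as the main-configuration task already does. `state: 'latest'` on the apt task also upgrades the package on every run, which couples a configuration run to an unplanned daemon upgrade; `state: present` is the usual choice unless upgrades are intended, in which case a comment should say so. `update_cache: yes` should be written `update_cache: true` to match Ansible's boolean convention.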