diff --git a/library/roles/unbound-resolver/defaults/main.yml b/library/roles/unbound-resolver/defaults/main.yml index 00eb531..7987ae2 100644 --- a/library/roles/unbound-resolver/defaults/main.yml +++ b/library/roles/unbound-resolver/defaults/main.yml @@ -32,6 +32,8 @@ unbound_num_queries_per_thread: 4096 unbound_max_negative_ttl: 3600 +unbound_private_addresses: [] +unbound_private_domains: [] # Stub zones # One of stub_host or stub_addr must be defined # stub_prime and stub_first are both optional, default 'yes' diff --git a/library/roles/unbound-resolver/tasks/main.yml b/library/roles/unbound-resolver/tasks/main.yml index d41a2b1..daa192c 100644 --- a/library/roles/unbound-resolver/tasks/main.yml +++ b/library/roles/unbound-resolver/tasks/main.yml @@ -1,7 +1,7 @@ --- - block: - name: Install the unbound resolver packages - apt: pkg={{ unbound_pkgs }} state=latest cache_valid_time=1800 update_cache=yes + apt: pkg={{ unbound_pkgs }} state=present cache_valid_time=1800 update_cache=yes - name: Install the unbound config files template: src={{ item }} dest=/etc/unbound/unbound.conf.d/{{ item }} @@ -9,6 +9,7 @@ - unbound-server.conf - unbound-remote-control.conf notify: Restart unbound + tags: [ 'unbound', 'unbound_conf' ] - name: On bionic, stop systemd-resolvd because it interferes service: name=systemd-resolved state=stopped enabled=no diff --git a/library/roles/unbound-resolver/templates/unbound-server.conf b/library/roles/unbound-resolver/templates/unbound-server.conf index 251d453..910cf0f 100644 --- a/library/roles/unbound-resolver/templates/unbound-server.conf +++ b/library/roles/unbound-resolver/templates/unbound-server.conf @@ -40,11 +40,35 @@ server: # with libevent outgoing-range: {{ unbound_outgoing_range }} num-queries-per-thread: {{ unbound_num_queries_per_thread }} + hide-identity: yes + hide-version: yes + harden-short-bufsize: yes + harden-large-queries: yes + harden-glue: yes + harden-dnssec-stripped: yes + harden-below-nxdomain: yes + harden-algo-downgrade: yes + qname-minimisation: yes + use-caps-for-id: yes + unwanted-reply-threshold: 10000 + do-not-query-localhost: no + prefetch: yes + rrset-roundrobin: yes + minimal-responses: yes + val-clean-additional: yes + # {% if ansible_service_mgr == 'systemd' %} use-systemd: yes do-daemonize: no {% endif %} +{% for cidr in unbound_private_addresses %} + private-address: {{ cidr }} +{% endfor %} +{% for dom in unbound_private_domains %} + private-domain: {{ dom }} +{% endfor %} + {% if unbound_stub_zones is defined %} {% for zone in unbound_stub_zones %} stub-zone: