unbound. More options, support the 'private-address' and 'private-domain' directives.

2020-06-12 16:01:35 +02:00 · 2020-06-12 16:01:35 +02:00 · 39b1aca883
parent 6670669002
commit 39b1aca883
3 changed files with 28 additions and 1 deletions
--- a/library/roles/unbound-resolver/defaults/main.yml
+++ b/library/roles/unbound-resolver/defaults/main.yml
@ -32,6 +32,8 @@ unbound_num_queries_per_thread: 4096

 unbound_max_negative_ttl: 3600

+unbound_private_addresses: []
+unbound_private_domains: []
 # Stub zones
 # One of stub_host or stub_addr must be defined
 # stub_prime and stub_first are both optional, default 'yes'
--- a/library/roles/unbound-resolver/tasks/main.yml
+++ b/library/roles/unbound-resolver/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - block:
  - name: Install the unbound resolver packages
-    apt: pkg={{ unbound_pkgs }} state=latest cache_valid_time=1800 update_cache=yes
+    apt: pkg={{ unbound_pkgs }} state=present cache_valid_time=1800 update_cache=yes

  - name: Install the unbound config files
    template: src={{ item }} dest=/etc/unbound/unbound.conf.d/{{ item }}
@ -9,6 +9,7 @@
      - unbound-server.conf
      - unbound-remote-control.conf
    notify: Restart unbound
+    tags: [ 'unbound', 'unbound_conf' ]
  
  - name: On bionic, stop systemd-resolvd because it interferes
    service: name=systemd-resolved state=stopped enabled=no
--- a/library/roles/unbound-resolver/templates/unbound-server.conf
+++ b/library/roles/unbound-resolver/templates/unbound-server.conf
@ -40,11 +40,35 @@ server:
        # with libevent
        outgoing-range: {{ unbound_outgoing_range }}
        num-queries-per-thread:  {{ unbound_num_queries_per_thread }}
+        hide-identity: yes
+        hide-version: yes
+        harden-short-bufsize: yes
+        harden-large-queries: yes
+        harden-glue: yes
+        harden-dnssec-stripped: yes
+        harden-below-nxdomain: yes
+        harden-algo-downgrade: yes
+        qname-minimisation: yes
+        use-caps-for-id: yes
+        unwanted-reply-threshold: 10000
+        do-not-query-localhost: no
+        prefetch: yes
+        rrset-roundrobin: yes
+        minimal-responses: yes
+        val-clean-additional: yes
+        #
 {% if ansible_service_mgr == 'systemd' %}
        use-systemd: yes
        do-daemonize: no
 {% endif %}

+{% for cidr in unbound_private_addresses %}
+        private-address: {{ cidr }}
+{% endfor %}
+{% for dom in unbound_private_domains %}
+        private-domain: {{ dom }}
+{% endfor %}
+
 {% if unbound_stub_zones is defined %}
 {% for zone in unbound_stub_zones %}
 stub-zone: