ansible/roles/unbound/templates/recursive.conf.j2

# {{ ansible_managed }}

server:
    # Timestamps use UTC ASCII instead of UNIX epoch.
    log-time-ascii: yes

    # Only log errors.
    verbosity: 0
    log-servfail: yes

    logfile: "/var/log/unbound/unbound.log"

    do-ip4: yes
    do-ip6: yes

    # IP addresses on which to listen.
    #
    # Note: dns_host_suffix is dynamically set in this role's tasks,
    # and changes depending on whether we're handling the main or backup
    # recursive DNS node.
    
    # IPv4
    interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
    interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}


    # IPv6
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
    interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}

 
    # By default, anything other than localhost is refused.
    # Whitelist some subnets:
    access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
    access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
    access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)

    num-threads: {{ ansible_processor_vcpus }}

    private-address: 10.0.0.0/8

    # The host cache TTL affects blacklisting of supposedly bogus hosts.
    # The default was 900 (15 minutes).
    infra-host-ttl: 60


    # The following is vital, we were having issues
    # with DNSSEC that turned out to be due to UDP responses that were too
    # large.

    # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
    # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
    edns-buffer-size: {{ mtu }}

    # Maximum UDP response size (not applied to TCP response).
    # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
    max-udp-size: {{ mtu }}
unbound: log to /var/log/unbound.log, errors only 2020-04-18 15:42:31 +02:00			`# {{ ansible_managed }}`

unbound: initial deployment 2020-04-13 16:35:09 +02:00			`server:`
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00			`# Timestamps use UTC ASCII instead of UNIX epoch.`
unbound: initial deployment 2020-04-13 16:35:09 +02:00			`log-time-ascii: yes`
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00
unbound: log to /var/log/unbound.log, errors only 2020-04-18 15:42:31 +02:00			`# Only log errors.`
unbound: drop verbosity but log SERVFAILs TODO: less frequent log rotation because of decreased log volume 2020-05-02 18:06:58 +02:00			`verbosity: 0`
			`log-servfail: yes`
unbound: log to /var/log/unbound.log, errors only 2020-04-18 15:42:31 +02:00
unbound: smarter logging - stop using journald, write to /var/log/unbound/ - set up frequent log rotation for the huge log files we are producing 2020-05-02 16:49:33 +02:00			`logfile: "/var/log/unbound/unbound.log"`
unbound: log to journalctl 2020-04-18 16:23:57 +02:00
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00			`do-ip4: yes`
update unbound role for IPv6 2020-08-01 14:32:02 +02:00			`do-ip6: yes`
unbound: remove unchecked configuration keys 2020-04-13 18:24:45 +02:00
unbound: initial deployment 2020-04-13 16:35:09 +02:00			`# IP addresses on which to listen.`
update unbound role for IPv6 2020-08-01 14:32:02 +02:00			`#`
			`# Note: dns_host_suffix is dynamically set in this role's tasks,`
			`# and changes depending on whether we're handling the main or backup`
			`# recursive DNS node.`

			`# IPv4`
unbound: initial deployment 2020-04-13 16:35:09 +02:00			`interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}`
			`interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}`
			`interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}`
Resolve DNS for the accueil vlan Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 01:30:31 +01:00			`interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}`
unbound: initial deployment 2020-04-13 16:35:09 +02:00
update unbound role for IPv6 2020-08-01 14:32:02 +02:00
			`# IPv6`
			`interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}`
			`interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}`
			`interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}`
Resolve DNS for the accueil vlan Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 01:30:31 +01:00			`interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}`
update unbound role for IPv6 2020-08-01 14:32:02 +02:00
unbound: initial deployment 2020-04-13 16:35:09 +02:00
			`# By default, anything other than localhost is refused.`
			`# Whitelist some subnets:`
			`access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow`
			`access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow`
			`access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow`
Resolve DNS for the accueil vlan Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 01:30:31 +01:00			`access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow`
roll out (private) IPv6 on George Sand 2020-08-01 17:48:39 +02:00			`access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :)`
unbound: initial deployment 2020-04-13 16:35:09 +02:00
			`num-threads: {{ ansible_processor_vcpus }}`

			`private-address: 10.0.0.0/8`
unbound: attempt to fix spurious blacklisting 2020-04-28 23:14:43 +02:00
			`# The host cache TTL affects blacklisting of supposedly bogus hosts.`
			`# The default was 900 (15 minutes).`
			`infra-host-ttl: 60`


unbound: fix MTU settings That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state. 2020-05-02 18:44:17 +02:00			`# The following is vital, we were having issues`
			`# with DNSSEC that turned out to be due to UDP responses that were too`
			`# large.`
unbound: attempt to fix spurious blacklisting 2020-04-28 23:14:43 +02:00
unbound: fix MTU settings That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state. 2020-05-02 18:44:17 +02:00			`# EDNS reassembly buffer to advertise to UDP peers (the actual buffer`
			`# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)`
			`edns-buffer-size: {{ mtu }}`
unbound: attempt to fix spurious blacklisting 2020-04-28 23:14:43 +02:00
unbound: fix MTU settings That was the root cause of all our DNSSEC issues. Now that this was fixed, we're not having these anymore, so the relaxed checks can be restored back to their original state. 2020-05-02 18:44:17 +02:00			`# Maximum UDP response size (not applied to TCP response).`
			`# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.`
			`max-udp-size: {{ mtu }}`