# {{ ansible_managed }} server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes # Only log errors. verbosity: 0 log-servfail: yes logfile: "/var/log/unbound/unbound.log" do-ip4: yes do-ip6: yes # IP addresses on which to listen. # # Note: dns_host_suffix is dynamically set in this role's tasks, # and changes depending on whether we're handling the main or backup # recursive DNS node. # IPv4 interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} # IPv6 interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} # By default, anything other than localhost is refused. # Whitelist some subnets: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} private-address: 10.0.0.0/8 # The host cache TTL affects blacklisting of supposedly bogus hosts. # The default was 900 (15 minutes). infra-host-ttl: 60 # The following is vital, we were having issues # with DNSSEC that turned out to be due to UDP responses that were too # large. # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) edns-buffer-size: {{ mtu }} # Maximum UDP response size (not applied to TCP response). # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. max-udp-size: {{ mtu }}