ansible/roles/unbound/templates/recursive.conf.j2
Yohann D'ANELLO 5a09b77070
Resolve DNS for the accueil vlan
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-02-05 20:38:49 +01:00


# {{ ansible_managed }}
# Unbound recursive-resolver configuration, rendered as a Jinja2 template by
# the unbound role. Every {{ ... }} variable below must be supplied by the
# role or the inventory; an undefined one makes the template render fail.
server:
# Timestamps use UTC ASCII instead of UNIX epoch.
log-time-ascii: yes
# Only log errors.
verbosity: 0
# Still log why a query was answered SERVFAIL, which is the useful signal
# when chasing DNSSEC/upstream failures at verbosity 0.
log-servfail: yes
logfile: "/var/log/unbound/unbound.log"
# Serve both address families.
do-ip4: yes
do-ip6: yes
# IP addresses on which to listen.
#
# Note: dns_host_suffix is dynamically set in this role's tasks,
# and changes depending on whether we're handling the main or backup
# recursive DNS node.
#
# One listener per served VLAN. The same VLANs are whitelisted in the
# access-control rules further down, so adding a VLAN means adding both an
# interface line here and an access-control line there.
# IPv4
interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }}
# IPv6
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }}
interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }}
# By default, anything other than localhost is refused.
# Whitelist some subnets:
# IPv4: one /16 per served VLAN, matching the interface list above.
access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow
# IPv6: the whole site prefix (/32) is allowed, not just the four per-VLAN
# subnets the resolver listens on above, so this rule is broader than the
# IPv4 ones. NOTE(review): if the resolver is meant only for those VLANs,
# consider one allow per served subnet, mirroring the IPv4 rules — confirm
# whether the /32 breadth is intended.
access-control: {{ ipv6_base_prefix }}::/32 allow # whole site prefix, see note above
# One worker thread per vCPU of the host.
num-threads: {{ ansible_processor_vcpus }}
# Unbound's rebinding protection: addresses in this range are stripped from
# answers coming from the public internet.
private-address: 10.0.0.0/8
# The host cache TTL affects blacklisting of supposedly bogus hosts.
# The default was 900 (15 minutes).
infra-host-ttl: 60
# The following is vital, we were having issues
# with DNSSEC that turned out to be due to UDP responses that were too
# large.
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
# NOTE(review): mtu is presumably the link MTU, which still includes the
# IP and UDP headers (the 1472 above is 1500 - 20 - 8 for IPv4; IPv6 costs
# 48 bytes). Advertising the full MTU as the EDNS payload may therefore
# still produce fragmented responses — confirm the intended value.
edns-buffer-size: {{ mtu }}
# Maximum UDP response size (not applied to TCP response).
# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
max-udp-size: {{ mtu }}