diff options
author | Aaron LI <aly@aaronly.me> | 2018-02-21 11:51:44 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2018-02-21 11:51:44 +0800 |
commit | bc59213a33e609f177093a8e955f44b3999c8b56 (patch) | |
tree | 9a1e3af3bdb40d72b5bb8f9f2e6ed82632d44435 /roles/dns | |
parent | 5cc888e1c9384ae4f0a6f71718ab2acc97c0269d (diff) | |
download | ansible-dfly-vps-bc59213a33e609f177093a8e955f44b3999c8b56.tar.bz2 |
Add role dns to setup unbound service
Diffstat (limited to 'roles/dns')
-rw-r--r-- | roles/dns/files/resolv.conf | 13 | ||||
-rw-r--r-- | roles/dns/files/unbound.conf | 165 | ||||
-rw-r--r-- | roles/dns/tasks/main.yml | 35 |
3 files changed, 213 insertions, 0 deletions
diff --git a/roles/dns/files/resolv.conf b/roles/dns/files/resolv.conf new file mode 100644 index 0000000..9c9a0be --- /dev/null +++ b/roles/dns/files/resolv.conf @@ -0,0 +1,13 @@ +# +# /etc/resolv.conf +# DragonFly BSD +# +# Aaron LI +# + +# Increase timeout to 30 seconds (default: 5 seconds) +options timeout:30 + +# Local DNS (recursive resolver) by "unbound" +nameserver 127.0.0.1 +#nameserver ::1 diff --git a/roles/dns/files/unbound.conf b/roles/dns/files/unbound.conf new file mode 100644 index 0000000..18e3ae6 --- /dev/null +++ b/roles/dns/files/unbound.conf @@ -0,0 +1,165 @@ +# +# /usr/local/etc/unbound/unbound.conf +# See unbound.conf(5) +# +# References +# ---------- +# [1] Unbound setting up a secure local DNS server +# https://superuser.com/a/1123357/731908 +# [2] Unbound DNS Server Tutorial +# https://calomel.org/unbound_dns.html +# [3] How to enable DNSSEC +# https://www.unbound.net/documentation/howto_anchor.html +# [4] List of Public DNS Servers +# https://wiki.ipfire.org/dns/public-servers +# +# +# Aaron LI +# + +# NOTE: +# Configure `unbound` to be a recursive DNS resolver with local cache, +# instead of forwarding the queries to an upstream DNS resolver (e.g., +# DNS.WATCH, Google Public DNS), in order to work well with the DNSBL +# services (e.g., spamhaus.org) used by Postfix. + +server: + # Specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # Specify 0.0.0.0 and ::0 to bind to all available interfaces. + # Specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + interface: 127.0.0.1 + interface: ::1 + + # Control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # + # Actions: + # * deny (drop message) + # * refuse (polite error reply) + # * allow (recursive ok) + # * allow_snoop (recursive and nonrecursive ok), e.g., "dig +trace" + # * deny_non_local (drop queries unless can be answered from local-data) + # * refuse_non_local (like deny_non_local but polite error reply) + # + # access-control: 0.0.0.0/0 refuse + # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + # + access-control: 127.0.0.0/8 allow_snoop + access-control: ::1 allow_snoop + + # Print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + statistics-interval: 7200 + + # Enable or disable whether IPv4 queries are answered or issued. + # Default: yes + do-ip4: yes + + # Enable or disable whether IPv6 queries are answered or issued. + do-ip6: yes + + # Whether prefer IPv6 transport for sending queries? + # Default: no + #prefer-ip6: no + + # Enable or disable whether UDP queries are answered or issued. + # Default: yes + do-udp: yes + + # Enable or disable whether TCP queries are answered or issued. + # Default: yes + do-tcp: yes + + # Enable to not answer id.server and hostname.bind queries. + hide-identity: yes + + # Enable to not answer version.server and version.bind queries. + hide-version: yes + + # Enable to not answer trustanchor.unbound queries. + hide-trustanchor: yes + + # Harden against out of zone RRsets, to avoid spoofing attempts. + harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. + harden-dnssec-stripped: yes + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set + # QTYPE to NS when possible. + qname-minimisation: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. + use-caps-for-id: yes + + # File to read root hints from. Default is using the builtin hints + # for the IN class, which may become outdated, so it is good practice + # to use a root-hints file. + # get one from https://www.internic.net/domain/named.cache + root-hints: "/usr/local/etc/unbound/root.hints" + + # File with trusted keys used to perform DNSSEC validation, and Unbound + # must be able to read and write it, to keep it up to date with the + # latest key(s). + # + # NOTE: `unbound-anchor` tool provides an initial anchor from bultin + # values, but for real trust you should check this thoroughly! + auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" + + # Verbosity level of the validator to log failed validations. + # Default: 0 (i.e., off). 1: A line per failed user query. + # 2: With reason and bad IP. + val-log-level: 1 + + # Verbosity level: 0 (least verbose) -> 5 (very verbose). + # Default: 1 (operational info). + verbosity: 1 + + # The log file, "" means log to stderr. + # NOTE: set the below "use-syslog" to "no" when to use this option. + logfile: "/usr/local/etc/unbound/unbound.log" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # NOTE: will override the above "logfile" option if enabled. + #use-syslog: no + use-syslog: yes + + +# WARNING: +# It is a *bad* idea to use a public or shared DNS resolver (e.g., Google +# Public DNS, ISP's DNS) to query DNS-based Blocklists (DNSBLs, e.g., +# spamhaus.org, spamcop.net; see also https://www.dnsbl.info/), because +# most if not all DNSBL providers apply a *rate limit* (or white/black list) +# based on the DNS resolver that is used to query their service! +# +# Credits: +# * Mailcow - Why unbound? +# https://mailcow.github.io/mailcow-dockerized-docs/u_e-why_unbound/ +# * Spamhaus - FAQ +# https://www.spamhaus.org/faq/section/DNSBL%20Usage#261 +# +#forward-zone: +# # Forward all requested queries not fulfilled by this server to the root +# # root domain (`.`). +# # +# # NOTE: Use DNSSEC-supported DNS servers from +# # https://wiki.ipfire.org/dns/public-servers +# # +# name: "." +# forward-addr: 84.200.69.80 # DNS.WATCH (DE), primary +# forward-addr: 2001:1608:10:25::1c04:b12f # DNS.WATCH (DE), primary +# forward-addr: 84.200.70.40 # DNS.WATCH (DE), secondary +# forward-addr: 2001:1608:10:25::9249:d69b # DNS.WATCH (DE), secondary +# forward-addr: 8.8.8.8 # Google Public DNS (Anycast), primary +# forward-addr: 8.8.4.4 # Google Public DNS (Anycast), secondary diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml new file mode 100644 index 0000000..59522a8 --- /dev/null +++ b/roles/dns/tasks/main.yml @@ -0,0 +1,35 @@ +--- +- name: install unbound and nsd + pkgng: + name: "{{ item }}" + state: present + with_items: + - unbound + - nsd + +# "root-hints" is the file which contains the listing of primary root +# DNS servers. Unbound does have a listing of root DNS servers in its +# code, but we want to make sure we have the most up to date copy. +# We normally update our copy once every 6 months. +# +# References: +# * Unbound DNS Server Tutorial +# https://calomel.org/unbound_dns.html +# +- name: unbound - fetch root.hints + command: > + fetch -o /usr/local/etc/unbound/root.hints + "https://www.internic.net/domain/named.cache" + +- name: unbound - copy configuration + copy: + src: unbound.conf + dest: /usr/local/etc/unbound/unbound.conf + +- name: unbound - enable and start service + command: rcenable unbound + +- name: setup resolv.conf + copy: + src: resolv.conf + dest: /etc/resolv.conf |