Diffstat (limited to 'roles/dns')
-rw-r--r--roles/dns/files/resolv.conf13
-rw-r--r--roles/dns/files/unbound.conf165
-rw-r--r--roles/dns/tasks/main.yml35
3 files changed, 213 insertions, 0 deletions
diff --git a/roles/dns/files/resolv.conf b/roles/dns/files/resolv.conf
new file mode 100644
index 0000000..9c9a0be
--- /dev/null
+++ b/roles/dns/files/resolv.conf
@@ -0,0 +1,13 @@
+#
+# /etc/resolv.conf
+# DragonFly BSD
+#
+# Aaron LI
+#
+
+# Increase timeout to 30 seconds (default: 5 seconds)
+options timeout:30
+
+# Local DNS (recursive resolver) by "unbound"
+nameserver 127.0.0.1
+#nameserver ::1
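Review bot: The comment above `options timeout:30` records what was changed but not why, and the reason matters here: the only configured nameserver is the local unbound on 127.0.0.1, so the longer timeout helps only when cold-cache recursion is slow, while it also lengthens the stall (multiplied by the resolver's default attempt count) whenever unbound itself is not answering. Record the rationale so the next maintainer does not reset it, e.g. `# 30s: the local recursive resolver can exceed the 5s default on a cold cache; no fallback nameserver is configured`. If IPv6 is meant to be usable as well, `#nameserver ::1` can be uncommented since the accompanying unbound.conf listens on ::1.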
diff --git a/roles/dns/files/unbound.conf b/roles/dns/files/unbound.conf
new file mode 100644
index 0000000..18e3ae6
--- /dev/null
+++ b/roles/dns/files/unbound.conf
@@ -0,0 +1,165 @@
+#
+# /usr/local/etc/unbound/unbound.conf
+# See unbound.conf(5)
+#
+# References
+# ----------
+# [1] Unbound setting up a secure local DNS server
+# https://superuser.com/a/1123357/731908
+# [2] Unbound DNS Server Tutorial
+# https://calomel.org/unbound_dns.html
+# [3] How to enable DNSSEC
+# https://www.unbound.net/documentation/howto_anchor.html
+# [4] List of Public DNS Servers
+# https://wiki.ipfire.org/dns/public-servers
+#
+#
+# Aaron LI
+#
+
+# NOTE:
+# Configure `unbound` to be a recursive DNS resolver with local cache,
+# instead of forwarding the queries to an upstream DNS resolver (e.g.,
+# DNS.WATCH, Google Public DNS), in order to work well with the DNSBL
+# services (e.g., spamhaus.org) used by Postfix.
+
+server:
+ # Specify the interfaces to answer queries from by ip-address.
+ # The default is to listen to localhost (127.0.0.1 and ::1).
+ # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
+ # Specify every interface[@port] on a new 'interface:' labelled line.
+ # The listen interfaces are not changed on reload, only on restart.
+ interface: 127.0.0.1
+ interface: ::1
+
+ # Control which clients are allowed to make (recursive) queries
+ # to this server. Specify classless netblocks with /size and action.
+ # By default everything is refused, except for localhost.
+ #
+ # Actions:
+ # * deny (drop message)
+ # * refuse (polite error reply)
+ # * allow (recursive ok)
+ # * allow_snoop (recursive and nonrecursive ok), e.g., "dig +trace"
+ # * deny_non_local (drop queries unless can be answered from local-data)
+ # * refuse_non_local (like deny_non_local but polite error reply)
+ #
+ # access-control: 0.0.0.0/0 refuse
+ # access-control: 127.0.0.0/8 allow
+ # access-control: ::0/0 refuse
+ # access-control: ::1 allow
+ # access-control: ::ffff:127.0.0.1 allow
+ #
+ access-control: 127.0.0.0/8 allow_snoop
+ access-control: ::1 allow_snoop
+
+ # Print statistics to the log (for every thread) every N seconds.
+ # Set to "" or 0 to disable. Default is disabled.
+ statistics-interval: 7200
+
+ # Enable or disable whether IPv4 queries are answered or issued.
+ # Default: yes
+ do-ip4: yes
+
+ # Enable or disable whether IPv6 queries are answered or issued.
+ do-ip6: yes
+
+ # Whether prefer IPv6 transport for sending queries?
+ # Default: no
+ #prefer-ip6: no
+
+ # Enable or disable whether UDP queries are answered or issued.
+ # Default: yes
+ do-udp: yes
+
+ # Enable or disable whether TCP queries are answered or issued.
+ # Default: yes
+ do-tcp: yes
+
+ # Enable to not answer id.server and hostname.bind queries.
+ hide-identity: yes
+
+ # Enable to not answer version.server and version.bind queries.
+ hide-version: yes
+
+ # Enable to not answer trustanchor.unbound queries.
+ hide-trustanchor: yes
+
+ # Harden against out of zone RRsets, to avoid spoofing attempts.
+ harden-glue: yes
+
+ # Harden against receiving dnssec-stripped data. If you turn it
+ # off, failing to validate dnskey data for a trustanchor will
+ # trigger insecure mode for that zone (like without a trustanchor).
+ # Default on, which insists on dnssec data for trust-anchored zones.
+ harden-dnssec-stripped: yes
+
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set
+ # QTYPE to NS when possible.
+ qname-minimisation: yes
+
+ # Use 0x20-encoded random bits in the query to foil spoof attempts.
+ # This feature is an experimental implementation of draft dns-0x20.
+ use-caps-for-id: yes
+
+ # File to read root hints from. Default is using the builtin hints
+ # for the IN class, which may become outdated, so it is good practice
+ # to use a root-hints file.
+ # get one from https://www.internic.net/domain/named.cache
+ root-hints: "/usr/local/etc/unbound/root.hints"
+
+ # File with trusted keys used to perform DNSSEC validation, and Unbound
+ # must be able to read and write it, to keep it up to date with the
+ # latest key(s).
+ #
+ # NOTE: `unbound-anchor` tool provides an initial anchor from bultin
+ # values, but for real trust you should check this thoroughly!
+ auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
+
+ # Verbosity level of the validator to log failed validations.
+ # Default: 0 (i.e., off). 1: A line per failed user query.
+ # 2: With reason and bad IP.
+ val-log-level: 1
+
+ # Verbosity level: 0 (least verbose) -> 5 (very verbose).
+ # Default: 1 (operational info).
+ verbosity: 1
+
+ # The log file, "" means log to stderr.
+ # NOTE: set the below "use-syslog" to "no" when to use this option.
+ logfile: "/usr/local/etc/unbound/unbound.log"
+
+ # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
+ # NOTE: will override the above "logfile" option if enabled.
+ #use-syslog: no
+ use-syslog: yes
+
+
+# WARNING:
+# It is a *bad* idea to use a public or shared DNS resolver (e.g., Google
+# Public DNS, ISP's DNS) to query DNS-based Blocklists (DNSBLs, e.g.,
+# spamhaus.org, spamcop.net; see also https://www.dnsbl.info/), because
+# most if not all DNSBL providers apply a *rate limit* (or white/black list)
+# based on the DNS resolver that is used to query their service!
+#
+# Credits:
+# * Mailcow - Why unbound?
+# https://mailcow.github.io/mailcow-dockerized-docs/u_e-why_unbound/
+# * Spamhaus - FAQ
+# https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
+#
+#forward-zone:
+# # Forward all requested queries not fulfilled by this server to the root
+# # root domain (`.`).
+# #
+# # NOTE: Use DNSSEC-supported DNS servers from
+# # https://wiki.ipfire.org/dns/public-servers
+# #
+# name: "."
+# forward-addr: 84.200.69.80 # DNS.WATCH (DE), primary
+# forward-addr: 2001:1608:10:25::1c04:b12f # DNS.WATCH (DE), primary
+# forward-addr: 84.200.70.40 # DNS.WATCH (DE), secondary
+# forward-addr: 2001:1608:10:25::9249:d69b # DNS.WATCH (DE), secondary
+# forward-addr: 8.8.8.8 # Google Public DNS (Anycast), primary
+# forward-addr: 8.8.4.4 # Google Public DNS (Anycast), secondary
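Review bot: `logfile: "/usr/local/etc/unbound/unbound.log"` is dead configuration as committed, because `use-syslog: yes` two lines below overrides it, as the author's own NOTE states; either comment it out (`#logfile: "/usr/local/etc/unbound/unbound.log"`) or, if file logging is wanted, set `use-syslog: no` and point the log at a log directory rather than the configuration directory. Separately, `access-control: 127.0.0.0/8 allow_snoop` and `access-control: ::1 allow_snoop` grant nonrecursive cache lookups to every local process; plain `allow` is sufficient unless `dig +trace` from this host is actually needed, so `access-control: 127.0.0.0/8 allow` / `access-control: ::1 allow` is the least-privilege choice. Note also that `auto-trust-anchor-file` requires root.key to exist and be writable by the daemon (per the comment on the option), and nothing in this commit's tasks file creates it.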
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
new file mode 100644
index 0000000..59522a8
--- /dev/null
+++ b/roles/dns/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: install unbound and nsd
+ pkgng:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - unbound
+ - nsd
+
+# "root-hints" is the file which contains the listing of primary root
+# DNS servers. Unbound does have a listing of root DNS servers in its
+# code, but we want to make sure we have the most up to date copy.
+# We normally update our copy once every 6 months.
+#
+# References:
+# * Unbound DNS Server Tutorial
+# https://calomel.org/unbound_dns.html
+#
+- name: unbound - fetch root.hints
+ command: >
+ fetch -o /usr/local/etc/unbound/root.hints
+ "https://www.internic.net/domain/named.cache"
+
+- name: unbound - copy configuration
+ copy:
+ src: unbound.conf
+ dest: /usr/local/etc/unbound/unbound.conf
+
+- name: unbound - enable and start service
+ command: rcenable unbound
+
+- name: setup resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc/resolv.conf
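Review bot: The copied unbound.conf sets `auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"`, but no task here creates that file, so unless the package or rc script initialises it (not visible in this commit) the service is enabled without a usable DNSSEC trust anchor; a `unbound-anchor -a /usr/local/etc/unbound/root.key` task belongs before `rcenable unbound`, keeping in mind that unbound-anchor exits 1 when it had to write a fresh anchor, so its exit code needs handling, and that the resulting file must be writable by whatever user the daemon runs as for RFC 5011 updates. The `fetch` and `rcenable` command tasks report changed on every run, and the `copy` of unbound.conf carries no `notify`, so a later configuration change is not applied until something else restarts the service; a restart handler on the copy task and `get_url` in place of the `fetch` command would make the role idempotent. The per-item `pkgng` loop with `with_items` also works but passing the list directly to `name:` is the current idiom.

```yaml
# … unchanged: install, root.hints and copy-configuration tasks …
- name: unbound - initialise DNSSEC trust anchor (root.key)
  command: unbound-anchor -a /usr/local/etc/unbound/root.key
  args:
    creates: /usr/local/etc/unbound/root.key
  register: unbound_anchor
  # unbound-anchor exits 1 when it wrote or updated the anchor; only rc > 1 is an error
  failed_when: unbound_anchor.rc | default(0) > 1

- name: unbound - enable and start service
  command: rcenable unbound
```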