3 files changed, 213 insertions, 0 deletions

diff --git a/roles/dns/files/resolv.conf b/roles/dns/files/resolv.conf
new file mode 100644
index 0000000..9c9a0be
--- /dev/null
+++ b/roles/dns/files/resolv.conf
@@ -0,0 +1,13 @@
+#
+# /etc/resolv.conf
+# DragonFly BSD
+#
+# Aaron LI
+#
+
+# Increase timeout to 30 seconds (default: 5 seconds)
+options timeout:30
+
+# Local DNS (recursive resolver) by "unbound"
+nameserver 127.0.0.1
+#nameserver ::1
diff --git a/roles/dns/files/unbound.conf b/roles/dns/files/unbound.conf
new file mode 100644
index 0000000..18e3ae6
--- /dev/null
+++ b/roles/dns/files/unbound.conf
@@ -0,0 +1,165 @@
+#
+# /usr/local/etc/unbound/unbound.conf
+# See unbound.conf(5)
+#
+# References
+# ----------
+# [1] Unbound setting up a secure local DNS server
+#     https://superuser.com/a/1123357/731908
+# [2] Unbound DNS Server Tutorial
+#     https://calomel.org/unbound_dns.html
+# [3] How to enable DNSSEC
+#     https://www.unbound.net/documentation/howto_anchor.html
+# [4] List of Public DNS Servers
+#     https://wiki.ipfire.org/dns/public-servers
+#
+#
+# Aaron LI
+#
+
+# NOTE:
+# Configure `unbound` to be a recursive DNS resolver with local cache,
+# instead of forwarding the queries to an upstream DNS resolver (e.g.,
+# DNS.WATCH, Google Public DNS), in order to work well with the DNSBL
+# services (e.g., spamhaus.org) used by Postfix.
+
+server:
+    # Specify the interfaces to answer queries from by ip-address.
+    # The default is to listen to localhost (127.0.0.1 and ::1).
+    # Specify 0.0.0.0 and ::0 to bind to all available interfaces.
+    # Specify every interface[@port] on a new 'interface:' labelled line.
+    # The listen interfaces are not changed on reload, only on restart.
+    interface: 127.0.0.1
+    interface: ::1
+
+    # Control which clients are allowed to make (recursive) queries
+    # to this server.  Specify classless netblocks with /size and action.
+    # By default everything is refused, except for localhost.
+    #
+    # Actions:
+    #   * deny (drop message)
+    #   * refuse (polite error reply)
+    #   * allow (recursive ok)
+    #   * allow_snoop (recursive and nonrecursive ok), e.g., "dig +trace"
+    #   * deny_non_local (drop queries unless can be answered from local-data)
+    #   * refuse_non_local (like deny_non_local but polite error reply)
+    #
+    # access-control: 0.0.0.0/0 refuse
+    # access-control: 127.0.0.0/8 allow
+    # access-control: ::0/0 refuse
+    # access-control: ::1 allow
+    # access-control: ::ffff:127.0.0.1 allow
+    #
+    access-control: 127.0.0.0/8 allow_snoop
+    access-control: ::1         allow_snoop
+
+    # Print statistics to the log (for every thread) every N seconds.
+    # Set to "" or 0 to disable.  Default is disabled.
+    statistics-interval: 7200
+
+    # Enable or disable whether IPv4 queries are answered or issued.
+    # Default: yes
+    do-ip4: yes
+
+    # Enable or disable whether IPv6 queries are answered or issued.
+    do-ip6: yes
+
+    # Whether prefer IPv6 transport for sending queries?
+    # Default: no
+    #prefer-ip6: no
+
+    # Enable or disable whether UDP queries are answered or issued.
+    # Default: yes
+    do-udp: yes
+
+    # Enable or disable whether TCP queries are answered or issued.
+    # Default: yes
+    do-tcp: yes
+
+    # Enable to not answer id.server and hostname.bind queries.
+    hide-identity: yes
+
+    # Enable to not answer version.server and version.bind queries.
+    hide-version: yes
+
+    # Enable to not answer trustanchor.unbound queries.
+    hide-trustanchor: yes
+
+    # Harden against out of zone RRsets, to avoid spoofing attempts.
+    harden-glue: yes
+
+    # Harden against receiving dnssec-stripped data.  If you turn it
+    # off, failing to validate dnskey data for a trustanchor will
+    # trigger insecure mode for that zone (like without a trustanchor).
+    # Default on, which insists on dnssec data for trust-anchored zones.
+    harden-dnssec-stripped: yes
+
+    # Sent minimum amount of information to upstream servers to enhance
+    # privacy.  Only sent minimum required labels of the QNAME and set
+    # QTYPE to NS when possible.
+    qname-minimisation: yes
+
+    # Use 0x20-encoded random bits in the query to foil spoof attempts.
+    # This feature is an experimental implementation of draft dns-0x20.
+    use-caps-for-id: yes
+
+    # File to read root hints from.  Default is using the builtin hints
+    # for the IN class, which may become outdated, so it is good practice
+    # to use a root-hints file.
+    # get one from https://www.internic.net/domain/named.cache
+    root-hints: "/usr/local/etc/unbound/root.hints"
+
+    # File with trusted keys used to perform DNSSEC validation, and Unbound
+    # must be able to read and write it, to keep it up to date with the
+    # latest key(s).
+    #
+    # NOTE: `unbound-anchor` tool provides an initial anchor from bultin
+    #       values, but for real trust you should check this thoroughly!
+    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
+
+    # Verbosity level of the validator to log failed validations.
+    # Default: 0 (i.e., off).  1: A line per failed user query.
+    # 2: With reason and bad IP.
+    val-log-level: 1
+
+    # Verbosity level: 0 (least verbose) -> 5 (very verbose).
+    # Default: 1 (operational info).
+    verbosity: 1
+
+    # The log file, "" means log to stderr.
+    # NOTE: set the below "use-syslog" to "no" when to use this option.
+    logfile: "/usr/local/etc/unbound/unbound.log"
+
+    # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
+    # NOTE: will override the above "logfile" option if enabled.
+    #use-syslog: no
+    use-syslog: yes
+
+
+# WARNING:
+# It is a *bad* idea to use a public or shared DNS resolver (e.g., Google
+# Public DNS, ISP's DNS) to query DNS-based Blocklists (DNSBLs, e.g.,
+# spamhaus.org, spamcop.net; see also https://www.dnsbl.info/), because
+# most if not all DNSBL providers apply a *rate limit* (or white/black list)
+# based on the DNS resolver that is used to query their service!
+#
+# Credits:
+# * Mailcow - Why unbound?
+#   https://mailcow.github.io/mailcow-dockerized-docs/u_e-why_unbound/
+# * Spamhaus - FAQ
+#   https://www.spamhaus.org/faq/section/DNSBL%20Usage#261
+#
+#forward-zone:
+#    # Forward all requested queries not fulfilled by this server to the root
+#    # root domain (`.`).
+#    #
+#    # NOTE: Use DNSSEC-supported DNS servers from
+#    #       https://wiki.ipfire.org/dns/public-servers
+#    #
+#    name: "."
+#    forward-addr: 84.200.69.80                # DNS.WATCH (DE), primary
+#    forward-addr: 2001:1608:10:25::1c04:b12f  # DNS.WATCH (DE), primary
+#    forward-addr: 84.200.70.40                # DNS.WATCH (DE), secondary
+#    forward-addr: 2001:1608:10:25::9249:d69b  # DNS.WATCH (DE), secondary
+#    forward-addr: 8.8.8.8  # Google Public DNS (Anycast), primary
+#    forward-addr: 8.8.4.4  # Google Public DNS (Anycast), secondary
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
new file mode 100644
index 0000000..59522a8
--- /dev/null
+++ b/roles/dns/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: install unbound and nsd
+  pkgng:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - unbound
+    - nsd
+
+# "root-hints" is the file which contains the listing of primary root
+# DNS servers.  Unbound does have a listing of root DNS servers in its
+# code, but we want to make sure we have the most up to date copy.
+# We normally update our copy once every 6 months.
+#
+# References:
+# * Unbound DNS Server Tutorial
+#   https://calomel.org/unbound_dns.html
+#
+- name: unbound - fetch root.hints
+  command: >
+    fetch -o /usr/local/etc/unbound/root.hints
+    "https://www.internic.net/domain/named.cache"
+
+- name: unbound - copy configuration
+  copy:
+    src: unbound.conf
+    dest: /usr/local/etc/unbound/unbound.conf
+
+- name: unbound - enable and start service
+  command: rcenable unbound
+
+- name: setup resolv.conf
+  copy:
+    src: resolv.conf
+    dest: /etc/resolv.conf