From 538791aa087ba582dcc0d3952b7f8521ad7ecfad Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Thu, 4 Feb 2021 23:23:44 +0000
Subject: [PATCH] Add DNS resolver forwarding support to Unbound

This patch adds support for DNS resolver forwarding to the tripleo_unbound role. This allows the configuration of "upstream" dns resolvers that TripleO Unbound will query if it doesn't have a local answer to a query. If forwarders are not defined, Unbound will perform a standard recursive DNS resolution.

Change-Id: I04d9b2d198f83882a8a4ca7ff4c196d06f8c9ee2
(cherry picked from commit 4f4cb587db3be54576316012064b7f1789b0cd5f)
---
 ...nd-forwarder-support-9bdc3ef54104ff30.yaml | 5 ++++
 .../roles/tripleo_unbound/defaults/main.yml | 3 +++
 .../roles/tripleo_unbound/tasks/main.yml | 14 ++++++++++-
 .../tripleo-forwarder-unbound.conf.j2 | 25 +++++++++++++++++++
 4 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/Add-Unbound-forwarder-support-9bdc3ef54104ff30.yaml
 create mode 100644 tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2

diff --git a/releasenotes/notes/Add-Unbound-forwarder-support-9bdc3ef54104ff30.yaml b/releasenotes/notes/Add-Unbound-forwarder-support-9bdc3ef54104ff30.yaml
new file mode 100644
index 000000000..c32956c07
--- /dev/null
+++ b/releasenotes/notes/Add-Unbound-forwarder-support-9bdc3ef54104ff30.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds support for Unbound to forward DNS resolution requests to other
+ DNS resolvers (DNS resolver forwarding).
diff --git a/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml b/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
index cf38bd35b..d769eaaed 100644
--- a/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/defaults/main.yml
@@ -25,3 +25,6 @@ tripleo_unbound_config_basedir: "/var/lib/config-data/ansible-generated/unbound"
 tripleo_unbound_allowed_cidrs: []
 tripleo_unbound_log_queries: false
 tripleo_unbound_security_harden: true
+tripleo_unbound_forward_resolvers: []
+tripleo_unbound_allow_recursion: true
+tripleo_unbound_forward_fallback: true
diff --git a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
index 22e971f2a..b5f83e8b5 100644
--- a/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_unbound/tasks/main.yml
@@ -58,9 +58,21 @@
 setype: container_file_t
 register: _unbound_config_result
 
+- name: Create the TripleO Unbound forwarders configuration file
+ become: true
+ ansible.builtin.template:
+ src: tripleo-forwarder-unbound.conf.j2
+ dest: "{{ tripleo_unbound_config_basedir }}/tripleo-forwarder-unbound.conf"
+ mode: '0640'
+ selevel: s0
+ setype: container_file_t
+ when:
+ - tripleo_unbound_forward_resolvers is defined and tripleo_unbound_forward_resolvers != ""
+ register: _unbound_fwd_config_result
+
 - name: Restart Unbound
 when:
- - _unbound_config_result.changed
+ - _unbound_config_result.changed or _unbound_fwd_config_result.changed
 block:
 - name: check if tripleo_unbound systemd service is active
 become: true
diff --git a/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2 b/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
new file mode 100644
index 000000000..efae8494c
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_unbound/templates/tripleo-forwarder-unbound.conf.j2
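Review bot: The three new defaults ship without any comment, and within this patch `tripleo_unbound_allow_recursion` is only read by the template's `forward-first` conditional, so its name suggests a broader effect (restricting client recursion) than it actually has. Add a comment above each, e.g. `# Upstream resolvers that all queries are forwarded to; empty list means Unbound recurses itself`, `# Only consulted together with forward_fallback to emit forward-first; does not restrict client recursion`, `# When true (and allow_recursion is true) a failed forwarder falls back to full recursion`. If the two booleans are meant to stay separate knobs, the comment should also say what setting only one of them to false is expected to change, since the template treats them as a single AND.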
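Review bot: The `when` guard on the new template task compares the list `tripleo_unbound_forward_resolvers` against the empty string, so with the role's default of `[]` the condition is true and a `forward-zone` stanza for `"."` with no `forward-addr` lines is written, contradicting the commit message's "if forwarders are not defined, Unbound will perform a standard recursive DNS resolution". Use a length check instead: `- tripleo_unbound_forward_resolvers | length > 0` (keep the `is defined` clause if callers may omit the variable entirely). There is also no task that removes `tripleo-forwarder-unbound.conf` once the list is emptied again, so forwarding appears to persist across reruns; an `ansible.builtin.file` task with `state: absent` gated on the inverse condition, also feeding the restart condition, would close that. The Restart Unbound block continues past the end of the hunk.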
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+{#
+This template is for the TripleO forwarder Unbound configuration file.
+
+No service specific settings should be made in this file.
+
+It will be placed in the /etc/unbound/conf.d directory and will override the
+configuration settings provided in the base Unbound package from the
+distribution.
+#}
+#
+# These settings are made by TripleO, do not modify directly.
+# The settings in this file will override the package provided settings.
+#
+
+forward-zone:
+ name: "."
+{% for forwarder in tripleo_unbound_forward_resolvers %}
+ forward-addr: {{ forwarder }}
+{% endfor %}
+{% if tripleo_unbound_forward_fallback and tripleo_unbound_allow_recursion %}
+ forward-first: yes
+{% else %}
+ forward-first: no
+{% endif %}
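Review bot: With both new booleans defaulting to true the template emits `forward-first: yes`, which makes Unbound fall back to direct iterative resolution whenever the listed forwarders fail (SERVFAIL and the like) — if the forwarders are there for policy, such as a filtering or split-horizon resolver, that silently bypasses them, and nothing in the template says so. Put the trade-off next to the conditional, e.g. `# forward-first: yes lets a forwarder failure fall back to full recursion, bypassing the forwarders; set tripleo_unbound_forward_fallback: false to fail closed`. The `forward-addr` entries are plain DNS with no `forward-tls-upstream`, so queries to the upstreams leave the host in cleartext; that deserves a sentence in the header comment or an opt-in setting. The header also states the file lands in /etc/unbound/conf.d, while the task writes it under `tripleo_unbound_config_basedir` — presumably bind-mounted into the container — so that path claim should be reworded or confirmed.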