Add DNS resolver forwarding support to Unbound
This patch adds support for DNS resolver forwarding to the tripleo_unbound
role. This allows the configuration of "upstream" DNS resolvers that
TripleO Unbound will query if it doesn't have a local answer to a query.
If forwarders are not defined, Unbound will perform a standard recursive
DNS resolution.
Change-Id: I04d9b2d198f83882a8a4ca7ff4c196d06f8c9ee2
(cherry picked from commit 4f4cb587db
)
parent
772b827a69
commit
538791aa08
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds support for Unbound to forward DNS resolution requests to other
|
||||||
|
DNS resolvers (DNS resolver forwarding).
|
|
@ -25,3 +25,6 @@ tripleo_unbound_config_basedir: "/var/lib/config-data/ansible-generated/unbound"
|
||||||
tripleo_unbound_allowed_cidrs: []
|
tripleo_unbound_allowed_cidrs: []
|
||||||
tripleo_unbound_log_queries: false
|
tripleo_unbound_log_queries: false
|
||||||
tripleo_unbound_security_harden: true
|
tripleo_unbound_security_harden: true
|
||||||
|
tripleo_unbound_forward_resolvers: []
|
||||||
|
tripleo_unbound_allow_recursion: true
|
||||||
|
tripleo_unbound_forward_fallback: true
|
||||||
|
|
|
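Review bot: The three new defaults carry no comments, and the combination shipped here (`tripleo_unbound_forward_fallback: true` with `tripleo_unbound_allow_recursion: true`) makes the new template emit `forward-first: yes`, so Unbound retries a query by direct recursion when the configured forwarders fail. Deployments that set forwarders in order to keep DNS egress on filtered or monitored resolvers would want that stated next to the variable. I would add above `tripleo_unbound_forward_fallback` the comment `# When true (and recursion is allowed), fall back to direct recursion if the forwarders fail; set to false to query only the forwarders.`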
@ -58,9 +58,21 @@
|
||||||
setype: container_file_t
|
setype: container_file_t
|
||||||
register: _unbound_config_result
|
register: _unbound_config_result
|
||||||
|
|
||||||
|
- name: Create the TripleO Unbound forwarders configuration file
|
||||||
|
become: true
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: tripleo-forwarder-unbound.conf.j2
|
||||||
|
dest: "{{ tripleo_unbound_config_basedir }}/tripleo-forwarder-unbound.conf"
|
||||||
|
mode: '0640'
|
||||||
|
selevel: s0
|
||||||
|
setype: container_file_t
|
||||||
|
when:
|
||||||
|
- tripleo_unbound_forward_resolvers is defined and tripleo_unbound_forward_resolvers != ""
|
||||||
|
register: _unbound_fwd_config_result
|
||||||
|
|
||||||
- name: Restart Unbound
|
- name: Restart Unbound
|
||||||
when:
|
when:
|
||||||
- _unbound_config_result.changed
|
- _unbound_config_result.changed or _unbound_fwd_config_result.changed
|
||||||
block:
|
block:
|
||||||
- name: check if tripleo_unbound systemd service is active
|
- name: check if tripleo_unbound systemd service is active
|
||||||
become: true
|
become: true
|
||||||
|
|
|
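Review bot: The `when` guard on the new template task compares a list against an empty string, so with the role default `tripleo_unbound_forward_resolvers: []` it is always true and the forwarder file is written with a `forward-zone` for "." that has no `forward-addr` lines. Testing the length instead matches the commit message's "forwarders are not defined" case: `- tripleo_unbound_forward_resolvers | default([]) | length > 0`. There is also no cleanup path: once forwarders are removed from the deployment configuration the task is only skipped, so a previously rendered tripleo-forwarder-unbound.conf would stay in place and presumably keep Unbound forwarding; a companion `ansible.builtin.file` task with `state: absent` under the inverse condition, also feeding the restart condition, would close that gap. The Restart Unbound block continues outside the hunk.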
@ -0,0 +1,25 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
{#
|
||||||
|
This template is for the TripleO forwarder Unbound configuration file.
|
||||||
|
|
||||||
|
No service specific settings should be made in this file.
|
||||||
|
|
||||||
|
It will be placed in the /etc/unbound/conf.d directory and will override the
|
||||||
|
configuration settings provided in the base Unbound package from the
|
||||||
|
distribution.
|
||||||
|
#}
|
||||||
|
#
|
||||||
|
# These settings are made by TripleO, do not modify directly.
|
||||||
|
# The settings in this file will override the package provided settings.
|
||||||
|
#
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "."
|
||||||
|
{% for forwarder in tripleo_unbound_forward_resolvers %}
|
||||||
|
forward-addr: {{ forwarder }}
|
||||||
|
{% endfor %}
|
||||||
|
{% if tripleo_unbound_forward_fallback and tripleo_unbound_allow_recursion %}
|
||||||
|
forward-first: yes
|
||||||
|
{% else %}
|
||||||
|
forward-first: no
|
||||||
|
{% endif %}
|
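Review bot: `forward-addr: {{ forwarder }}` writes each list entry into the Unbound configuration verbatim, with no check that it is an address. Unbound's `forward-addr` takes an IP address (optionally with `@port`) while names belong under `forward-host`, so a hostname or a mistyped value would presumably only surface when the service is restarted with the new file, leaving the resolver down. An `ansible.builtin.assert` on the list before the template task, or at least a comment on the default saying that entries must be IP addresses, would fail earlier and more clearly.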