92 lines
2.5 KiB
Django/Jinja
92 lines
2.5 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
{#
|
|
This template is for the TripleO base Unbound configuration file.
|
|
|
|
No service specific settings should be made in this file.
|
|
|
|
It will be placed in the /etc/unbound/conf.d directory and will override the
|
|
configuration settings provided in the base Unbound package from the
|
|
distribution.
|
|
#}
|
|
#
|
|
# These settings are made by TripleO, do not modify directly.
|
|
# The settings in this file will override the package provided settings.
|
|
#
|
|
|
|
{% import 'unbound_build_vars.j2' as unbound_vars with context %}
|
|
|
|
server:
|
|
|
|
{# The interface unbound should listen on. x.x.x.x x::x #}
|
|
{% for interface in unbound_vars.tripleo_unbound_listen_ips %}
|
|
interface: {{ interface }}
|
|
{% endfor %}
|
|
{# We are in a container, stay in the foreground #}
|
|
do-daemonize: no
|
|
|
|
{#
|
|
Define CIDRs that are allowed to use this resolver.
|
|
Note: This is a security feature. Do not open the resolver to the world or
|
|
it can be used for DDoS amplification attacks.
|
|
#}
|
|
# Allow cloud internal subnet CIDRs.
|
|
{% for cidr in unbound_vars.tripleo_unbound_allowed_internal_cidrs %}
|
|
access-control: {{ cidr }} allow
|
|
{% endfor %}
|
|
|
|
# Allow cloud external subnet CIDRs.
|
|
{% for cidr in unbound_vars.tripleo_unbound_allowed_external_cidrs %}
|
|
access-control: {{ cidr }} allow
|
|
{% endfor %}
|
|
|
|
# Allow deployment configured CIDRs.
|
|
{% for cidr in tripleo_unbound_allowed_cidrs %}
|
|
access-control: {{ cidr }} allow
|
|
{% endfor %}
|
|
|
|
{# Set the container log file name and location. #}
|
|
logfile: /var/log/unbound/unbound.log
|
|
|
|
{#
|
|
Only log queries if the user has enabled it.
|
|
This can generate very large log files.
|
|
#}
|
|
{% if tripleo_unbound_log_queries %}
|
|
log-queries: yes
|
|
{% else %}
|
|
log-queries: no
|
|
{% endif %}
|
|
|
|
{# Set various security hardening settings. This defaults to on. #}
|
|
{% if tripleo_unbound_security_harden %}
|
|
hide-identity: yes
|
|
hide-version: yes
|
|
hide-trustanchor: yes
|
|
harden-short-bufsize: yes
|
|
harden-large-queries: yes
|
|
{% endif %}
|
|
|
|
{# Allow PTR lookups for private IP address spaces. #}
|
|
unblock-lan-zones: yes
|
|
|
|
{# Do not try to DNSSEC validate private IP address spaces. #}
|
|
insecure-lan-zones: yes
|
|
{# Setup the TLS endpoint for TCP queries. #}
|
|
{# Not implemented yet
|
|
tls-service-key: <tls key file>
|
|
tls-service-pem: <tls pem file>
|
|
tls-port: 853
|
|
#}
|
|
{#
|
|
Optimize the cache for cloud usage.
|
|
https://www.nlnetlabs.nl/documentation/unbound/howto-optimise/
|
|
#}
|
|
rrset-cache-size: 100m
|
|
msg-cache-size: 50m
|
|
|
|
{#
|
|
The remote control interface is not needed until we startcollecting metrics.
|
|
#}
|
|
remote-control:
|
|
control-enable: no
|