From 6d65b784a81124f4decc7cd79e19b71049cac377 Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Thu, 4 Feb 2021 23:47:05 +0000
Subject: [PATCH] Add DNS resolver forwarding support to Unbound

This patch adds support for DNS resolver forwarding to the Unbound. This allows the configuration of "upstream" DNS resolvers that TripleO Unbound will query if it doesn't have a local answer to a query. If forwarders are not defined, Unbound will perform a standard recursive DNS resolution.

Change-Id: Id4fbde599acd4637a7422428190385d83fa44e23
---
 .../unbound/unbound-container-ansible.yaml | 22 +++++++++++++++++++
 ...nd-forwarder-support-8f29e47d4275a798.yaml | 5 +++++
 2 files changed, 27 insertions(+)
 create mode 100644 releasenotes/notes/Add-Unbound-forwarder-support-8f29e47d4275a798.yaml
diff --git a/deployment/unbound/unbound-container-ansible.yaml b/deployment/unbound/unbound-container-ansible.yaml
index dedf5288c4..309b77de4b 100644
--- a/deployment/unbound/unbound-container-ansible.yaml
+++ b/deployment/unbound/unbound-container-ansible.yaml
@@ -70,6 +70,25 @@ parameters:
 the deployment will create additonal IPs using the external network.
 type: comma_delimited_list
+ UnboundForwardResolvers:
+ default: []
+ description: A list of DNS resolver IP addresses, with optional port,
+ that Unbound will forward resolution requests to if Unbound
+ does not have the answer.
+ Example, ['192.0.2.10', '192.0.2.20@53']
+ type: comma_delimited_list
+ UnboundForwardFallback:
+ default: true
+ description: When true, if the forwarded query receives a SERVFAIL,
+ Unbound will process the request as a standard recursive
+ resolution.
+ type: boolean
+ UnboundAllowRecursion:
+ default: true
+ description: When false, Unbound will not attempt to recursively resolve
+ the request. It will only answer for queries using local
+ information.
+ type: boolean
 conditions:
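Review bot: The description of `UnboundForwardFallback` does not tell operators that its default of `true` lets Unbound go around the configured forwarders: on a SERVFAIL it resolves the name itself by recursion, which needs direct outbound DNS from the node and skips any filtering or query logging done at the forwarders. Deployments that set `UnboundForwardResolvers` for policy reasons will want `false`, so the text should say so, e.g. `Set to false when all external resolution must go through the forwarders.` The description of `UnboundAllowRecursion` also leaves open whether forwarding still happens when it is `false`; one sentence on how the two booleans combine would remove the guesswork. The `parameters:` section begins outside this hunk.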
@@ -237,3 +256,6 @@ outputs:
 tripleo_unbound_security_harden: {get_param: UnboundSecurityHarden}
 tripleo_unbound_designate_integration: {get_param: UnboundDesignateIntegration}
 tripleo_unbound_bind_network: {if: ["public_net_is_ctlplane", "ctlplane", {get_param: [ServiceNetMap, UnboundNetwork]}]}
+ tripleo_unbound_forward_resolvers: {get_param: UnboundForwardResolvers}
+ tripleo_unbound_forward_fallback: {get_param: UnboundForwardFallback}
+ tripleo_unbound_allow_recursion: {get_param: UnboundAllowRecursion}
diff --git a/releasenotes/notes/Add-Unbound-forwarder-support-8f29e47d4275a798.yaml b/releasenotes/notes/Add-Unbound-forwarder-support-8f29e47d4275a798.yaml
new file mode 100644
index 0000000000..3443f2b2a4
--- /dev/null
+++ b/releasenotes/notes/Add-Unbound-forwarder-support-8f29e47d4275a798.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added support for Unbound to forward DNS resolution requests to other
+ DNS resolvers (DNS resolver forwarding).
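Review bot: `tripleo_unbound_forward_resolvers`, in the `outputs` hunk of unbound-container-ansible.yaml, hands the `UnboundForwardResolvers` list to the Ansible role exactly as the operator typed it, and nothing in this patch checks that each entry is an IP address with an optional `@port`. As far as I know Heat's `allowed_pattern` constraint applies only to string parameters, not to the elements of a `comma_delimited_list`, so the check presumably has to live in the role that consumes the variable, which is not visible here. Without one, a malformed entry would likely surface only as an Unbound configuration that fails to load, or as an unintended line in it. A comment above the three new lines would record the expectation, e.g. `# Not validated here; the role must reject entries that are not IP[@port].` The `outputs:` mapping starts outside this hunk.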