Default variable details
Some of the debops.unbound default variables have more extensive configuration than simple strings or lists; here you can find documentation and examples for them.
unbound__server
Configuration of the unbound__*_server variables is described in a separate document, Default variable details: unbound__server.
unbound__zones
The unbound__*_zones lists are used to configure forward or stub DNS zones published by the Unbound service. Each DNS zone delegation is configured in its own /etc/unbound/unbound.conf.d/zone_<name>.conf configuration file.
Each list entry is a YAML dictionary with specific parameters:

name
Required. Name of the DNS zone, used in the filename. This parameter is used as an identifier during the variable parsing.

zone
Optional. If specified, this string will be used as the DNS zone name. With this parameter specified, name can be used as a general identifier of a particular delegation.

type
Optional. The zone type to use: 'forward' (default if not specified), 'local' or 'stub'. See the unbound.conf(5) manual page for details about stub and forward zones.

local_zone_type
Optional. If the type parameter is set to 'local', this parameter can be used to define the type of the local zone ('static' (default), 'transparent', etc.). See the local-zone: keyword in the unbound.conf(5) manual page for details about local zone types.

local_zone_data
Optional. If the type parameter is set to 'local', this parameter can be used to define the data of a given local zone. This is a YAML list of entries; each entry can specify a DNS Resource Record as a string. See the examples section for an example local zone configuration.

nameserver, nameservers
Optional. IP address or list of IP addresses of the DNS nameservers of a particular zone. You can specify the port using the @ character, for example '192.0.2.1@5353'.

revdns
Optional. Specify a CIDR subnet or multiple subnets for a given DNS zone. If specified, reverse DNS zones will be included in the generated zone file; each reverse DNS zone will use the same nameserver IP addresses and other options specified for the main DNS zone. Currently only IPv4 subnets from /16 to /24 are properly supported. If the specified subnet is in an RFC 1918 private network range, the main DNS zone and the reverse DNS zones will be set as local, insecure zones to avoid issues with DNSSEC. This can be overridden by setting the private_domain, domain_insecure and/or local_zone parameters to False.

state
Optional. If not specified or 'present', the zone file will be generated. If 'absent', the configuration file will be removed. If 'ignore', the given entry will not be evaluated by the role, and no changes will be done to the preceding parameters with the same name. This can be used to conditionally activate entries with different configuration. If 'append', the given entry will be evaluated only if an entry with the same name already exists. The current state will not be changed.

comment
Optional. String or a YAML dictionary with additional comments for a given DNS zone.

options
Optional. List of configuration options for a particular zone. The format is the same as the Default variable details: unbound__server configuration options. For a list of supported options, see the stub zone and forward zone sections of the unbound.conf(5) manual page.

server_options
Optional. List of server: configuration options associated with a particular zone. The format is the same as the Default variable details: unbound__server configuration options.
Examples
Forward all queries to external Google DNS servers:
---
unbound__zones:

  # https://en.wikipedia.org/wiki/Google_Public_DNS
  - name: 'forward-all-to-google'
    comment: 'Forward all DNS queries to Google Public DNS'
    zone: '.'
    nameservers: [ '8.8.8.8', '8.8.4.4',
                   '2001:4860:4860::8888',
                   '2001:4860:4860::8844' ]
Create a custom forward zone for an internal network:

unbound__zones:

  - name: 'internal-net'
    zone: 'nat.example.org'
    revdns: '192.0.2.0/24'
    nameserver: '192.0.2.1'
    options:
      - 'forward-first': True
Define a local DNS entry example.test. with a few resource records:

unbound__zones:

  - name: 'example.test'
    zone: 'example.test.'
    type: 'local'
    local_zone_type: 'static'
    local_zone_data:
      - 'NS localhost.'
      - 'SOA localhost. nobody.invalid. 1 3600 1200 604800 10800'
      - 'PTR localhost.'
      - 'A 192.0.2.1'
      - 'AAAA 2001:db8::1'
Configure Unbound to support a stub DNS zone using an external DNS server, for example a home router with a dnsmasq nameserver. Ensure that both normal and reverse lookups work as expected. The local zone is not signed with DNSSEC, so we need to mark it as insecure.

unbound__zones:

  - name: 'example.net'
    zone: 'example.net.'
    type: 'stub'
    options:
      - 'stub-addr': '192.0.2.1'
    server_options:
      - 'domain-insecure': '"example.net"'
      - 'local-zone': '"example.net." nodefault'

  - name: '2.0.192.in-addr.arpa'
    zone: '2.0.192.in-addr.arpa.'
    type: 'stub'
    options:
      - 'stub-addr': '192.0.2.1'
    server_options:
      - 'domain-insecure': '"2.0.192.in-addr.arpa."'
      - 'local-zone': '"2.0.192.in-addr.arpa." nodefault'
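As an added illustration, not the role's own template, here is a small Python renderer that turns one unbound__zones entry as described above into unbound.conf(5) text: it derives the in-addr.arpa names for revdns subnets, passes the host@port nameserver form through, and applies the RFC 1918 private/insecure/local handling with its three override flags. The exact output of the real template, in particular that local_zone_data records are prefixed with the zone name, is an assumption made here.

```python
import ipaddress

# RFC 1918 ranges: a revdns subnet inside one of them makes the role mark the
# zone and its reverse zones as private, insecure and local (see revdns above).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def revdns_zone(cidr):
    """Map an octet-aligned IPv4 /16 or /24 subnet to its in-addr.arpa zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (16, 24):
        raise ValueError("only IPv4 /16 and /24 subnets are handled here")
    octets = str(net.network_address).split(".")[:net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def render_zone(entry):
    """Render one unbound__zones entry as unbound.conf(5) text."""
    if entry.get("state", "present") != "present":
        return ""  # 'absent' removes the file; nothing is rendered for it
    zone = entry.get("zone", entry["name"])
    ztype = entry.get("type", "forward")
    servers = entry.get("nameservers") or entry.get("nameserver") or []
    servers = [servers] if isinstance(servers, str) else servers
    subnets = entry.get("revdns") or []
    subnets = [subnets] if isinstance(subnets, str) else subnets
    reverse = [revdns_zone(s) for s in subnets]  # also validates the subnets
    private = any(ipaddress.ip_network(s, strict=False).subnet_of(p)
                  for s in subnets for p in RFC1918)
    out = []
    for z in [zone] + reverse:  # reverse zones reuse the main zone's settings
        if ztype == "local":
            out += ["server:", f'    local-zone: "{z}" {entry.get("local_zone_type", "static")}']
            # assumed: the role prefixes each resource record with the zone name
            out += [f'    local-data: "{z} {rr}"' for rr in entry.get("local_zone_data", [])]
        else:
            out += [f"{ztype}-zone:", f'    name: "{z}"']
            out += [f"    {ztype}-addr: {s}" for s in servers]  # host@port passes through
            for opt in entry.get("options", []):
                for key, val in opt.items():
                    val = "yes" if val is True else "no" if val is False else val
                    out.append(f"    {key}: {val}")
        if private:  # any of the three can be switched off per entry
            out.append("server:")
            for flag, line in (("private_domain", f'private-domain: "{z}"'),
                               ("domain_insecure", f'domain-insecure: "{z}"'),
                               ("local_zone", f'local-zone: "{z}" nodefault')):
                if entry.get(flag, True):
                    out.append("    " + line)
    return "\n".join(out) + "\n"
```

Feeding it the 'internal-net' entry from the examples shows why 192.0.2.0/24 (TEST-NET-2, not RFC 1918) gets no private/insecure stanza while a 192.168.x.0/24 subnet does.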