| author | Lexi Winter <lexi@le-fay.org> | 2025-06-09 11:11:04 +0100 |
|---|---|---|
| committer | Lexi Winter <lexi@le-fay.org> | 2025-06-09 11:11:04 +0100 |
| commit | 4a6119c1a9ea22825c0952b730118268cf33f0ad (patch) | |
| tree | 2a77df4d0cc774744140d8b4748b9a96934365bd | |
| parent | 64a120d9eb6ea7d5a2d3254401581cafadfde917 (diff) | |
| download | dns-4a6119c1a9ea22825c0952b730118268cf33f0ad.tar.gz dns-4a6119c1a9ea22825c0952b730118268cf33f0ad.tar.bz2 | |
support forwarders in unbound.conf
| -rw-r--r-- | Makefile | 10 | ||||
| -rw-r--r-- | unbound.conf.erb | 38 |
2 files changed, 45 insertions, 3 deletions
@@ -90,9 +90,16 @@ LFNETWORKS= \ 10.0.0.0/8 \ 198.18.0.0/15 +# All servers which run Unbound. UNBOUND_SERVERS= \ witch.le-fay.org \ - turnera.le-fay.org + turnera.le-fay.org \ + hemlock.eden.le-fay.org + +# Forwarder addresses for Unbound forwarders. +UNBOUND_FORWARDERS= \ + 2001:8b0:aab5:c401::1:3 \ + 2001:8b0:aab5:c401::1:4 UNBOUND_PROCESS_FLAGS= \ -Dconfdir=/usr/local/etc/unbound \ @@ -102,6 +109,7 @@ UNBOUND_PROCESS_FLAGS= \ -Dlocal_zones="${ZONES}" \ -Ddn42_zones="${DN42_ZONES}" \ -Ddn42_master="${DN42_MASTER}" +UNBOUND_PROCESS_FLAGS.hemlock.eden.le-fay.org= -Dforwarder=yes UNBOUND_PROCESS_FLAGS.witch.le-fay.org= -Dtls=yes UNBOUND_PROCESS_FLAGS.turnera.le-fay.org= -Dtls=yes diff --git a/unbound.conf.erb b/unbound.conf.erb index 5136093..b2f1f6e 100644 --- a/unbound.conf.erb +++ b/unbound.conf.erb @@ -14,9 +14,31 @@ server: auto-trust-anchor-file: "<%= confdir %>/secondary/root.key" - # The local config file configures listen addresses. +<% if defined?(forwarder) %> + # Forwarders only listen on localhost. + interface: ::1 + # Only localhost has access. + access-control: ::1 allow + + # Be more forgiving of broken servers, so that everything doesn't stop + # working if the network is down for a bit. + infra-keep-probing: yes + infra-host-ttl: 60 + log-servfail: yes +<% else %> + # For resolvers, the local config file configures listen addresses. include: "<%= confdir %>/unbound.conf.local" + # Allow access from LF networks. +<% lfnetworks.split.each do |network| %> + access-control: <%= network %> allow +<% end %> + + # We might want to enable this in the future. + #use-caps-for-id: yes + #caps-exempt: example.org +<% end %> + tls-upstream: no pad-responses: yes <%# quic-port: 853 %> 
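Review bot: UNBOUND_FORWARDERS is introduced in the first hunk but nothing in either hunk passes it to the template — UNBOUND_PROCESS_FLAGS only gains `-Dforwarder=yes` for hemlock, while unbound.conf.erb hard-codes the same two addresses as `forward-addr` lines in its forward-zone hunk, so the two lists will drift apart the first time one is edited. Unless the variable is consumed somewhere outside this hunk, pass it the way the other lists are passed, e.g. `-Dforwarders="${UNBOUND_FORWARDERS}" \` inside UNBOUND_PROCESS_FLAGS, and have the template expand it with `<% forwarders.split.each do |addr| %>` / `forward-addr: <%= addr %>` / `<% end %>`, mirroring the existing lfnetworks loop. A short comment on the per-host line, `# hemlock forwards everything to UNBOUND_FORWARDERS instead of recursing`, would make the role split between the three hosts readable from the Makefile alone.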
@@ -63,9 +85,9 @@ server: nat64-prefix: <%= nat64_prefix %> <% end %> +# Private addresses that should not be found in Internet zones. <% lfnetworks.split.each do |network| %> private-address: <%= network %> - access-control: <%= network %> allow <% end %> private-domain: sikol.co.uk @@ -95,6 +117,16 @@ remote-control: control-key-file: "<%= confdir %>/unbound_control.key" control-cert-file: "<%= confdir %>/unbound_control.pem" +<% if defined?(forwarder) %> +# This server is a forwarder. +forward-zone: + name: "." + forward-addr: 2001:8b0:aab5:c401::1:3 + forward-addr: 2001:8b0:aab5:c401::1:4 + forward-first: yes +<% else %> +# This server is a resolver, so it wants a local copy of all zones. + # SiKol zones auth-zone: name: "lethe.sikol.co.uk" @@ -129,3 +161,5 @@ stub-zone: name: <%= zone %>. stub-addr: <%= dn42_master %> <% end %> + +<% end %> |
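Review bot: `<% if defined?(forwarder) %>` at the top of both new conditional hunks tests only whether the `forwarder` local exists, not its value, so if the `-D` flags become template locals the way `-Dforwarder=yes` suggests, a host given `-Dforwarder=no` would still be rendered as a forwarder; compare the value instead, e.g. `<% if defined?(forwarder) && forwarder == "yes" %>`, in both places. In the forward-zone block, `forward-first: yes` lets Unbound fall back to its own full recursion whenever both forward-addr servers are unreachable or return SERVFAIL, so during an outage of those two hosts the forwarder will go directly to the Internet; if the intent is that hemlock resolves only through them (for filtering, logging or egress policy), this should be `forward-first: no`, and otherwise a comment such as `# Fall back to full recursion if both forwarders are down.` should state that the bypass is deliberate. The upstream traffic in that block is plain DNS (no `@853` port suffix or `forward-tls-upstream: yes`), which is consistent with the existing `tls-upstream: no` but is worth a comment next to the addresses since the forwarder relies on the trust anchor alone for integrity. The `<% else %>` opened in the forward-zone hunk is only closed by the `<% end %>` added at the very end of the file, so the entire resolver-only zone list now sits inside the conditional.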
