Unbound: forward queries to NextDNS over DoT

angristan · angristan · commit 13358965f2d7 · 2020-04-04T22:11:24.000+02:00
Also: setup Unbound on Debian containers
diff --git a/files/etc/unbound/unbound.conf b/files/etc/unbound/unbound.conf
diff --git a/tasks/common.yml b/tasks/common.yml
@@ -112,3 +112,22 @@
   copy:
     content: ""
     dest: "/etc/motd"
+
+- name: Install unbound
+  when: ansible_distribution == "Debian"
+  apt:
+    name: unbound
+
+- name: Add Unbound config
+  when: ansible_distribution == "Debian"
+  template:
+    src: "etc/unbound/unbound.conf.j2"
+    dest: "/etc/unbound/unbound.conf"
+  notify: unbound restart
+
+- name: Set DNS resolver to Unbound in DHCP config
+  when: ansible_distribution == "Debian"
+  lineinfile:
+    dest: /etc/dhcp/dhclient.conf
+    regexp: "^prepend domain-name-servers"
+    line: "prepend domain-name-servers 127.0.0.1;"
diff --git a/tasks/host.yml b/tasks/host.yml
@@ -33,25 +33,6 @@
       - fail2ban
       - haveged
 
-- name: Install unbound
-  when: ansible_distribution == "Debian"
-  apt:
-    name: unbound
-
-- name: Add Unbound config
-  when: ansible_distribution == "Debian"
-  copy:
-    src: "etc/unbound/unbound.conf"
-    dest: "/etc/unbound/"
-  notify: unbound restart
-
-- name: Set DNS resolver to Unbound in DHCP config
-  when: ansible_distribution == "Debian"
-  lineinfile:
-    dest: /etc/dhcp/dhclient.conf
-    regexp: "^prepend domain-name-servers"
-    line: "prepend domain-name-servers 127.0.0.1;"
-
 - name: Set swappiness to 5
   sysctl:
     name: vm.swappiness
diff --git a/templates/etc/unbound/unbound.conf.j2 b/templates/etc/unbound/unbound.conf.j2
@@ -0,0 +1,18 @@
+include: "/etc/unbound/unbound.conf.d/*.conf"
+
+hide-identity: yes
+hide-version: yes
+use-caps-for-id: yes
+prefetch: yes
+
+{% if ansible_distribution_release == 'buster' %}
+tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes
+  forward-addr: 2a07:a8c0::#{{ inventory_hostname }}-{{ nextdns_config_name }}.dns1.nextdns.io
+  forward-addr: 2a07:a8c1::#{{ inventory_hostname }}-{{ nextdns_config_name }}.dns2.nextdns.io
+  forward-addr: 45.90.28.0#{{ inventory_hostname }}-{{ nextdns_config_name }}.dns1.nextdns.io
+  forward-addr: 45.90.30.0#{{ inventory_hostname }}-{{ nextdns_config_name }}.dns2.nextdns.io
+{% endif %}
