
[debops.unbound] Allow non-recursive queries on AC

drybjed committed Oct 6, 2019
1 parent 5c65138 commit 30fd21848cf2a1639fddc25aa04e990d0c3584aa
Showing with 30 additions and 1 deletion.
  1. +5 −0 CHANGELOG.rst
  2. +21 −1 ansible/roles/debops.unbound/defaults/main.yml
  3. +4 −0 ansible/roles/debops.unbound/tasks/main.yml
@@ -115,6 +115,11 @@ LDAP

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
- The role will configure the :command:`unbound` daemon to allow non-recursive
access to DNS queries when a host is managed by Ansible locally, with
assumption that it's an Ansible Controller host. This change unblocks use of
the :command:`dig +trace` and similar commands.

Changed
~~~~~~~
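Review bot: the changelog entry should state the scope of the new permission, which the defaults hunk limits to the loopback ranges `127.0.0.0/8` and `::1/128` via `access-control: ... allow_snoop`; as written, "allow non-recursive access to DNS queries" could be read as applying to every client of the resolver. Consider "The role will configure the :command:`unbound` daemon to allow non-recursive queries from localhost (``allow_snoop``) when a host is managed by Ansible locally, on the assumption that it is an Ansible Controller host." This also fixes the grammar of "with assumption that".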

@@ -36,7 +36,27 @@ unbound__packages: []
# .. envvar:: unbound__default_server [[[
#
# The default Unbound 'server' configuration defined by the role.
unbound__default_server: []
unbound__default_server:

- name: 'localhost-allow_snoop'
option: 'access-control'
comment: |
By default unbound blocks non-recursive queries to prevent abuse; this
prevents commands like 'dig +trace' from working correctly. Since query
tracing is a useful debugging and diagnostic tool, non-recursive queries
will be allowed when the host is managed locally with assumption that
this is an administrator's machine.
value:

- name: '127.0.0.0/8'
args: 'allow_snoop'

- name: '::1/128'
args: 'allow_snoop'

state: '{{ "present"
if (unbound__fact_ansible_connection == "local")
else "ignore" }}'

# ]]]
# .. envvar:: unbound__server [[[
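Review bot: the `state` expression dereferences `unbound__fact_ansible_connection` directly, so if this default is ever rendered before the `set_fact` task in `tasks/main.yml` has run (for example when the variable is inspected from another role or from a tag-limited play), the template fails with an undefined-variable error instead of falling back to "ignore"; suggest `(unbound__fact_ansible_connection | d("")) == "local"`. The inline comment would also benefit from a sentence noting that `allow_snoop` is a superset of `allow`, so it grants both recursive and non-recursive (cache-inspecting) access, which is why the entry is deliberately restricted to the loopback ranges rather than to any wider network.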
@@ -1,5 +1,9 @@
---

- name: Create a fact that knows the Ansible connection type
set_fact:
unbound__fact_ansible_connection: '{{ ansible_connection }}'

- name: Create Unbound configuration directory
file:
path: '/etc/unbound/unbound.conf.d'
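Review bot: this `set_fact` task has no tags, yet its result is consumed by a value in `defaults/main.yml`; in a tag-limited run that skips it, the default that references `unbound__fact_ansible_connection` will be evaluated against an undefined variable. Consider `tags: [ 'always' ]` on this task so the fact exists on every invocation of the role, and guard the source with `'{{ ansible_connection | d("") }}'` so a host without an explicit connection setting does not fail at this step either.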
