[debops.unbound] Disable DNS-over-HTTPS support

debops · Sep 28, 2019 · 92929d4 · 92929d4
1 parent 1cdf48b
commit 92929d4
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -75,6 +75,15 @@ LDAP
   :ref:`debops.saslauthd` Ansible role. Both humans and machines can
   authenticate to the OpenLDAP directory using their respective LDAP objects.
 
+:ref:`debops.unbound` role
+''''''''''''''''''''''''''
+
+- The role will tell the client applications to `disable DNS-over-HTTPS
+  support`__ using the ``use-application-dns.net`` DNS record. This should
+  allow connections to internal sites and preserve the split-DNS functionality.
+
+  .. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+
 Changed
 ~~~~~~~
 

diff --git a/ansible/roles/debops.unbound/defaults/main.yml b/ansible/roles/debops.unbound/defaults/main.yml
@@ -132,6 +132,18 @@ unbound__combined_remote_control: '{{ unbound__default_remote_control
 # List of forward or stub DNS zones defined by the role.
 unbound__default_zones:
 
+  - name: 'block-dns-over-https'
+    comment: |
+      Blocking the 'use-application-dns.net' domain instructs the applications
+      that support DNS over HTTPS to not use it and rely on the system resolver
+      instead. This might be required for certain applications to support
+      access to internal services, resolve split-DNS correctly, etc.
+
+      Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+    zone: 'use-application-dns.net.'
+    type: 'local'
+    local_zone_type: 'always_nxdomain'
+
   - name: 'lxc-net'
     comment: |
       Support for resolving LXC container hosts that use the 'lxc-net' bridge