
[debops.unbound] Disable DNS-over-HTTPS support

drybjed committed Sep 28, 2019
1 parent 1cdf48b commit 92929d45f484d856daa6948c2c4e9ddf5d06f927
Showing with 21 additions and 0 deletions.
  1. +9 −0 CHANGELOG.rst
  2. +12 −0 ansible/roles/debops.unbound/defaults/main.yml
@@ -75,6 +75,15 @@ LDAP
:ref:`debops.saslauthd` Ansible role. Both humans and machines can
authenticate to the OpenLDAP directory using their respective LDAP objects.

:ref:`debops.unbound` role
''''''''''''''''''''''''''

- The role will tell the client applications to `disable DNS-over-HTTPS
support`__ using the ``use-application-dns.net`` DNS record. This should
allow connections to internal sites and preserve the split-DNS functionality.

.. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
Changed
~~~~~~~

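Review bot: the anonymous hyperlink target line ".. __: https://support.mozilla.org/..." is immediately followed by the "Changed" heading with no blank line in between, so docutils will report "Explicit markup ends without a blank line; unexpected unindent." when the changelog is built; add an empty line after the target. Separately, "tell the client applications to disable DNS-over-HTTPS support" claims more than the linked Mozilla page supports: the canary domain is only consulted by clients that implement the check (Firefox's automatic DoH rollout) and is ignored when a user has turned DoH on explicitly, so the entry should say the role publishes the canary signal rather than that it disables DoH in clients.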
@@ -132,6 +132,18 @@ unbound__combined_remote_control: '{{ unbound__default_remote_control
# List of forward or stub DNS zones defined by the role.
unbound__default_zones:

- name: 'block-dns-over-https'
comment: |
Blocking the 'use-application-dns.net' domain instructs the applications
that support DNS over HTTPS to not use it and rely on the system resolver
instead. This might be required for certain applications to support
access to internal services, resolve split-DNS correctly, etc.
Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
zone: 'use-application-dns.net.'
type: 'local'
local_zone_type: 'always_nxdomain'

- name: 'lxc-net'
comment: |
Support for resolving LXC container hosts that use the 'lxc-net' bridge

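Review bot: the 'comment' text for the 'block-dns-over-https' zone overstates the effect: "instructs the applications that support DNS over HTTPS to not use it" reads as if every DoH-capable client obeys, while per the referenced Mozilla page only clients that check the canary domain react, and a user who enabled DoH manually is not affected; suggest "instructs applications that honour the use-application-dns.net canary domain". The 'always_nxdomain' local zone type is the right mechanism here, since an NXDOMAIN answer for any name under 'use-application-dns.net.' is exactly the signal the canary check looks for; it would help operators to add to the comment how to confirm it after the role runs, for example "dig @127.0.0.1 use-application-dns.net A" returning status NXDOMAIN. Finally, because the entry lives in 'unbound__default_zones', a deployment that overrides that list silently drops the block; worth a sentence in the role documentation.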