server:
verbosity: 1
- # specify the interfaces to answer queries from by ip-address.
- # The default is to listen to localhost (127.0.0.1 and ::1).
- # specify 0.0.0.0 and ::0 to bind to all available interfaces.
- # specify every interface[@port] on a new 'interface:' labelled line.
- # The listen interfaces are not changed on reload, only on restart.
- # interface: 192.0.2.153
- # interface: 192.0.2.154
- # interface: 192.0.2.154@5003
- # interface: 2001:DB8::5
-
- # enable this feature to copy the source address of queries to reply.
- # Socket options are not supported on all platforms. experimental.
+<% if (@is_recursor and (not @client_ranges.empty?)) -%>
+ interface: 0.0.0.0
+ interface: ::0
+
interface-automatic: yes
- # control which clients are allowed to make (recursive) queries
- # to this server. Specify classless netblocks with /size and action.
- # By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply),
- # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
- # access-control: 0.0.0.0/0 refuse
- # access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
- # access-control: ::1 allow
- # access-control: ::ffff:127.0.0.1 allow
+ access-control: 0.0.0.0/0 refuse
+ access-control: ::0/0 refuse
+ access-control: 127.0.0.0/8 allow
+ access-control: ::0/0 refuse
+ access-control: ::1 allow
+ access-control: ::ffff:127.0.0.1 allow
+<% @client_ranges.to_a.flatten.each do |net| -%>
+ access-control: <%= net -%> allow
+<% end -%>
+<% end -%>
#chroot: ""
hide-identity: yes
hide-version: yes
- use-caps-for-id: yes
-
# Do not query the following addresses. No DNS queries are sent there.
# List one address per entry. List classless netblocks with /size,
# do-not-query-address: 127.0.0.1/8
# auto-trust-anchor-file: ""
auto-trust-anchor-file: "/var/lib/unbound/root.key"
auto-trust-anchor-file: "/var/lib/unbound/debian.org.key"
+<% if not @firewall_blocks_dns %>
+ auto-trust-anchor-file: "/var/lib/unbound/29.172.in-addr.arpa.key"
+<% end -%>
+
+ prefetch: yes
+ prefetch-key: yes
+
+
+<% if not @firewall_blocks_dns %>
+local-zone: "29.172.in-addr.arpa" nodefault
+forward-zone:
+ name: "29.172.in-addr.arpa"
+ forward-host: geo1.debian.org
+ forward-host: geo2.debian.org
+ forward-host: geo3.debian.org
+<% end -%>
-#forward-zone:
-# name: "."
-# forward-addr: 192.0.2.1
-# forward-addr: 192.0.2.199
+# recursive: <%= @is_recursor ? "y" : "n" %>
+<% if not @is_recursor -%>
+forward-zone:
+ name: "."
+<% @ns.to_a.flatten.each do |nms| -%>
+ forward-addr: <%= nms %>
+<% end -%>
+ forward-first: yes
+<% end -%>
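Review bot: `access-control: ::0/0 refuse` is emitted twice in the new recursor block (L31 and L33); Unbound tolerates the duplicate, but it reads like a leftover from regrouping the 0.0.0.0/0 and 127.0.0.0/8 entries, so drop one of the two lines so the list stays one entry per netblock. The `forward-zone` for `.` at the end sets `forward-first: yes`, which means that when every address from @ns fails the host quietly falls back to full recursion against the root servers instead of answering SERVFAIL; on a non-recursor behind a firewall that blocks DNS this only produces blocked traffic, and elsewhere it sidesteps whatever filtering the forwarders provide, so consider `forward-first: no` unless the fallback is deliberate, and a comment stating the intent either way. The hunk also drops `use-caps-for-id: yes` without explanation; that option randomises query-name case (0x20), which increases what an off-path attacker must guess to forge a cache-poisoning reply, so if it was removed for compatibility with the forwarders a comment recording that would help the next reader. Each `<%= net -%>` from @client_ranges is interpolated into the config unchecked, so a malformed value in that data breaks the whole unbound configuration at load time rather than only its own line; validating entries as CIDR netblocks in the manifest, or at least noting that expectation in a comment above the loop, would make the failure mode explicit.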