From 8bdf278ea645db6c661b87bfa1e7139ec6f69897 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 29 Sep 2021 19:09:58 +0000
Subject: [PATCH] Enable DNS over TLS support for local resolvers

Currently uses local CA.
---
 playbooks/dna-gw.yml | 18 ++++++++++++++++++
 roles/pf/files/pf.conf.gw_home | 1 +
 .../unbound.conf.dna-gw01.home.foo.sh.j2 | 8 ++++++--
 .../unbound.conf.dna-gw02.home.foo.sh.j2 | 8 ++++++--
 4 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/playbooks/dna-gw.yml b/playbooks/dna-gw.yml
index e98068c..b63b253 100644
--- a/playbooks/dna-gw.yml
+++ b/playbooks/dna-gw.yml
@@ -70,6 +70,24 @@
 owner: root
 group: "{{ ansible_wheel }}"
+ - name: copy dns private key
+ copy:
+ dest: "{{ tls_private }}/dns.home.foo.sh.key"
+ src: /srv/ca/private/dns.home.foo.sh.key
+ mode: 0600
+ owner: root
+ group: "{{ ansible_wheel }}"
+ tags: certificate
+ notify: restart unbound
+ - name: copy dns certificate and ca cert
+ copy:
+ dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
+ src: /srv/ca/certs/dns.home.foo.sh.crt
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+ tags: certificate
+ notify: restart unbound
 - name: copy dns zone files
 copy:
 dest: "/var/unbound/db/{{ item }}"
diff --git a/roles/pf/files/pf.conf.gw_home b/roles/pf/files/pf.conf.gw_home
index 89f0a92..58053d0 100644
--- a/roles/pf/files/pf.conf.gw_home
+++ b/roles/pf/files/pf.conf.gw_home
@@ -50,6 +50,7 @@ pass in quick on $int_if proto tcp from $int_net to self port 4949
 # allow dns queries from internal net
 pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
+pass in quick on $int_if proto tcp from $int_net to self port domain-s
 # allow tftp from internal net
 pass in quick on $int_if proto udp from $int_net to self port tftp
diff --git a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
index b905382..85318f6 100644
--- a/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
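Review bot: The octal modes on the two new copy tasks are unquoted (`mode: 0600`, `mode: 0644`); Ansible accepts a leading-zero literal, but its documentation and ansible-lint recommend the string form so the YAML loader can never reinterpret the value — `mode: "0600"` and `mode: "0644"`. The second task is named "copy dns certificate and ca cert" but copies only dns.home.foo.sh.crt, while the unbound templates in this commit reference {{ tls_certs }}/ca.crt; either ca.crt is deployed by a task outside this diff or the task name should be corrected. With the key owned by root at mode 0600, Unbound can only read it if it loads tls-service-key before dropping privileges (and, where it runs chrooted, if the path is reachable from the chroot) — worth confirming on the target platform and, if needed, handled with a short comment on the task. The enclosing task list continues outside the hunk.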
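Review bot: The comment above the new rule still reads `# allow dns queries from internal net`, which no longer describes the block now that a TCP-only DNS-over-TLS rule sits under it; `# allow dns and dns-over-tls queries from internal net` would cover both lines. The rule also relies on `domain-s` being present in the host's services database, and pfctl will not load a ruleset with an unresolvable service name, so a literal `853` is the more portable spelling if that database cannot be assumed. The rule permits 853 on every $int_if address while the unbound templates in this commit listen for TLS only on 172.20.20.10; that is harmless, but the mismatch is worth a note so a later reader does not assume the other address serves DoT.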
+++ b/roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2
@@ -2,9 +2,13 @@ server:
 interface: 127.0.0.1
 interface: ::1
- interface: 172.20.20.10
- interface: 172.20.21.1
+ interface: 172.20.20.10@53
+ interface: 172.20.20.10@853
+ interface: 172.20.21.1@53
+ tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
+ tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+ tls-cert-bundle: {{ tls_certs }}/ca.crt
 access-control: 127.0.0.0/8 allow
 access-control: ::1 allow
diff --git a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2 b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
index 665bdaa..0d9cba9 100644
--- a/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
+++ b/roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2
@@ -2,9 +2,13 @@ server:
 interface: 127.0.0.1
 interface: ::1
- interface: 172.20.20.10
- interface: 172.20.21.2
+ interface: 172.20.20.10@53
+ interface: 172.20.20.10@853
+ interface: 172.20.21.2@53
+ tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
+ tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+ tls-cert-bundle: {{ tls_certs }}/ca.crt
 access-control: 127.0.0.0/8 allow
 access-control: ::1 allow
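Review bot: `tls-cert-bundle` is the wrong option for presenting the local CA to DoT clients — in Unbound it names the CA bundle used to authenticate outgoing TLS connections (forward-tls-upstream, auth-zone URLs), so pointing it at {{ tls_certs }}/ca.crt changes which upstreams this resolver will trust and has no effect on the listener on port 853. If the goal is for clients to receive the issuing CA, hand `tls-service-pem` a file containing the server certificate followed by the CA certificate; if no upstream TLS is configured on these hosts, the `tls-cert-bundle` line can simply be dropped. The 172.20.21.x address keeps only @53, so DoT is served on 172.20.20.10 alone — fine if intended, but a one-line comment in the template stating that would save the next reader a check. The same change appears in the unbound.conf.dna-gw02.home.foo.sh.j2 hunk, and the server: block continues outside both hunks.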