Enable DNS over TLS support for local resolvers
Currently uses the local CA.
This commit is contained in:
parent
581484d207
commit
8bdf278ea6
4 changed files with 31 additions and 4 deletions
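--- a/[file 1: path not shown on page]
+++ b/[file 1: path not shown on page]
@@ -70,6 +70,24 @@
 owner: root
 group: "{{ ansible_wheel }}"
 
+- name: copy dns private key
+copy:
+dest: "{{ tls_private }}/dns.home.foo.sh.key"
+src: /srv/ca/private/dns.home.foo.sh.key
+mode: 0600
+owner: root
+group: "{{ ansible_wheel }}"
+tags: certificate
+notify: restart unbound
+- name: copy dns certificate and ca cert
+copy:
+dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
+src: /srv/ca/certs/dns.home.foo.sh.crt
+mode: 0644
+owner: root
+group: "{{ ansible_wheel }}"
+tags: certificate
+notify: restart unbound
 - name: copy dns zone files
 copy:
 dest: "/var/unbound/db/{{ item }}"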
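Review bot: The task named `copy dns certificate and ca cert` copies only `dns.home.foo.sh.crt`; the `{{ tls_certs }}/ca.crt` that this commit's unbound templates reference as `tls-cert-bundle` is not copied anywhere in the hunk, so either it is provisioned by another task and the name overstates what this one does, or unbound will likely refuse to start on a missing bundle. If it comes from elsewhere, rename the task to `- name: copy dns certificate`. Two smaller points: the two new tasks are not separated by a blank line from each other or from `copy dns zone files`, unlike the surrounding tasks, and `mode: 0600` / `mode: 0644` depend on YAML octal parsing, where the quoted form `mode: "0600"` is the one the Ansible docs recommend. The private key is placed root-owned at 0600, which is the right exposure for it; it is worth confirming that `{{ tls_private }}` is a path unbound can read before it drops privileges and enters its chroot.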
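--- a/[file 2: path not shown on page]
+++ b/[file 2: path not shown on page]
@@ -50,6 +50,7 @@ pass in quick on $int_if proto tcp from $int_net to self port 4949
 
 # allow dns queries from internal net
 pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain
+pass in quick on $int_if proto tcp from $int_net to self port domain-s
 
 # allow tftp from internal net
 pass in quick on $int_if proto udp from $int_net to self port tftp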
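Review bot: The added `domain-s` rule sits under the `# allow dns queries from internal net` comment, which describes only the plain-DNS rule above it; every other rule in this file carries its own label, so a line `# allow dns over tls from internal net` above the new rule would keep that convention. The rule also relies on `domain-s` resolving to 853 in the host's /etc/services; writing `port 853` (or a macro) avoids a ruleset load failure on a system whose services file lacks that alias. Restricting the new listener to `$int_if` from `$int_net`, exactly like the existing DNS rule, is the right exposure for an internal resolver.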
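--- a/[file 3: path not shown on page]
+++ b/[file 3: path not shown on page]
@@ -2,9 +2,13 @@
 server:
 interface: 127.0.0.1
 interface: ::1
-interface: 172.20.20.10
-interface: 172.20.21.1
+interface: 172.20.20.10@53
+interface: 172.20.20.10@853
+interface: 172.20.21.1@53
 
+tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
+tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+tls-cert-bundle: {{ tls_certs }}/ca.crt
 
 access-control: 127.0.0.0/8 allow
 access-control: ::1 allow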
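Review bot: Only `172.20.20.10` gets an `@853` listener; `172.20.21.1` here (and `172.20.21.2` in the fourth file's identical hunk) stays at `@53` only, so clients that reach the resolver on the 172.20.21.x address cannot use DNS over TLS even though the pf change in this commit opens 853 on `$int_if`. If that is intended, a one-line comment saying so in the template would help; otherwise add `interface: 172.20.21.1@853` (and the matching line in the other template). Note also that `tls-cert-bundle` is the CA set unbound uses to authenticate connections it makes to outside peers, such as DNS-over-TLS forwarders, not part of the certificate chain it serves; pointing it at the local CA alone means any TLS forwarding to a public resolver would fail verification unless that resolver's CA is also in `ca.crt`. Whether such forwarding is configured is outside this hunk. Finally, if the local CA signs `dns.home.foo.sh.crt` through an intermediate, `tls-service-pem` needs to contain that intermediate too, since clients will only hold the root.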
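--- a/[file 4: path not shown on page]
+++ b/[file 4: path not shown on page]
@@ -2,9 +2,13 @@
 server:
 interface: 127.0.0.1
 interface: ::1
-interface: 172.20.20.10
-interface: 172.20.21.2
+interface: 172.20.20.10@53
+interface: 172.20.20.10@853
+interface: 172.20.21.2@53
 
+tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
+tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
+tls-cert-bundle: {{ tls_certs }}/ca.crt
 
 access-control: 127.0.0.0/8 allow
 access-control: ::1 allow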