This cookbook installs Unbound, a validating, recursive, and caching DNS server.
The default configuration provides a simple caching DNS resolver that respects TTL values provided by authoritative nameservers. Advanced configuration enables routing of DNS requests through the use of stub zones and forward zones.
Modify the run_list of any role or node to include the default recipe.
run_list "recipe[pulse_unbound::default]"
Or use include_recipe in one of your own cookbooks.
include_recipe 'pulse_unbound::default'
Unbound is a DNS server that listens on udp/53 and tcp/53. In order to ensure that your servers are not used as part of a DNS Amplification Attack, you must ensure that port 53 (UDP and TCP) on your servers is not reachable from the public internet.
WARNING: Installing Unbound changes your /etc/resolv.conf
configuration. Once Unbound is installed, all DNS queries will be served by Unbound. If Unbound is configured incorrectly, chef-client will be unable to converge. It is a very good idea to test your configuration on a small number of servers first.
Stub zones are appropriate when the other nameserver is an authoritative nameserver, so you have to perform recursive processing yourself. Stub zones enable you to configure split-horizon DNS.
You might want to use a stub zone if you need to resolve names that don't exist in the global namespace of the internet. For example, if you are using Consul for service discovery then you could use Unbound to resolve DNS requests to the Consul agent.
Use override attributes to change the Unbound configuration.
override['pulse_unbound']['stub_zone']['consul'] = {
'stub_addr' => ['172.31.0.2@8600']
}
Need an authoritative DNS server to handle your stub zone? Unbound pairs well with NSD, also from NLnet labs.
Forward zones let you forward queries to some other nameserver. Forward zones are appropriate when the other nameserver is a recursive (caching) resolver that will perform recursion.
Here's how to forward all DNS queries from Unbound to Cisco OpenDNS.
override['pulse_unbound']['forward_zone']['.'] = {
'forward_addr' => ['208.67.222.222', '208.67.220.220']
}
node.override['pulse_unbound']['interface'] = {
'127.0.0.1' => true,
'172.17.0.1' => true,
}
Non-localhost interfaces must be supported by additional access control rules.
node.override['pulse_unbound']['access_control'] = {
'127.0.0.1/8' => 'allow',
'172.16.0.1/16' => 'allow',
}
Author: Nic Waller (nicholas.waller@enernoc.com)