hswaw/customs: improve unbound config
Change-Id: Ic616033897b87f692ee92a106b417423a09d630b Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1456 Reviewed-by: informatic <informatic@hackerspace.pl>
parent
ee8f1d5e2c
commit
3125aa1186
1 changed files with 24 additions and 4 deletions
|
@ -497,27 +497,47 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.unbound = {
|
||||
services.unbound = let
|
||||
local-zones = [ "waw.hackerspace.pl." "api.eye.fi." "api.ustream.tv." "i." ];
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
#enableRootTrustAnchor = false;
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
interface = [
|
||||
networks.lan.ipv4
|
||||
networks.lan.ipv6
|
||||
"127.0.0.1"
|
||||
"::1"
|
||||
# networks.lan.ipv6 TODO
|
||||
];
|
||||
access-control = [
|
||||
"::1/128 allow"
|
||||
"127.0.0.1/8 allow"
|
||||
"10.0.0.0/8 allow"
|
||||
"${networks.lan.ipv6}/64 allow"
|
||||
"${networks.lan.ipv4}/8 allow"
|
||||
];
|
||||
|
||||
# disable DNSSEC on locally resolved domains
|
||||
domain-insecure = local-zones;
|
||||
|
||||
# allow LAN adresses only for local domains
|
||||
private-domain = local-zones;
|
||||
private-address = [
|
||||
"10.0.0.0/8"
|
||||
"${networks.lan.ipv6}/64"
|
||||
];
|
||||
};
|
||||
|
||||
# authoritative DNS servers
|
||||
stub-zone = map (name: {
|
||||
name = name;
|
||||
inherit name;
|
||||
stub-addr = networks.uplink.ipv4;
|
||||
}) [ "waw.hackerspace.pl" "api.eye.fi" "api.ustream.tv" "i" ];
|
||||
}) local-zones;
|
||||
|
||||
# recursive DNS servers
|
||||
forward-zone = {
|
||||
name = ".";
|
||||
forward-addr = "185.236.240.1";
|
||||
|
|
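Review bot: The `private-address` list in `server` covers only `10.0.0.0/8` and the LAN IPv6 /64, so a public name resolving into any other internal range would still pass unbound's rebinding filter. If clients of this resolver can reach such ranges, extend the list with the remaining blocks, e.g. `"172.16.0.0/12" "192.168.0.0/16" "169.254.0.0/16" "fd00::/8" "fe80::/10"`. In `access-control`, `"${networks.lan.ipv4}/8 allow"` puts a /8 mask on the host's LAN address: it duplicates `"10.0.0.0/8 allow"` if that address lies inside 10/8 and is much wider than the LAN otherwise, so it should carry the real LAN prefix length. The comment above `domain-insecure` should also say why the third-party names `api.eye.fi.` and `api.ustream.tv.` are in `local-zones`, since DNSSEC validation is switched off for them and their answers come from the local stub. The `services.unbound` attribute set starts inside this hunk but its closing lines are outside it.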