pfsense_dns_resolver
Orion Poplawski edited this page Jan 3, 2024
Manage pfSense DNS resolver (unbound) settings
ADDED IN: version 0.6.0 of pfsensible.core
OPTIONS (= is mandatory):

- active_interface
        Interface IPs used by the DNS Resolver for responding to queries from clients.
        default: [all]
        elements: str
        type: list

- cache_max_ttl
        The Maximum Time to Live (in seconds) for RRsets and messages in the cache.
        default: 86400
        type: int

- cache_min_ttl
        The Minimum Time to Live (in seconds) for RRsets and messages in the cache.
        default: 0
        type: int

- custom_options
        Additional configuration parameters.
        default: ''
        type: str

- dnssec
        Enable DNSSEC Support.
        default: false
        type: bool

- dnssecstripped
        If enabled, DNSSEC data is required for trust-anchored zones.
        default: true
        type: bool

- domainoverrides
        Domains for which the resolver's standard DNS lookup should be overridden.
        default: null
        elements: dict
        type: list

        SUBOPTIONS:

        - descr
                A description may be entered here for administrative reference.
                default: null
                type: str

        = domain
                Domain whose lookups will be directed to a user-specified DNS lookup server.
                type: str

        - forward_tls_upstream
                Use SSL/TLS for DNS Queries forwarded to this server.
                default: ''
                type: str

        = ip
                IPv4 or IPv6 address of the authoritative DNS server for this domain.
                type: str

        - tls_hostname
                An optional TLS hostname used to verify the server certificate when performing TLS Queries.
                default: ''
                type: str

- edns_buffer_size
        Number of bytes to advertise as the EDNS reassembly buffer size.
        choices: [auto, '512', '1220', '1232', '1432', '1480', '4096']
        default: auto
        type: str

- enablessl
        Enable SSL/TLS Service.
        default: false
        type: bool

- forward_tls_upstream
        Use SSL/TLS for DNS Query Forwarding.
        default: false
        type: bool

- forwarding
        DNS Query Forwarding.
        default: false
        type: bool

- hideidentity
        id.server and hostname.bind queries are refused.
        default: true
        type: bool

- hideversion
        version.server and version.bind queries are refused.
        default: true
        type: bool

- hosts
        Individual hosts for which the resolver's standard DNS lookup should be overridden.
        default: []
        elements: dict
        type: list

        SUBOPTIONS:

        - aliases
                Additional names for this host.
                default: []
                elements: dict
                type: list

                SUBOPTIONS:

                = description
                        A description may be entered here for administrative reference.
                        type: str

                = domain
                        Parent domain of the host.
                        type: str

                = host
                        Name of the host, without the domain part.
                        type: str

        - descr
                A description may be entered here for administrative reference.
                default: ''
                type: str

        = domain
                Parent domain of the host.
                type: str

        = host
                Name of the host, without the domain part.
                type: str

        = ip
                IPv4 or IPv6 comma-separated addresses to be returned for the host.
                type: str

- incoming_num_tcp
        Number of incoming TCP buffers to allocate per thread.
        choices: [0, 10, 20, 30, 50]
        default: 10
        type: int

- infra_cache_numhosts
        Number of infrastructure hosts for which information is cached.
        choices: [1000, 5000, 10000, 20000, 50000, 100000, 200000]
        default: 10000
        type: int

- infra_host_ttl
        Time to Live, in seconds, for entries in the infrastructure host cache.
        choices: [60, 120, 300, 600, 900]
        default: 900
        type: int

- jostle_timeout
        This timeout (in milliseconds) is used for when the server is very busy.
        choices: [100, 200, 500, 1000]
        default: 200
        type: int

- log_verbosity
        The level of detail to be logged.
        choices: [0, 1, 2, 3, 4, 5]
        default: 1
        type: int

- msgcachesize
        Message cache size in MB.
        choices: [4, 10, 20, 50, 100, 250, 512]
        default: 4
        type: int

- num_queries_per_thread
        Number of queries that every thread will service simultaneously.
        choices: [512, 1024, 2048]
        default: 512
        type: int

- outgoing_interface
        Utilize different network interface(s) that the DNS Resolver will use to send queries to
        authoritative servers and receive their replies.
        default: [all]
        elements: str
        type: list

- outgoing_num_tcp
        Number of outgoing TCP buffers to allocate per thread.
        choices: [0, 10, 20, 30, 50]
        default: 10
        type: int

- port
        Listen Port.
        default: null
        type: int

- prefetch
        Message cache elements are prefetched before they expire to help keep the cache up to date.
        default: false
        type: bool

- prefetchkey
        DNSKEYs are fetched earlier in the validation process when a Delegation Signer is encountered.
        default: false
        type: bool

- regdhcp
        Register DHCP leases in the DNS Resolver.
        default: false
        type: bool

- regdhcpstatic
        Register DHCP static mappings in the DNS Resolver.
        default: false
        type: bool

- regovpnclients
        Register OpenVPN clients in the DNS Resolver.
        default: false
        type: bool

- sslcert
        Description of the server certificate to use for SSL/TLS service.
        default: ''
        type: str

- state
        Enable/Disable DNS Resolver.
        choices: [present, absent]
        default: present
        type: str

- system_domain_local_zone_type
        The local-zone type used for the pfSense system domain.
        choices: [deny, refuse, static, transparent, typetransparent, redirect, inform, inform_deny, nodefault]
        default: transparent
        type: str

- tlsport
        SSL/TLS Listen Port.
        default: null
        type: int

- unwanted_reply_threshold
        If enabled, a total number of unwanted replies is kept track of in every thread.
        choices: [disabled, '5000000', '10000000', '20000000', '40000000', '50000000']
        default: disabled
        type: str

AUTHOR: Chris Liu (@chris-cyliu), Daniel Huss (@danhuss)

METADATA:
        metadata_version: '1.1'
        status:
        - preview
        supported_by: community
EXAMPLES:

- name: Enable DNS Resolver
  pfsense_dns_resolver:
    state: present

- name: Enable DNS Resolver with some options
  pfsense_dns_resolver:
    state: present
    enablessl: true
    sslcert: "webConfigurator default"
    dnssec: true
    regdhcp: true
    regdhcpstatic: true
    hosts:
      - { host: test, domain: home.local, ip: 192.168.1.100, descr: "Example host override",
          aliases: [{ host: test-admin, domain: home.local, description: "Example aliases" }] }

- name: Disable DNS Resolver
  pfsense_dns_resolver:
    state: absent
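The module examples above only toggle the resolver; the playbook below is an added example (not part of the pfsensible.core project or its documentation) that combines the options listed on this page into a hardened resolver profile. It assumes an inventory group named pfsense, a pfSense interface named lan, a certificate whose description is "webConfigurator default", constructed internal addresses and names under corp.example, and that the upstream DNS servers used for forwarding are already configured in pfSense under System > General Setup.

```yaml
# Added example, not from the pfsensible.core project. Assumed: inventory
# group "pfsense", interface "lan", certificate "webConfigurator default",
# constructed corp.example addresses, upstream forwarders set in pfSense.
- name: Harden the pfSense DNS Resolver (unbound)
  hosts: pfsense
  gather_facts: false
  tasks:
    - name: Apply DNSSEC, TLS forwarding and anti-spoofing settings
      pfsensible.core.pfsense_dns_resolver:
        state: present
        # Listen only on the LAN-side address (assumed interface name).
        active_interface: [lan]
        outgoing_interface: [all]
        # Validate responses and require DNSSEC data for trust-anchored zones;
        # prefetchkey fetches DNSKEYs early so validation does not stall.
        dnssec: true
        dnssecstripped: true
        prefetchkey: true
        # Forward to the configured upstream servers over TLS only. The
        # upstream must return DNSSEC records or validation will fail.
        forwarding: true
        forward_tls_upstream: true
        # Offer DNS over TLS to LAN clients with the assumed certificate.
        enablessl: true
        sslcert: "webConfigurator default"
        # Refuse id.server/hostname.bind and version.server/version.bind probes.
        hideidentity: true
        hideversion: true
        # After this many unsolicited replies per thread, unbound flushes its
        # caches; this limits the window for cache-poisoning attempts.
        unwanted_reply_threshold: '10000000'
        # Advertise a 1232-byte EDNS buffer to avoid fragmented UDP responses.
        edns_buffer_size: '1232'
        # Refresh popular records before expiry without inflating TTLs.
        prefetch: true
        cache_min_ttl: 0
        cache_max_ttl: 86400
        log_verbosity: 1
        # Direct an internal zone to its own authoritative server (constructed).
        domainoverrides:
          - domain: corp.example
            ip: 10.0.0.53
            descr: Internal authoritative server
        # Static answer for a host that must never be resolved upstream.
        hosts:
          - host: vault
            domain: corp.example
            ip: 10.0.0.10
            descr: Secrets service (constructed address)
```

With forwarding enabled, pfSense uses the DNS servers from System > General Setup as the forwarders, so confirm those support DNSSEC and TLS before enabling dnssec and forward_tls_upstream together.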