Create overrides for unbound blocking. Locations come from Guardian

edwinsteele · edwinsteele · commit d09dad7b8db3 · 2020-01-05T07:36:44.000+11:00
diff --git a/ansible/roles/firewall/files/unbound-default-adhosts.conf b/ansible/roles/firewall/files/unbound-default-adhosts.conf
@@ -0,0 +1,6 @@
+local-zone: "jado.iad.appboy.com" redirect
+local-data: "jado.iad.appboy.com A 0.0.0.0"   # Braze
+local-zone: "sdk.iad-03.braze.com" redirect
+local-data: "sdk.iad-03.braze.com A 0.0.0.0"
+local-zone: "mobile-collector.newrelic.com" redirect
+local-data: "mobile-collector.newrelic.com A 0.0.0.0"
diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml
@@ -34,6 +34,15 @@
     mode: 0644
   notify: Restart unbound
 
+- name: Copy default ad blocking config
+  copy:
+    src: unbound-default-adhosts.conf
+    dest: /var/unbound/etc/unbound-default-adhosts.conf
+    owner: root
+    group: wheel
+    mode: 0644
+  notify: Restart unbound
+
 - name: Copy script to populate ad blocking config
   copy:
     src: generate_unbound_ads_conf.sh
diff --git a/ansible/roles/firewall/templates/unbound_conf.j2 b/ansible/roles/firewall/templates/unbound_conf.j2
@@ -13,6 +13,7 @@ server:
 # Enable dnssec
 auto-trust-anchor-file: "/db/root.key"
 
+include: /var/unbound/etc/unbound-default-adhosts.conf
 include: /var/unbound/etc/unbound-adhosts.conf
 include: /var/unbound/etc/unbound-local-data.conf
 
