baseline_dnscrypt_proxy
The cake function baseline_dnscrypt_proxy installs dnscrypt-proxy, a DNS resolver that sends encrypted queries to compatible DNS providers.
Its purpose is to:
- have internal DNS
- define DNS records for the internal private domain (cus.int) without setting up the records with the actual domain provider
- not rely on the cloud provider's DNS system
The dnscrypt-proxy daemon listens on 127.0.0.1:53, which is the nameserver defined in the server's /etc/resolv.conf file.
Information
Key | Value |
---|---|
Playbook path | plays/baseline/dnscrypt-proxy.yml |
Role | https://git.blunix.com/ansible-roles/role-dnscrypt-proxy |
Tags | https://git.blunix.com/ansible-roles/role-dnscrypt-proxy/-/tags |
Defaults | https://git.blunix.com/ansible-roles/role-dnscrypt-proxy/-/blob/master/defaults/main.yml |

Config file | Description |
---|---|
/etc/dnscrypt-proxy/dnscrypt-proxy.toml | Main config file |
/etc/dnscrypt-proxy/cloaking-rules.txt | Contains all internally available domains for the server-to-server mesh and employee VPN |
Example /etc/dnscrypt-proxy/cloaking-rules.txt:

```text
# inventory_hostname
cus-tool-prod-jenkins-1 172.16.16.29
cus-tool-prod-jenkins-1.cus.pm 172.16.16.29
cus-tool-prod-jenkins-1.cus.pub 172.16.16.29
# wg_mesh_aliases
jenkins 172.16.16.29
jenkins.cus.pm 172.16.16.29
jenkins.cus.pub 172.16.16.29
```
Example
Define the internal private and internal public domain for this company in inventory/group_vars/all.yml:

```yaml
internal_private_domain: "cus.int"
internal_public_domain: "cus.pub"
```
Make this group of hosts reachable under the names "backup", "backup.cus.int" and "backup.cus.pub" (round-robin DNS across the group's hosts unless host_vars are used) in inventory/group_vars/util_backup.yml:

```yaml
wg_mesh_aliases:
- backup
```
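To show how the inventory values above turn into cloaking rules, here is an added Python example (not the role's own Jinja template) that renders a cloaking-rules.txt from a constructed inventory, parses it back, and lists the names that resolve round-robin because several hosts share one wg_mesh_aliases entry. The inventory, the IP addresses and the function names are assumptions for the example.

```python
import ipaddress

# Constructed sample inventory (not the role's data):
# inventory_hostname -> {"ip": mesh address, "wg_mesh_aliases": [...]}
INVENTORY = {
    "cus-tool-prod-jenkins-1": {"ip": "172.16.16.29", "wg_mesh_aliases": ["jenkins"]},
    "cus-util-prod-backup-1": {"ip": "172.16.16.41", "wg_mesh_aliases": ["backup"]},
    "cus-util-prod-backup-2": {"ip": "172.16.16.42", "wg_mesh_aliases": ["backup"]},
}
INTERNAL_PRIVATE_DOMAIN = "cus.int"
INTERNAL_PUBLIC_DOMAIN = "cus.pub"


def render_cloaking_rules(inventory, private_domain, public_domain):
    """Return cloaking-rules.txt text: one '<name> <ip>' line per name.
    Each host gets its bare inventory_hostname plus both internal domains,
    then the same three forms for every alias. An alias shared by several
    hosts yields one line per host, which dnscrypt-proxy answers round-robin."""
    lines = []
    for hostname, host in inventory.items():
        ip = str(ipaddress.ip_address(host["ip"]))  # ValueError on a malformed address
        lines.append("# inventory_hostname")
        for name in (hostname, f"{hostname}.{private_domain}", f"{hostname}.{public_domain}"):
            lines.append(f"{name} {ip}")
        lines.append("# wg_mesh_aliases")
        for alias in host.get("wg_mesh_aliases", []):
            for name in (alias, f"{alias}.{private_domain}", f"{alias}.{public_domain}"):
                lines.append(f"{name} {ip}")
    return "\n".join(lines) + "\n"


def parse_cloaking_rules(text):
    """Parse cloaking-rules.txt into {name: [ip, ...]}, skipping comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, target = line.split()
        table.setdefault(name.lower(), []).append(target)
    return table


def round_robin_names(table):
    """Names with more than one address, i.e. those served round-robin."""
    return sorted(name for name, ips in table.items() if len(ips) > 1)
```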