support forwarding LAN zones to local LAN DNS

With this option enabled, if you connect to a local network which claims
to serve DNS for `mycorp.com`, unbound will forward DNS requests for
that domain to the local network DNS resolver.

If you connect to a local network which claims to serve DNS for a domain
like `mynetwork.lan` or `local.mesh`, and you have those domains
whitelisted in the `unbound.private_domains` var, you will be able to
successfully resolve those hostnames.

The `private_interfaces` option prevents forwarding the root zone to the
local network resolver. If the network claims to provide DNS for
`mycorp.com` and everything else, requests for `mycorp.com` will go to
the network's resolver, but requests for every other domain will still go
through unbound to the nameservers specified in the
`unbound.nameservers` var.

group_vars/all

@@ -155,6 +155,7 @@ unbound:
         - lan
         - mesh
         - private
+    allow_lan_dns: True
 
 bluetooth:
     disable: False

roles/openresolv/templates/resolvconf.conf.j2

@@ -2,4 +2,11 @@
 # See resolvconf.conf(5) for details
 
 resolv_conf=/etc/resolv.conf
-{% if unbound %}name_servers=127.0.0.1{% endif %}
+
+{% if unbound %}
+name_servers=127.0.0.1
+{% if unbound.allow_lan_dns %}
+unbound_conf=/etc/unbound/resolvconf.conf
+private_interfaces="*"
+{% endif %}
+{% endif %}

roles/unbound/templates/unbound.conf.j2

@@ -1,3 +1,6 @@
+{% if unbound.allow_lan_dns %}include: "/etc/unbound/resolvconf.conf"
+{% endif %}
+
 server:
   interface: 127.0.0.1
   use-syslog: yes