From 79e940c63100766ef588bf0580bebe510c134a30 Mon Sep 17 00:00:00 2001
From: Pig Monkey
Date: Wed, 22 Jan 2020 19:13:27 -0800
Subject: [PATCH] support forwarding LAN zones to local LAN DNS

With this option enabled, if you connect to a local network which claims to serve DNS for `mycorp.com`, unbound will forward DNS requests for that domain to the local network DNS resolver. If you connect to a local network which claims to serve DNS for a domain like `mynetwork.lan` or `local.mesh`, and you have those domains whitelisted in the `unbound.private_domains` var, you will be able to successfully resolve those hostnames. The `private_interfaces` option prevents forwarding the root zone to the local network resolver. If the network claims to provide DNS for `mycorp.com` and everything else, requests for `mycorp.com` will go to the network's resolver, but requests for every other domain will still go through unbound to the nameservers specified in the `unbound.nameservers` var.
---
 group_vars/all | 1 +
 roles/openresolv/templates/resolvconf.conf.j2 | 9 ++++++++-
 roles/unbound/templates/unbound.conf.j2 | 3 +++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/group_vars/all b/group_vars/all
index d0032a6..c2048b8 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -155,6 +155,7 @@ unbound:
 - lan
 - mesh
 - private
+ allow_lan_dns: True
 
 bluetooth:
 disable: False
diff --git a/roles/openresolv/templates/resolvconf.conf.j2 b/roles/openresolv/templates/resolvconf.conf.j2
index 30b7e45..6226015 100644
--- a/roles/openresolv/templates/resolvconf.conf.j2
+++ b/roles/openresolv/templates/resolvconf.conf.j2
@@ -2,4 +2,11 @@
 # See resolvconf.conf(5) for details
 resolv_conf=/etc/resolv.conf
-{% if unbound %}name_servers=127.0.0.1{% endif %}
+
+{% if unbound %}
+name_servers=127.0.0.1
+{% if unbound.allow_lan_dns %}
+unbound_conf=/etc/unbound/resolvconf.conf
+private_interfaces="*"
+{% endif %}
+{% endif %}
 
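Review bot: `allow_lan_dns: True` in the group_vars hunk turns LAN-driven forwarding on for every host by default, so, per the commit description, any network the machine joins can pick which zones unbound forwards to that network's resolver simply by advertising a search domain; `private_interfaces="*"` keeps the root zone local but does not bound which other domains a network may claim. Handing that trust to whichever network the host happens to be on is a deliberate choice, and it is safer as opt-in: `allow_lan_dns: False` here, with hosts that need it enabling it explicitly. The `unbound:` dict continues above the hunk, so I cannot see whether other keys already document this trade-off.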
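Review bot: The new `unbound_conf=`/`private_interfaces="*"` pair in the resolvconf.conf.j2 hunk carries no comment, and the interaction between the two settings is exactly what a later reader will need to know before touching them. I would add, above `unbound_conf=`, `# Write per-domain forward-zone stanzas for domains the LAN advertises into the file unbound includes; private_interfaces="*" stops the LAN resolver from being used for the root zone (see resolvconf.conf(5))`. Note also that `/etc/unbound/resolvconf.conf` is hard-coded here and again in unbound.conf.j2; a single group var (constructed example name: `unbound.lan_dns_conf`) referenced by both templates would keep the two from drifting apart.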
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index a815181..4fabbd1 100644
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -1,3 +1,6 @@
+{% if unbound.allow_lan_dns %}include: "/etc/unbound/resolvconf.conf"
+{% endif %}
+
 server:
 interface: 127.0.0.1
 use-syslog: yes
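Review bot: The added `include: "/etc/unbound/resolvconf.conf"` is unconditional once the flag is set, but that file is only written by openresolv after some interface has supplied resolver data; on a freshly provisioned host, or one with no interface up, unbound will in my experience refuse to start because an `include:` target is missing, which turns "no LAN DNS yet" into "no DNS at all". The unbound role should create an empty file at that path before the service is started or the config is checked, and the task should be idempotent (an Ansible `copy` with empty content and `force: no`, rather than a `file` task with `state: touch`, which reports a change on every run). Separately, `unbound.allow_lan_dns` is dereferenced without a default in this hunk and in the resolvconf.conf.j2 hunk, so a host whose `unbound` dict is overridden without the key fails to render; `{% if unbound.allow_lan_dns | default(false) %}` avoids that in both templates.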