Update to 2021-12-01 19:13

roles/dnscache/defaults/main.yml

@@ -0,0 +1,71 @@
+---
+
+# IP allowed in the firewall
+dnscache_src_ip: []
+
+# IP on which we bind
+dnscache_ip: 127.0.0.1
+
+# If we want to delegate only some zones
+#dnscache_forwarded_zones:
+#  - zone: firewall-services.com
+#    servers:
+#      - 192.168.133.254
+#  - zone: 133.168.192.in-addr.arpa
+#    servers:
+#      - 192.168.133.254
+
+dnscache_forwarded_zones:
+  - zone: letsencrypt.org
+    servers:
+      - 80.67.169.12
+      - 80.67.169.40
+  - zone: api.letsencrypt.org
+    servers:
+      - 80.67.169.12
+      - 80.67.169.40
+  - zone: edgekey.net
+    servers:
+      - 80.67.169.12
+      - 80.67.169.40
+  - zone: akamaiedge.net
+    servers:
+      - 80.67.169.12
+      - 80.67.169.40
+  - zone: akamaized.net
+    servers:
+      - 80.67.169.12
+      - 80.67.169.40
+  - zone: akamai.net
+    servers:
+      - 80.67.169.12
+      - 80.67.169.40
+
+# Root server list. If dnscache_forward_only is True, should be a list
+# of server to which we forward queries instead of root servers
+dnscache_roots:
+  - 128.63.2.53
+  - 192.112.36.4
+  - 192.203.230.10
+  - 192.228.79.201
+  - 192.33.4.12
+  - 192.36.148.17
+  - 192.5.5.241
+  - 192.58.128.30
+  - 193.0.14.129
+  - 198.41.0.4
+  - 199.7.83.42
+  - 199.7.91.13
+  - 202.12.27.33
+
+# Do we act as a resolver or a simple forwarder
+dnscache_forward_only: False
+
+# Data and Cache sizes. Cache should not exceed data
+dnscache_data_limit: 12000000
+dnscache_cache_size: 10000000
+
+# Account under which we run. Default to daemons
+dnscache_uid: 2
+dnscache_gid: 2
+

roles/dnscache/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: restart dnscache
+  service: name=dnscache state=restarted enabled=yes
+...

roles/dnscache/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+
+- name: Install packages
+  yum:
+    name:
+      - ndjbdns
+
+- name: Deploy dnscache config
+  template: src={{ item.src }} dest={{ item.dest }}
+  with_items:
+    - { src: dnscache.conf.j2, dest: /etc/ndjbdns/dnscache.conf }
+    - { src: roots.j2,         dest: /etc/ndjbdns/servers/roots }
+  notify: restart dnscache
+
+- name: Handle DNS port
+  iptables_raw:
+    name=dnscache_ports
+    state={{ (dnscache_src_ip | length > 0) | ternary('present','absent') }}
+    rules='-A INPUT -m state --state NEW -p udp -m multiport --dports 53 -s {{ dnscache_src_ip | join(',') }} -j ACCEPT'
+  when: iptables_manage | default(True)
+
+- name: Allow queries
+  copy:
+    content: ""
+    dest: /etc/ndjbdns/ip/0
+    force: no
+    group: root
+    owner: root
+    mode: 0644
+  notify: restart dnscache
+
+- name: List forwarded zones
+  shell: ls -1 /etc/ndjbdns/servers/ | xargs -n1 basename | grep -vP '^roots$' | cat
+  register: dnscache_fwd_zones
+  changed_when: False
+
+- name: Remove unmanaged forwarded zones
+  file: path=/etc/ndjbdns/servers/{{ item }} state=absent
+  with_items: "{{ dnscache_fwd_zones.stdout_lines | default([]) }}"
+  when: item not in dnscache_forwarded_zones | map(attribute='zone')
+
+- name: Deploy forwarded zones
+  copy:
+    content: "{{ item.servers | default([]) | join(\"\n\") }}"
+    dest: /etc/ndjbdns/servers/{{ item.zone }}
+  with_items: "{{ dnscache_forwarded_zones }}"
+  when: dnscache_forwarded_zones is defined and dnscache_forwarded_zones | length > 0
+  notify: restart dnscache
+
+- name: Start and enable the service
+  service: name=dnscache state=started enabled=yes
+
+...

roles/dnscache/templates/dnscache.conf.j2

@@ -0,0 +1,10 @@
+DATALIMIT={{ dnscache_data_limit }}
+CACHESIZE={{ dnscache_cache_size }}
+IP={{ dnscache_ip }}
+IPSEND=0.0.0.0
+UID={{ dnscache_uid }}
+GID={{ dnscache_gid }}
+ROOT=/etc/ndjbdns
+HIDETTL=
+FORWARDONLY={{ dnscache_forward_only | ternary('1','') }}
+DEBUG_LEVEL=1

roles/dnscache/templates/roots.j2

@@ -0,0 +1,3 @@
+{% for server in dnscache_roots %}
+{{ server }}
+{% endfor %}