diff --git a/roles/configure-unbound/README.rst b/roles/configure-unbound/README.rst
new file mode 100644
index 00000000..039533e3
--- /dev/null
+++ b/roles/configure-unbound/README.rst
@@ -0,0 +1,27 @@
+An ansible role to dynamically configure DNS forwarders for the
+``unbound`` caching service. IPv6 will be preferred when there is a
+usable IPv6 default route, otherwise IPv4.
+
+.. note:: This is not a standalone unbound configuration role. Base
+ setup is done during image builds in
+ ``project-config:nodepool/elements/nodepool-base/finalise.d/89-unbound``;
+ here we just do dynamic configuration of forwarders based on
+ the interfaces available on the actual host.
+
+**Role Variables**
+
+.. zuul:rolevar:: primary_nameserver_v4
+
+ The primary IPv4 nameserver for fowarding requests
+
+.. zuul:rolevar:: primary_nameserver_v6
+
+ The primary IPv6 nameserver for fowarding requests
+
+.. zuul:rolevar:: secondary_nameserver_v4
+
+ The secondary IPv4 nameserver for fowarding requests
+
+.. zuul:rolevar:: secondary_nameserver_v6
+
+ The seconary IPv6 nameserver for fowarding requests
diff --git a/roles/configure-unbound/defaults/main.yaml b/roles/configure-unbound/defaults/main.yaml
new file mode 100644
index 00000000..d0228620
--- /dev/null
+++ b/roles/configure-unbound/defaults/main.yaml
@@ -0,0 +1,7 @@
+# OpenDNS
+primary_nameserver_v6: "2620:0:ccc::2"
+primary_nameserver_v4: "208.67.222.222"
+
+# Google
+secondary_nameserver_v6: "2001:4860:4860::8888"
+secondary_nameserver_v4: "8.8.8.8"
diff --git a/roles/configure-unbound/tasks/main.yaml b/roles/configure-unbound/tasks/main.yaml
new file mode 100644
index 00000000..5c2c0f5f
--- /dev/null
+++ b/roles/configure-unbound/tasks/main.yaml
@@ -0,0 +1,43 @@
+- name: Ensure /etc/unbound exists
+ become: yes
+ file:
+ path: /etc/unbound
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+# Use *only* ipv6 resolvers if ipv6 is present and routable
+# (ansible_default_ipv6 should only be defined for a global, routable
+# address). This avoids traversing potential NAT when using ipv4 which
+# can be unreliable.
+- name: Set IPv6 nameservers
+ when: ansible_default_ipv6.address is defined
+ set_fact:
+ primary_nameserver: '{{ primary_nameserver_v6 }}'
+ secondary_nameserver: '{{ secondary_nameserver_v6 }}'
+
+# Fallback to default ipv4 if there is no ipv6 available as this
+# causes timeouts and failovers that are unnecesary.
+- name: Set IPv4 nameservers
+ when:
+ - ansible_default_ipv6.address is not defined
+ set_fact:
+ primary_nameserver: '{{ primary_nameserver_v4 }}'
+ secondary_nameserver: '{{ secondary_nameserver_v4 }}'
+
+- name: Configure unbound fowarding
+ become: yes
+ template:
+ dest: '/etc/unbound/forwarding.conf'
+ owner: root
+ group: root
+ mode: 0644
+ src: forwarding.conf.j2
+
+- name: restart unbound
+ become: yes
+ service:
+ name: unbound
+ state: restarted
+ enabled: yes
diff --git a/roles/configure-unbound/templates/forwarding.conf.j2 b/roles/configure-unbound/templates/forwarding.conf.j2
new file mode 100644
index 00000000..9b0a1717
--- /dev/null
+++ b/roles/configure-unbound/templates/forwarding.conf.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+forward-zone:
+ name: "."
+ forward-addr: {{ primary_nameserver }}
+ forward-addr: {{ secondary_nameserver }}
diff --git a/tests/base.yaml b/tests/base.yaml
index e0213c31..ee9eef4f 100644
--- a/tests/base.yaml
+++ b/tests/base.yaml
@@ -1,4 +1,4 @@
# Roles that are part of the 'base' job
-
+- include: configure-unbound.yaml
- include: mirror-info.yaml
- include: configure-mirrors.yaml
diff --git a/tests/configure-unbound.yaml b/tests/configure-unbound.yaml
new file mode 100644
index 00000000..86fb5303
--- /dev/null
+++ b/tests/configure-unbound.yaml
@@ -0,0 +1,13 @@
+- name: Test the configure-unbound role
+ hosts: all
+ roles:
+ - role: configure-unbound
+ post_tasks:
+ - name: Check for /etc/unbound/forwarding.conf
+ stat: path=/etc/unbound/forwarding.conf
+ register: f
+ - name: Check forwarding file
+ assert:
+ that:
+ - f.stat.exists
+ - f.stat.isreg