Maintained by: NLnet Labs

[Unbound-users] Whitelist some domains, blacklist everything else

Ondřej Surý
Sun May 16 19:12:35 CEST 2010


2010/5/16 Alexander E. Patrakov <patrakov at gmail.com>

> 16.05.2010 22:01, Carsten Krüger wrote:
>
>> Hello,
>>
>> is it possible with unbound to allow only lookups on whitelisted
>> domains and answer all others with 127.0.0.1 or NXDOMAIN?
>>
>>
>
> No.
>

Well, I wouldn't be so strict, something like this could probably be done
using forwarding:

forward-zone:
  name: "whitelist1.dom"
  forward-addr: 1.2.3.4

forward-zone:
  name: "whitelist2.dom"
  forward-addr: 1.2.3.4

forward-zone:
  name: "."
  # IP of a dummy nameserver that always returns NXDOMAIN, e.g. one
  # running on 127.0.0.2
  forward-addr: 127.0.0.2

But you are doing it wrong. DNS is a bad place for this kind of filtering.
Implementing a transparent HTTP proxy with a block list, or even simple
firewall rules, is better. Protection at the DNS level is very fragile and
could probably be easily circumvented if not implemented together with strict
firewall rules.

Ondrej
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
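Added example, not part of the mailing-list post or of Unbound itself: a small Python script that builds the forward-zone whitelist sketched above and works out which forwarder a given query name would be sent to. Zone selection follows Unbound's documented rule that the closest enclosing forward-zone applies (a zone covers itself and all its subdomains, and the most specific match wins), which is why the `.` zone acts as the catch-all. The domains `whitelist1.dom`/`whitelist2.dom`, the upstream `1.2.3.4` and the sinkhole `127.0.0.2` are the placeholders from the post; the function names are this example's own.

```python
"""Whitelist-by-forwarding for Unbound: generate the forward-zone clauses
and predict which forwarder answers a query (added example, not Unbound code).
"""

# Placeholder values taken from the post; replace with real ones.
WHITELIST = ["whitelist1.dom", "whitelist2.dom"]
UPSTREAM = "1.2.3.4"      # real resolver used for whitelisted names
SINKHOLE = "127.0.0.2"    # assumed: a dummy server that always answers NXDOMAIN


def normalize(name: str) -> str:
    """Lower-case a domain name and strip its trailing dot ("" for the root)."""
    return name.strip().lower().rstrip(".")


def build_forward_zones(whitelist, upstream=UPSTREAM, sinkhole=SINKHOLE):
    """Map each whitelisted zone to the upstream and "." to the sinkhole."""
    zones = {normalize(z): upstream for z in whitelist}
    zones["."] = sinkhole
    return zones


def render_unbound_conf(zones) -> str:
    """Emit unbound.conf forward-zone clauses for the zone map."""
    lines = []
    for zone, addr in zones.items():
        lines.append("forward-zone:")
        lines.append(f'    name: "{zone}"')
        lines.append(f"    forward-addr: {addr}")
    return "\n".join(lines) + "\n"


def select_forwarder(qname, zones):
    """Return (zone, forwarder) of the closest enclosing zone for qname.

    A zone matches when the query equals it or is a subdomain of it; among
    the matches the one with the most labels wins. "." has zero labels and
    matches everything, so it is chosen only when nothing else does.
    """
    q = normalize(qname)
    best_zone, best_labels = None, -1
    for zone in zones:
        z = "" if zone == "." else normalize(zone)
        if z == "":
            matches, labels = True, 0
        else:
            matches = q == z or q.endswith("." + z)
            labels = z.count(".") + 1
        if matches and labels > best_labels:
            best_zone, best_labels = zone, labels
    return best_zone, zones[best_zone]


def is_allowed(qname, zones, sinkhole=SINKHOLE) -> bool:
    """True if the query would reach a real resolver rather than the sinkhole."""
    return select_forwarder(qname, zones)[1] != sinkhole


if __name__ == "__main__":
    zones = build_forward_zones(WHITELIST)
    print(render_unbound_conf(zones))
    for name in ["www.whitelist1.dom", "whitelist2.dom.",
                 "evilwhitelist1.dom", "example.com"]:
        print(f"{name:24} -> {select_forwarder(name, zones)}")
```

Two things the script makes visible that the config alone does not: whitelisting `whitelist1.dom` also whitelists every name under it, because subdomains fall into the same forward-zone, and a look-alike such as `evilwhitelist1.dom` is not matched, since matching is on whole labels. It also only decides what this resolver does; a client that sends its queries to some other resolver never consults these zones, which is the point Ondrej makes about needing firewall rules alongside DNS filtering.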