Maintained by: NLnet Labs

[Unbound-users] Whitelist some domains, blacklist everything else

W.C.A. Wijngaards
Mon May 17 11:05:41 CEST 2010



Hi Carsten,

Not sure if that is a good idea, but unbound can be configured like
that.  Here the local-data config is used (so no need to run another
nameserver).

# this redirects everything to 127.0.0.1
local-zone: "." redirect
local-data: ". IN A 127.0.0.1"

# override for whitelisted domains to resolve normally
local-zone: "google.com" transparent
local-zone: "linux.org" transparent

The local-zone statements are checked and the closest match determines
what happens to the query.

Ondrej suggests using forward and stub configs, and that works too,
since it also uses the config from the closest match on the query.

Best regards,
   Wouter

On 05/16/2010 06:01 PM, Carsten Krüger wrote:
> Hello,
> 
> Is it possible with unbound to allow only lookups on whitelisted
> domains and answer all others with 127.0.0.1 or NXDOMAIN?
> 
> for example (precedence: white is stronger than black)
> blacklist *
> and
> whitelist google.com and linux.org (and subdomains of them).
> 
> The lookups for the whitelisted domains should go external (recursive) and not to
> a local zone file.
> 
> greetings
> Carsten
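Added example (not part of the thread above and not unbound's own code): a small Python model of the closest-match rule Wouter describes, so the whitelist semantics can be checked offline before the config goes on a resolver. Zone names are compared label by label from the right and the local-zone with the most matching labels wins, which is why "." acts as the catch-all and each whitelisted zone covers itself and all of its subdomains. The names google.com, linux.org and the 127.0.0.1 target come from the thread; the function names, the generator for the server: fragment and the extra query names (google.com.evil.example, notgoogle.com, example.net) are constructed here for illustration.

```python
"""Model of unbound's local-zone closest-match rule (added example, not unbound code).

Zone names are compared label by label from the right; the local-zone with the most
matching labels decides what happens to the query. The root zone "." matches every
name, so it is the catch-all, and each whitelisted zone, being a closer match, takes
precedence for itself and all of its subdomains.
"""
from __future__ import annotations

# Assumption: the same catch-all target used in the message above.
REDIRECT_TARGET = "127.0.0.1"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and the trailing dot is optional; root becomes ""."""
    return name.strip().lower().rstrip(".")


def labels(name: str) -> list[str]:
    """Split a name into labels; the root "." has no labels."""
    n = normalize(name)
    return n.split(".") if n else []


def is_under(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it. Label-wise suffix, not string suffix:
    notgoogle.com is NOT under google.com, and google.com.evil.example is not either."""
    ln, lz = labels(name), labels(zone)
    return len(ln) >= len(lz) and ln[len(ln) - len(lz):] == lz


def closest_zone(qname: str, zones: dict[str, str]) -> tuple[str, str]:
    """Return (zone, type) of the most specific local-zone covering qname."""
    matches = [z for z in zones if is_under(qname, z)]
    if not matches:
        raise ValueError(f"no local-zone covers {qname!r}; declare '.' as the catch-all")
    best = max(matches, key=lambda z: len(labels(z)))
    return best, zones[best]


def disposition(qname: str, zones: dict[str, str]) -> str:
    """What the resolver does: 'resolve' for a transparent zone, the redirect address
    for a redirect zone. Only the two types used in the thread are modelled."""
    _, ztype = closest_zone(qname, zones)
    if ztype == "transparent":
        return "resolve"
    if ztype == "redirect":
        return REDIRECT_TARGET
    raise ValueError(f"zone type {ztype!r} not modelled here")


def build_config(whitelist: list[str]) -> str:
    """Emit the server: fragment for a whitelist. Entries already covered by a
    whitelisted parent are dropped: unbound accepts them, but they change nothing."""
    names = sorted({normalize(w) for w in whitelist if normalize(w)},
                   key=lambda n: (len(labels(n)), n))
    kept: list[str] = []
    for n in names:
        if not any(is_under(n, k) for k in kept):
            kept.append(n)
    lines = [
        "server:",
        "    # everything not whitelisted below is answered with the redirect address",
        '    local-zone: "." redirect',
        f'    local-data: ". IN A {REDIRECT_TARGET}"',
        "    # whitelisted domains (and their subdomains) resolve normally",
    ]
    lines += [f'    local-zone: "{n}" transparent' for n in kept]
    return "\n".join(lines) + "\n"


def parse_local_zones(config: str) -> dict[str, str]:
    """Read the local-zone lines back into {zone: type} so a fragment can be checked."""
    zones: dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("local-zone:"):
            zone, ztype = line[len("local-zone:"):].split()
            zones[zone.strip('"')] = ztype
    return zones


if __name__ == "__main__":
    cfg = build_config(["google.com", "mail.google.com", "Linux.org."])
    print(cfg)
    zones = parse_local_zones(cfg)
    # Constructed query names; the lookalikes show why label-wise matching matters.
    for q in ["www.google.com", "linux.org", "google.com.evil.example",
              "notgoogle.com", "example.net"]:
        print(f"{q:28} -> {closest_zone(q, zones)} -> {disposition(q, zones)}")
```

Two things worth knowing before deploying the generated fragment: unbound ships built-in default local zones (localhost and the 127.in-addr.arpa reverse zone among them) which are closer matches than "." and therefore keep their default behaviour rather than being redirected; and the result should be confirmed on the running resolver with unbound-checkconf followed by a dig @127.0.0.1 for one whitelisted and one non-whitelisted name, where the latter must come back as 127.0.0.1.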