Maintained by: NLnet Labs

[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?

Jiri Bohac
Mon Feb 10 22:17:55 CET 2014


Hi,

I'm trying to replace my bind server with unbound + nsd.
My DNS server works both as authoritative for a few zones and
also as a recursive resolver for a few subnets.

I configured the domains I want to serve authoritatively as stub
zones in unbound, so that the requests are forwarded to a locally
running nsd on a different port.

I need the server to allow non-recursive queries from anywhere.
I want to allow recursive queries only from specified subnets to
prevent misuse of my server for a DNS amplification attack.

The "access-control:" directive only has these actions:
	refuse
	deny
	allow_snoop -- allows recursive + nonrecursive queries
	allow -- allows recursive queries

I am missing an action to only allow nonrecursive queries.
Then, I could do:

	access-control: 1.2.3.0/24 allow_snoop
	access-control: 0.0.0.0/0 allow_nonrec

to only allow recursive queries from 1.2.3.x and nonrecursive
from anywhere.

What other options do I have?

I'm limited to a single IP address, so I can't run unbound on one
and nsd on another.

The only solution I can think of is using iptables to redirect
the DNS traffic to unbound's port for queries from 1.2.3.0/24 and
to nsd's port for other queries. Makes me sort of uneasy ;)


Would it be a totally stupid thing to implement the allow_nonrec
action for access-control? Any chances of such a patch being
accepted for unbound?

-- 
Jiri Bohac 
e-mail/jabber: jiri at boha.cz
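The policy the post asks for (recursion only from listed subnets, non-recursive answers from anywhere), as an added example that is not part of the original message and not unbound or nsd code. It models a hypothetical `allow_nonrec` action, which unbound does not have, with the assumed semantics that an RD=1 query from an unlisted source is served as if RD were clear rather than refused; the `decide()` function and the `build_query()` helper that constructs sample queries are illustration only, and 1.2.3.0/24 is the placeholder subnet from the post.

```python
"""ACL check modelling the 'allow_nonrec' behaviour asked for in the post.

Added example, not unbound or nsd code. Assumed policy:
  - an RD=1 query from a listed subnet is served recursively
  - every other query is served non-recursively (authoritative data only)
The action names and their mapping to these outcomes are assumptions for
illustration; unbound itself has no 'allow_nonrec' access-control action.
"""
import ipaddress
import struct

# Placeholder subnet from the post: the only clients allowed to recurse.
RECURSIVE_CLIENTS = [ipaddress.ip_network("1.2.3.0/24")]

FLAG_QR = 0x8000  # header flags: QR (1 = response)
FLAG_RD = 0x0100  # header flags: RD (recursion desired)


def build_query(qname: str, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (constructed test input): header + one A/IN question."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet: bytes):
    """Unpack the fixed 12-byte DNS header into its six 16-bit fields."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHHHH", packet[:12])


def acl_action(src_ip: str) -> str:
    """The access-control lookup the post sketches: a listed subnet takes
    precedence over the catch-all 0.0.0.0/0 entry (hypothetical action names)."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in RECURSIVE_CLIENTS):
        return "allow_snoop"   # recursive + non-recursive
    return "allow_nonrec"      # hypothetical: non-recursive only


def decide(src_ip: str, packet: bytes) -> str:
    """Classify how a packet would be served: 'recursive', 'nonrecursive' or 'reject'."""
    _, flags, qdcount, _, _, _ = parse_header(packet)
    if flags & FLAG_QR or qdcount != 1:
        return "reject"               # a response, or not a single-question query
    wants_recursion = bool(flags & FLAG_RD)
    if wants_recursion and acl_action(src_ip) == "allow_snoop":
        return "recursive"
    # Everything else is answered from authoritative data only. RD from an
    # unlisted source is not honoured, which is what keeps the server from
    # acting as an open resolver usable for amplification.
    return "nonrecursive"


if __name__ == "__main__":
    for src, rd in [("1.2.3.4", True), ("1.2.3.4", False),
                    ("198.51.100.7", True), ("198.51.100.7", False)]:
        print(src, "RD=%d" % rd, "->", decide(src, build_query("example.com", rd)))
```

The check deliberately looks only at the source address and the RD bit, which is all the access-control list in the post keys on; whether a non-recursive answer for a name outside the served zones is REFUSED or an empty referral is left to the authoritative side, as it is with nsd.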