Maintained by: NLnet Labs

Restrict forward-zones access

Thu Nov 12 17:52:06 CET 2015


   AFAIK Unbound has no such complicated access control facilities.

   If you are run Unbound on Linux, you can block a packet
which contains specific string by Netfilter. For example
this iptables rule drops UDP queres for "example.local"
which is not originated by clients:

  iptables -A INPUT -p udp --dport 53 \! -s -m string
--algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j

But this rule can't control TCP or IP-fragmented UDP queries.
(It is difficult to classify these queries by this method.)

 Daisuke HIGASHI

2015-11-12 23:39 GMT+09:00 Charles-antoine Guillat-Guignard via
Unbound-users <unbound-users at>:
> Hello,
> I am looking for a way to restrict the clients to which Unbound should
> answer on a specific domain. For instance, answer to ranges defined by
> the RFC1918 in general, but only allow access to example.local for the
> clients in the range.