Hi, AFAIK Unbound has no such complicated access control facilities. If you are run Unbound on Linux, you can block a packet which contains specific string by Netfilter. For example this iptables rule drops UDP queres for "example.local" which is not originated by 10.0.0.0/8 clients: iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j DROP But this rule can't control TCP or IP-fragmented UDP queries. (It is difficult to classify these queries by this method.) Regards, -- Daisuke HIGASHI 2015-11-12 23:39 GMT+09:00 Charles-antoine Guillat-Guignard via Unbound-users <unbound-users at unbound.net>: > Hello, > > I am looking for a way to restrict the clients to which Unbound should > answer on a specific domain. For instance, answer to ranges defined by > the RFC1918 in general, but only allow access to example.local for the > clients in the 10.0.0.0/8 range.