Maintained by: NLnet Labs

Restrict forward-zones access

Daisuke HIGASHI
Thu Nov 12 17:52:06 CET 2015


Hi,

   AFAIK Unbound has no such complicated access control facilities.

   If you are run Unbound on Linux, you can block a packet
which contains specific string by Netfilter. For example
this iptables rule drops UDP queres for "example.local"
which is not originated by 10.0.0.0/8 clients:

  iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string
--algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j
DROP

But this rule can't control TCP or IP-fragmented UDP queries.
(It is difficult to classify these queries by this method.)

Regards,
-- 
 Daisuke HIGASHI


2015-11-12 23:39 GMT+09:00 Charles-antoine Guillat-Guignard via
Unbound-users <unbound-users at unbound.net>:
> Hello,
>
> I am looking for a way to restrict the clients to which Unbound should
> answer on a specific domain. For instance, answer to ranges defined by
> the RFC1918 in general, but only allow access to example.local for the
> clients in the 10.0.0.0/8 range.