Maintained by: NLnet Labs

Restrict forward-zones access

Charles-antoine Guillat-Guignard
Fri Nov 13 12:37:37 CET 2015


Hello,

Yes, I already considered using Netfilter, but data inspection price
seems too high on latency and qps capacity.

Well, I will check which way is less impacting (multiple instances or
filtering).

Thank you for your time and for the feedback.

Regards

Charles-Antoine Guillat-Guignard


Le 12/11/2015 17:52, Daisuke HIGASHI a écrit :
> Hi,
> 
>    AFAIK Unbound has no such complicated access control facilities.
> 
>    If you are run Unbound on Linux, you can block a packet
> which contains specific string by Netfilter. For example
> this iptables rule drops UDP queres for "example.local"
> which is not originated by 10.0.0.0/8 clients:
> 
>   iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string
> --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j
> DROP
> 
> But this rule can't control TCP or IP-fragmented UDP queries.
> (It is difficult to classify these queries by this method.)
> 
> Regards,
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20151113/cda3020b/attachment.sig>