Restrict forward-zones access
Daisuke HIGASHI
daisuke.higashi at gmail.com
Thu Nov 12 16:52:06 UTC 2015
Hi,
AFAIK Unbound has no such complicated access control facilities.
If you are run Unbound on Linux, you can block a packet
which contains specific string by Netfilter. For example
this iptables rule drops UDP queres for "example.local"
which is not originated by 10.0.0.0/8 clients:
iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string
--algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j
DROP
But this rule can't control TCP or IP-fragmented UDP queries.
(It is difficult to classify these queries by this method.)
Regards,
--
Daisuke HIGASHI
2015-11-12 23:39 GMT+09:00 Charles-antoine Guillat-Guignard via
Unbound-users <unbound-users at unbound.net>:
> Hello,
>
> I am looking for a way to restrict the clients to which Unbound should
> answer on a specific domain. For instance, answer to ranges defined by
> the RFC1918 in general, but only allow access to example.local for the
> clients in the 10.0.0.0/8 range.
More information about the Unbound-users
mailing list