
Fwd: DNS Filter

Tom Hendrikx
Wed Dec 14 23:15:53 CET 2016


On 14-12-16 22:53, Matt Nelson via Unbound-users wrote:
> I'm currently building a DNS filtering service using Unbound and a
> Python module. My service should only respond to IP addresses that are
> listed in a database; these can be added dynamically. Is there a way of
> exiting out of the python module so that nothing is sent back to the
> client if their IP isn't in the list?
> 
> I have already got the user's IP address, and have written some code to
> check it against the database. My issue is that if the IP doesn't exist
> then all I can do is set "qstate.ext_state[id] = MODULE_ERROR" which
> will return a "status: SERVFAIL". Is there a way of returning nothing at
> all?
> 

Could you describe the application of your request a bit more broadly?
What is the problem you are trying to solve?

From what you're telling us right now, I'd gather that you have a dynamic
list of clients that you want to allow talking to unbound while denying
everybody else, and managing 'access-control' statements in unbound.conf
is too cumbersome.

Sounds like you want a cron job plus ipset/iptables; custom python code
for unbound is the wrong tool for the job.

Kind regards,
	Tom
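
Tom's suggestion above, as an added shell example that is not code from the thread or from Unbound: a cron-driven script that loads the client allowlist into an ipset and fences port 53 behind it, so queries from unlisted sources get no reply at all instead of SERVFAIL. The allowlist file path, the set name and the DNSFILTER_APPLY switch are assumptions; the allowlist is assumed to be an export of the database with one IPv4 address or CIDR per line.

```shell
#!/bin/sh
# Added example: sync a client allowlist into an ipset and drop DNS from everyone else.
# Assumptions: ipset and iptables are installed, the script runs from cron as root
# with DNSFILTER_APPLY=1, and the database is exported to ALLOWLIST_FILE (IPv4 only).

ALLOWLIST_FILE="${ALLOWLIST_FILE:-/var/lib/dnsfilter/clients.txt}"   # hypothetical path
SET_NAME="dns_clients"                                                # hypothetical set name

# Emit an "ipset restore" script that fills a temporary set and atomically swaps it
# into place, so clients never see a half-loaded set between cron runs.
build_ipset_restore() {
    allowlist="$1"
    echo "create ${SET_NAME} hash:net family inet"
    echo "create ${SET_NAME}_tmp hash:net family inet"
    echo "flush ${SET_NAME}_tmp"
    # Accept only dotted-quad addresses with an optional /prefix; comments,
    # blank lines and anything else in the export are ignored. Duplicates collapse.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$allowlist" |
        sort -u |
        while read -r net; do
            echo "add ${SET_NAME}_tmp ${net}"
        done
    echo "swap ${SET_NAME}_tmp ${SET_NAME}"
    echo "destroy ${SET_NAME}_tmp"
}

# Install the firewall rules once (idempotent: -C checks before -I/-A inserts).
# Members of the set reach port 53; everyone else is silently dropped, which is
# the "return nothing at all" behaviour the original question asked for.
ensure_firewall_rules() {
    for proto in udp tcp; do
        iptables -C INPUT -p "$proto" --dport 53 -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null ||
            iptables -I INPUT -p "$proto" --dport 53 -m set --match-set "$SET_NAME" src -j ACCEPT
        iptables -C INPUT -p "$proto" --dport 53 -j DROP 2>/dev/null ||
            iptables -A INPUT -p "$proto" --dport 53 -j DROP
    done
}

main() {
    # -exist makes the "create" lines harmless when the sets already exist.
    build_ipset_restore "$ALLOWLIST_FILE" | ipset -exist restore
    ensure_firewall_rules
}

# Only touch the kernel when explicitly asked (e.g. from the cron line);
# otherwise the file just defines the functions.
if [ "${DNSFILTER_APPLY:-0}" = "1" ]; then
    main
fi
```

A cron entry such as `*/5 * * * * DNSFILTER_APPLY=1 /usr/local/sbin/dnsfilter-sync.sh` (assumed path) re-syncs the set every five minutes; Unbound itself needs no change and no Python module.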
