Maintained by: NLnet Labs

simplest way to forward to diff resolver based on src

Eric Luehrsen
Mon Apr 10 06:03:05 CEST 2017


On 04/09/2017 10:31 PM, Spike via Unbound-users wrote:
> Dear all,
> I have a default unbound instance for the LAN and I'd like to add two
> more specialized ones (python scripting is involved) and direct queries
> to those depending on the client.
> So all machines get default DNS 1.1.1.1, but when queries come in on
> that machine unbound would look at the source and:
> - if in range 1.1.1.x just resolve it
> - if in range 1.1.2.x send it to 1.1.2.1
> - if in range 1.1.3.x send it to 1.1.2.3
> I can't see a simple way of doing that; the forward zones seem to be
> based on destination, not source, and a firewall would involve NATing,
> which isn't great.
> Also caching seems to be an issue: the forward zones are used if a response
> cannot be found in the cache afaik. My scenario requires that requests
> from ranges 2 and 3 are never cached and are always forwarded.
> Any common/clean way of doing this?
> Thanks,
> Spike

Hi Spike,
If you have one subnet 1.1.0.0/16, then it doesn't look supported (even
looking at dnsmasq as an intermediary). Usually the kind of access
control I'd infer from your question is done with subnets. Isolation is
often done for other reasons. If you have three subnets (and VLANs)
1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24, then you can have three unique
Unbound instances. Each listens only on the one interface for its
subnet. If they need to share local DNS, then you can add the necessary
forward clauses.

#example
server:
  # serve only subnet3
  interface: 1.1.3.1@53
  # accept forwards from Unbound-subnet2 and Unbound-subnet1
  interface: 127.0.0.1@5303

# Get local DNS about subnet2
forward-zone:
   name: "subnet2.example.com."
   forward-addr: 127.0.0.1@5302

forward-zone:
   name: "2.1.1.in-addr.arpa."
   forward-addr: 127.0.0.1@5302

-Eric
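The fragment above shows only the listeners and the two forward clauses. The following is an added, complete unbound.conf for the "subnet3" instance in Eric's three-instance layout; it is not from the thread or from NLnet Labs, and it adds the two settings a practitioner will otherwise trip over: access-control so the instance only answers its own subnet and the peer instances on loopback, and do-not-query-localhost, without which Unbound silently refuses to send the forwarded queries to 127.0.0.1. The subnet, zone names, ports and the host1 entry are the thread's placeholders or assumptions made for illustration.

```conf
# Added example: full config for the subnet3 Unbound instance.
# 1.1.3.0/24, subnet3.example.com., ports 5302/5303 and host1 are
# placeholders/assumptions, not values from a real deployment.
server:
    # Listen on the subnet3 LAN address, plus a loopback port that the
    # subnet1 and subnet2 instances forward subnet3 names to.
    interface: 1.1.3.1@53
    interface: 127.0.0.1@5303

    # Default-deny, then allow only subnet3 hosts and the peer instances.
    # The loopback entry is needed because peers query from 127.0.0.1.
    access-control: 0.0.0.0/0 refuse
    access-control: 1.1.3.0/24 allow
    access-control: 127.0.0.0/8 allow

    # Unbound will not send upstream queries to 127.0.0.0/8 unless this
    # is cleared; without it the forward-zone entries below are never used.
    do-not-query-localhost: no

    # Local data for this subnet (assumed host name and address), served
    # both to subnet3 clients and to the peers that forward to port 5303.
    local-zone: "subnet3.example.com." static
    local-data: "host1.subnet3.example.com. IN A 1.1.3.10"
    local-zone: "3.1.1.in-addr.arpa." static
    local-data-ptr: "1.1.3.10 host1.subnet3.example.com."

# Names belonging to subnet2 are answered by the subnet2 instance,
# which listens on 127.0.0.1@5302 (mirror of Eric's forward clauses).
forward-zone:
    name: "subnet2.example.com."
    forward-addr: 127.0.0.1@5302

forward-zone:
    name: "2.1.1.in-addr.arpa."
    forward-addr: 127.0.0.1@5302
```

Validate it with `unbound-checkconf <path>` before restarting. The subnet1 and subnet2 instances are the same file with the interface, access-control subnet, local zones and loopback port swapped. Note that this is still Eric's per-interface approach: each instance decides by the interface it was asked on, not by inspecting the query's source address, so it does not cover Spike's single-/16 case.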