Maintained by: NLnet Labs

simplest way to forward to diff resolver based on src

Eric Luehrsen
Mon Apr 10 06:36:02 CEST 2017
On 04/10/2017 12:03 AM, Eric Luehrsen wrote:
> On 04/09/2017 10:31 PM, Spike via Unbound-users wrote:
>> Dear all,
>> I have a default unbound instance for the lan and I'd like to add two
>> more specialized ones (python scripting is involved) and direct queries
>> to those depending on client.
>> So all machines get default dns 1.1.1.1, but when queries come in on
>> that machine unbound would look at the src and:
>> - if in range 1.1.1.x just resolve it
>> - if in range 1.1.2.x send it to 1.1.2.1
>> - if in range 1.1.3.x send it to 1.1.2.3
>> I can't see a simple way of doing that, the forward zones seems to be
>> based on destination, not source, and a firewall would involve natting
>> which isn't great.
>> Also caching seems to be an issue, the fw zones are used if a response
>> cannot be found from cache afaik. My scenario requires that requests
>> from ranges 2 and 3 are never cached and requests always forwarded.
>> any common/clean way of doing this?
>> thanks,
>> Spike
>
> Hi Spike
> If you have one subnet 1.1.0.0/16, then it doesn't look supported (even
> looking at dnsmasq as an intermediary). Usually the kind of access
> control I'd imply from your question is done with subnets. Isolation is
> often done for other reasons. If you have three subnets (and VLAN)
> 1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24, then you can have three unique
> Unbound instances. Each only listens on one interface respective of the
> subnet. If they need to share local DNS, then you can add the necessary
> forward clauses.

There may be another way. It's a bit tricky and I don't know the 
pitfalls. Unbound views and tags are new. You would need 4 Unbound 
instances. The first instance would forward _ALL_ DNS zones to a dummy 
forward host name. You can define that host name local data under tags 
or views. The tags or views associate with query address. 3 other 
Unbound instances would do the real work, only listening on unusual 
local host addresses (127.0.1.1, 127.0.1.2, 127.0.1.3).

# example leading dummy instance
server:
   # directive is define-tag (singular); tags are declared but views do the work here
   define-tag: "group1 group2 group3"
   # map each client subnet to its view
   access-control-view: 1.1.1.0/24 group1
   access-control-view: 1.1.2.0/24 group2
   access-control-view: 1.1.3.0/24 group3

view:
   name: group1
   local-zone: example.com transparent
   local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.1"

view:
   name: group2
   local-zone: example.com transparent
   local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.2"

view:
   name: group3
   local-zone: example.com transparent
   local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.3"

# This _ALL_ zone forward host will resolve respective of view
# (the section is forward-zone:, not forward:)
forward-zone:
   name: "."
   forward-host: "ghost-ns.example.com"
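As an added illustration, not part of Eric's message or of the Unbound project, here are the three backend instances the scheme above calls for, plus the one setting the leading instance needs before it will talk to 127.0.1.x at all. The forward targets 1.1.2.1 and 1.1.2.3 come from Spike's question; the file names and pidfile paths are assumptions, one file per instance started with unbound -c.

```conf
# front.conf (assumed name): add to the leading dummy instance's server: clause
server:
   # Unbound refuses to send queries to 127.0.0.0/8 by default; lift that
   # or the forward to ghost-ns.example.com (127.0.1.x) is never attempted
   do-not-query-localhost: no
   pidfile: "/var/run/unbound-front.pid"   # each instance needs its own pidfile

# backend-group1.conf (assumed name): resolves directly for 1.1.1.0/24 clients
server:
   interface: 127.0.1.1
   port: 53
   access-control: 127.0.0.0/8 allow      # loopback only; nothing else can reach it
   pidfile: "/var/run/unbound-group1.pid"

# backend-group2.conf (assumed name): hands everything to 1.1.2.1
server:
   interface: 127.0.1.2
   port: 53
   access-control: 127.0.0.0/8 allow
   pidfile: "/var/run/unbound-group2.pid"
forward-zone:
   name: "."
   forward-addr: 1.1.2.1

# backend-group3.conf (assumed name): hands everything to 1.1.2.3
server:
   interface: 127.0.1.3
   port: 53
   access-control: 127.0.0.0/8 allow
   pidfile: "/var/run/unbound-group3.pid"
forward-zone:
   name: "."
   forward-addr: 1.1.2.3
```

Each backend binds only to its loopback alias, so clients on the LAN can never bypass the front instance and reach a backend directly.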