Maintained by: NLnet Labs

Query Cache

Matt Nelson
Tue Feb 7 10:28:46 CET 2017


Hi Phil, 

Thanks for the update. That's an interesting idea, I've had a good read
around and I'm not sure if the view will work in our scenario (maybe I
haven't understood them properly!). 

We will have a large number of Clients, Locations and IP addresses and
we also have multiple Unbound servers in different datacenters. The
servers share data using a MariaDB Galera Cluster. Client access is
currently controlled using the firewalls on the servers; if a client
adds a new location and IP address (using the web control panel), it's
pushed into a firewall zone using the firewalld Python module. The
Python module is filtering the requests based on the location and rule
set that the client has set in the admin area, so they can filter
categories of sites from over 4 million sites in the DB.

I think the issue may be with my version of Unbound as I've just read
that "qstate.no_cache_store = 1" was only added in version 1.6.0. I
will build the new version and see if that helps!

Thanks for the heads up regarding views, I will have a play with them to
see if they make a bit more sense when implemented!

On 07/02/2017 00:21, Phil Pennock wrote:

> On 2017-02-06 at 22:43 +0000, Matt Nelson via Unbound-users wrote: 
> 
>> I have built a DNS filtering service using the pythonmod for unbound.
>> Everything is working as it should apart from the cache. I want to
>> disable the cache completely as I am filtering the results based on the
>> incoming IP address. As an example anyone from 192.168.30.20 can access
>> social media sites, but anyone from 192.168.30.30 is returned the IP
>> address of the server instead which shows a "blocked" message.
> 
> Sounds like you want to be using Views, with a `view:` block which has
> `view-first: yes` set, local-data: in the view providing the IP address
> of the server, and a set of `access-control-view:` directives putting
> individual IPs into that view.
> 
> I'm not seeing anything under
> http://unbound.net/documentation/pythonmod/index.html which shows the
> access-control or view directives being exposed to Python.
> 
> Assuming that the list of IPs is fairly dynamic, have you considered
> using an include directive such as:
> 
> include: "/etc/unbound/python-managed.d/*.conf"
> 
> and then having your Python be a standalone service to
> modify/create/delete one or more files in that directory based upon your
> site integrations, and use unbound-control to
> dump_cache/reload/load_cache ?
> 
> I don't see unbound-control options to directly change
> access-control-view: options without doing a full reload.  :\
> 
> -Phil
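
A sketch of the include-file approach suggested in the quoted reply, as an added example that is not code from either participant or from the Unbound project: it renders `access-control-view:` and `view:` entries from a per-view client list and writes the file atomically. The view name `no_social`, the domain `social.example`, the sinkhole address 192.0.2.10 and the helper names are assumptions; clients are assumed to already have an allowing `access-control:` entry.

```python
import ipaddress
import os
import re
import tempfile

# Hostname labels only: rejects quotes, spaces and newlines that could inject directives.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def _domain(name):
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253 or not all(_LABEL.fullmatch(l) for l in name.split(".")):
        raise ValueError(f"invalid domain: {name!r}")
    return name + "."

def render_views(policies, block_ip):
    """policies: {view_name: {"clients": [...], "blocked": [...]}} -> unbound.conf text."""
    sinkhole = ipaddress.ip_address(block_ip)
    rtype = "A" if sinkhole.version == 4 else "AAAA"
    acl, views = ["server:"], []
    for view, policy in sorted(policies.items()):
        if not re.fullmatch(r"[A-Za-z0-9_-]+", view):
            raise ValueError(f"invalid view name: {view!r}")
        for client in sorted(policy["clients"]):
            net = ipaddress.ip_network(client)  # raises ValueError on bad input
            acl.append(f"    access-control-view: {net} {view}")
        views += ["view:", f'    name: "{view}"', "    view-first: yes"]
        for dom in sorted(_domain(d) for d in policy["blocked"]):
            views.append(f'    local-zone: "{dom}" redirect')
            views.append(f'    local-data: "{dom} {rtype} {sinkhole}"')
    return "\n".join(acl + views) + "\n"

def write_atomic(path, text):
    """Write via temp file + rename so Unbound never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the unbound user must be able to read it
    os.replace(tmp, path)

# Constructed sample: blocked client address from the thread; domain is a placeholder.
SAMPLE = {"no_social": {"clients": ["192.168.30.30"], "blocked": ["social.example"]}}

if __name__ == "__main__":
    print(render_views(SAMPLE, "192.0.2.10"))
```

The rendered file would be written under the included directory with a `.conf` name and picked up by the `unbound-control` reload sequence described in the reply.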