Maintained by: NLnet Labs

Whitelisting with local-zone + forwarding to local dns server

W.C.A. Wijngaards
Mon May 29 14:01:25 CEST 2017


Hi, P T,

On 26/05/17 18:00, P T via Unbound-users wrote:
> Hey guys, was wondering if you could help me figure out how to configure
> unbound.
> 
> I would like to setup whitelisting. There was a post which recommended
> doing the following:
> 
> ----
> 
> local-zone: "." static
> 
> local-zone: "gooddomain.com <http://gooddomain.com/>" transparent
> local-zone: "anothergooddomain.com <http://anothergooddomain.com/>"
> transparent
> 
> ----
> 
> That works fine. But what I also want to do is the following:
> 
> ----
> 
> forward-zone:
>   name: "my.local.zone"
>   forward-addr: 172.16.16.1
> 
> ----
> 
> When querying for a record in my.local.zone, I get NXDOMAIN, as if I
> failed the whitelist "check". So it seems like the catch-all "." line in
> local-zone is being evaluated before forward-zone.

Yes local-zones are evaluated before forward-zones and stub-zones.  This
feature is on purpose, to filter downstream queries before it reaches
the state machine in unbound.

What I think you want is to add a local-zone: "my.local.zone"
transparent statement.  So have a forward-zone and also a local-zone for
my.local.zone.  The local-zone allows it to bypass your whitelisting
check.  The forward-zone entry configures where queries are sent when
the query reaches that stage in the state-machine code.

> 
> Is there any way around this? If not, is there another way to do
> whitelisting?

In new versions there is access-control-tag, access-control-view, where
you can conditionalize the local-zone filter to the IP-address of the
client.  Or local-zone-override that also evaluates the IP-address to
change a local-zone, and overrides the previous mechanisms.

The configuration of ratelimit-for-domain could be used to filter
queries (it is evaluated after local-zones, and after forward-zones, so
more state-machine effort is spent, so I wouldn't advise it).  But it is
really meant for ratelimiting, of course.

Best regards, Wouter


> 
> Thanks for any help!


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20170529/e73d0902/attachment.sig>