Private zone and access control
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Tue Jun 5 07:38:27 UTC 2018
Hi,
On 03/06/18 19:17, Ict Security via Unbound-users wrote:
> Hi all,
>
> I have defined access control for a specific class of IPs and
> everything is working fine, both for recursive and private class
> requests.
>
> Now, I would like to define a static zone and grant everyone (public)
> the ability to query *only* this zone, without allowing recursion.
Yes, there are two access-control types for that in the access-control
statement. The deny_non_local type allows requests to local-zones (and
auth-zones with for-downstream: yes) and drops recursion requests. The
refuse_non_local type sends an rcode REFUSED message instead of dropping
disallowed requests.
Just set everyone with an access-control statement. Access-control
statements are applied most-specific first, so if you give a /8
deny_non_local and another /24 allow, then the /24 is allowed everything
and everyone else gets only the local-zone and for-downstream auth-zone
information. Or give a /0. You would need a 0.0.0.0/0 for IPv4 and a
::0/0 for IPv6 to cover everyone. You can also carve out more specific
subnets and disallow them with access-control type 'deny', which drops
messages from them.
Note that this would allow access to all the local-zones and
for-downstream auth-zones, not just that specific zone. You can fix
that, in this case, if you want to, by putting the local-zone in a view
for everyone and putting the local-zones for the specific group in
another view, and then using the access-control-view statement. Or tag
the local-zone and use the access-control-tag statement.
Best regards, Wouter
>
> Is it possible?
> Thank you
>
> F
>
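As an added example (not part of the original thread and not taken from the Unbound documentation), here is an unbound.conf fragment that combines the two pieces Wouter describes: a refuse_non_local catch-all with a more specific netblock that gets full recursion, plus local-zone-tag / access-control-tag so that the public only sees one zone. The zone names, netblocks and tag names are placeholders chosen for illustration.

```conf
# Added example unbound.conf fragment (not from the original thread).
# Zone names, netblocks and tag names are assumed placeholders.
server:
    interface: 0.0.0.0
    interface: ::0

    # Everyone (IPv4 and IPv6) may query local-zones and for-downstream
    # auth-zones only; anything that needs recursion gets rcode REFUSED.
    # Swap in deny_non_local if you prefer to drop such queries silently.
    access-control: 0.0.0.0/0 refuse_non_local
    access-control: ::0/0 refuse_non_local

    # The most specific netblock wins: this group gets full recursion.
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8:1::/48 allow

    # A carve-out that is dropped entirely, local zones included.
    access-control: 198.51.100.0/24 deny

    # Tags decide which local-zones a client can see. Without them,
    # refuse_non_local exposes every local-zone to the catch-all netblock.
    define-tag: "public internal"
    access-control-tag: 0.0.0.0/0 "public"
    access-control-tag: ::0/0 "public"
    access-control-tag: 192.0.2.0/24 "public internal"
    access-control-tag: 2001:db8:1::/48 "public internal"

    # The one zone everyone may query.
    local-zone: "public.example." static
    local-zone-tag: "public.example." "public"
    local-data: "www.public.example. IN A 203.0.113.10"

    # A zone only the internal group may query. For a client without the
    # "internal" tag the zone is skipped during local-zone lookup, so the
    # query falls through to normal processing and is answered REFUSED.
    local-zone: "corp.example." static
    local-zone-tag: "corp.example." "internal"
    local-data: "intranet.corp.example. IN A 192.0.2.20"
```

Run `unbound-checkconf` after editing, then verify from an outside address that `dig @<server> www.public.example A` returns the A record while `dig @<server> intranet.corp.example A` and any external name both return REFUSED; from a host in 192.0.2.0/24 all three should resolve. Two things to keep in mind: a local-zone without any local-zone-tag stays visible to every client, so tag every zone you want restricted; and if you choose the view approach instead, a view replaces the server-level local-zones for its clients unless the view sets `view-first: yes`, which falls back to the global local-zones when the view has no match. The /0 entries also mean the server answers the whole Internet for the tagged zone, so treat it as an exposed authoritative-style endpoint when deciding on rate limits and monitoring.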