Allowing PTR queries only for specific subnets?

Hello

We are trying to allow only a specific set of subnets to get reverse answers.

Basically, our typical internal network topology is 10.0.0.0/8, with servers in 10.1.0.0/16 and users in other 10.X/16.

We want to:

  • allow clients in 10.1.0.0/16 to make PTR requests to Unbound

  • deny clients from any other network from making PTR requests to Unbound

As we are using stub-zone and forward-zone (as shown below), we cannot use Tags or Views,

and it is explicitly stated in the documentation that Tags/Views work only on local-zones...

We have not succeeded either by fiddling with the "in-addr" local-zone in the server block.

Would anyone have some insight as to:

  • whether it is possible at all, with unbound or nsd?

  • if so, how do we proceed?

Thanks in advance

Nicolas

Our unbound+nsd topology is the following, with its configuration below:

  • 10.1.1.1: unbound server, recursive resolver for everyone (servers and users)

  • 10.1.1.2 and 10.1.1.3: nsd servers serving example.com. and 1.1.10.in-addr.arpa.

~ > cat /etc/unbound/unbound.conf

    server:
        verbosity: 0
        interface: 10.1.1.1
        port: 53
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        access-control: 0.0.0.0/0 allow
        # disable the built-in AS112 answer for 10.in-addr.arpa so the stub zone below is reachable
        local-zone: "10.in-addr.arpa." nodefault
        domain-insecure: "*"
        use-syslog: yes
        log-replies: yes
        log-servfail: yes
        extended-statistics: yes
        statistics-interval: 300
        edns-buffer-size: 1472
        cache-max-ttl: 600
        cache-min-ttl: 300
        delay-close: 10000
        neg-cache-size: 4M
        num-threads: 2
        outgoing-range: 950
        so-reuseport: yes
        serve-expired: no
        hide-identity: yes
        hide-version: yes

    remote-control:
        control-enable: yes
        control-use-cert: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
        control-interface: 127.0.0.1
        control-port: 8953

    stub-zone:
        name: "example.com."
        stub-addr: 10.1.1.2@53053
        stub-addr: 10.1.1.3@53053

    stub-zone:
        name: "1.1.10.in-addr.arpa."
        stub-addr: 10.1.1.2@53053
        stub-addr: 10.1.1.3@53053

    forward-zone:
        name: "."
        # a forward-zone takes forward-addr, not stub-addr (stub-addr here is a parse error)
        forward-addr: 10.1.1.2@53053
        forward-addr: 10.1.1.3@53053

Hello

Would anyone, by chance, have any insight on this subject?

Thanks in advance

Nicolas

Hello

Would anyone, by chance, have any insight on this subject?

We are currently looking at using iptables to filter the queries,
and it is not the most elegant/future-proof/reliable way...

It would be great if we could do the filtering in the application instead!

Thanks in advance for your help
Nicolas

Can you please give an example how you are currently doing this? And what change you are looking for?

Regards

Hi Nicolas,

The following configuration parts may result in what you need; I haven't tested though:

     server:
         access-control-view: 10.1.0.0/16 allowptr
         access-control-view: 0.0.0.0/0 disallowptr

     view:
         name: allowptr
     view:
         name: disallowptr
         local-zone: in-addr.arpa. refuse
         local-zone: ip6.arpa. refuse

Best regards,
-- Yorgos
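Putting Yorgos's views together with the stub zones from the original post gives the following complete fragment. It is an added example, not configuration from the thread or from the Unbound documentation; the view names are Yorgos's, and the addresses and nsd port are the ones Nicolas posted. The only assumption is that the nsd servers really listen on 53053 as in the original file.

```conf
server:
    interface: 10.1.1.1
    # access-control-view only applies to clients that access-control already admits
    access-control: 0.0.0.0/0 allow
    # longest prefix wins: 10.1.0.0/16 is matched before the 0.0.0.0/0 catch-all
    access-control-view: 10.1.0.0/16 allowptr
    access-control-view: 0.0.0.0/0 disallowptr
    # drop the built-in AS112 answer for 10.in-addr.arpa, otherwise the global
    # local-zone shadows the stub zone for clients that reach the global zones
    local-zone: "10.in-addr.arpa." nodefault

view:
    name: "allowptr"
    # no local zones of its own: fall through to the global local zones and
    # then to normal resolution (stub-zone / forward-zone)
    view-first: yes

view:
    name: "disallowptr"
    # local zones are consulted before stub and forward zones, so this refuse
    # wins over the 1.1.10.in-addr.arpa stub for every client in this view;
    # it covers any query type under the reverse trees, not only PTR
    local-zone: "in-addr.arpa." refuse
    local-zone: "ip6.arpa." refuse

stub-zone:
    name: "1.1.10.in-addr.arpa."
    stub-addr: 10.1.1.2@53053
    stub-addr: 10.1.1.3@53053

forward-zone:
    name: "."
    forward-addr: 10.1.1.2@53053
    forward-addr: 10.1.1.3@53053
```

Check the file with `unbound-checkconf` before reloading, then verify from both sides of the line: `dig -x 10.1.1.2 @10.1.1.1` from a host in 10.1.0.0/16 should return the PTR from nsd, while the same query from any other 10.x/16 host should come back with status REFUSED and no answer section. The refuse is keyed on the client's source address, so a NAT or a forwarding resolver sitting between the users and 10.1.1.1 would make every user look like that intermediate host; the views only work when Unbound sees the real client addresses.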

If you need complicated query handling/manipulation/view-like functions for Unbound, consider placing dnsdist ( dnsdist.org ) in front of your Unbound instance.

dnsdist with a few lines of Lua script (it also runs LuaJIT) should do what you want.
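For completeness, here is what the dnsdist variant of the same policy looks like. This is an added example written for this thread, not code from dnsdist's documentation or from the thread itself. It assumes a dnsdist 1.4 or newer in front of the existing resolver, listening on 10.1.1.4 (a made-up address for the front end); the resolver address and the allowed subnet are the ones from the original post.

```lua
-- dnsdist front end for the Unbound resolver at 10.1.1.1:
-- refuse anything under the reverse trees unless the client is in 10.1.0.0/16,
-- hand every other query to Unbound unchanged.

-- assumed listen address for the dnsdist front end (clients point at this instead of 10.1.1.1)
setLocal("10.1.1.4:53")

-- back end: the existing Unbound recursive resolver
newServer({address = "10.1.1.1:53", name = "unbound"})

-- client subnets that are allowed to ask reverse questions
local ptrAllowed = newNMG()
ptrAllowed:addMask("10.1.0.0/16")

-- the reverse trees; matching on the name rather than on QTYPE=PTR mirrors the
-- Unbound local-zone approach and also catches ANY/TXT/... queries under them
local reverseTrees = newSuffixMatchNode()
reverseTrees:add(newDNSName("in-addr.arpa."))
reverseTrees:add(newDNSName("ip6.arpa."))

-- rule: query name is under a reverse tree AND source address is not in the allowed group
addAction(
  AndRule({
    SuffixMatchNodeRule(reverseTrees),
    NotRule(NetmaskGroupRule(ptrAllowed)),
  }),
  RCodeAction(DNSRCode.REFUSED)
)
```

Rules are evaluated in the order they are added, so this one has to come before any catch-all routing rule. As with the Unbound views, the decision is based on the source address dnsdist sees, so it must be the first hop from the clients, not behind a NAT or another forwarder.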