Restrict forward-zones access

Hello,

I am looking for a way to restrict the clients to which Unbound should
answer on a specific domain. For instance, answer to ranges defined by
the RFC1918 in general, but only allow access to example.local for the
clients in the 10.0.0.0/8 range.

To be more explicit, the aim is to prevent some clients (although they
are legitimate in the general case, and should be answered for external
domains) from querying some internal domain names (private TLD).

If I cannot do anything else, I will go for multiple instances, which is
far from being optimal (would mean more resources, multiple instances of
cached answers, necessity to use multiple IP addresses, etc.).

Thank you in advance.

Regards,

Charles-Antoine Guillat-Guignard

Hi,

   AFAIK Unbound has no such complicated access control facilities.

   If you run Unbound on Linux, you can block a packet
which contains a specific string by Netfilter. For example
this iptables rule drops UDP queries for "example.local"
which do not originate from 10.0.0.0/8 clients:

  iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string \
    --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j DROP

But this rule can't control TCP or IP-fragmented UDP queries.
(It is difficult to classify these queries by this method.)

Regards,
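An added example (not from either poster) that shows where the `|07|example|05|local|00|` pattern and the `--from 40` offset in the rule above come from, and emulates the rule's decision on constructed DNS queries; the query builder and the `rule_would_drop` helper are illustrative, not an iptables API.

```python
import ipaddress
import struct

ALLOWED_NET = ipaddress.ip_network("10.0.0.0/8")  # the range named in the thread

def dns_wire_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: a length byte per label, then a 0x00 root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def iptables_hex_string(name: str) -> str:
    """Render the wire-format name in iptables --hex-string syntax.
    Bytes between pipes are hex; text outside pipes is literal."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(l):02x}|{l}" for l in labels) + "|00|"

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Constructed DNS query payload (12-byte header + one question) for testing.
    ID 0x1234, flags RD set, QDCOUNT 1, class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(qname) + struct.pack("!HH", qtype, 1)

def rule_would_drop(src_ip: str, proto: str, dns_payload: bytes,
                    blocked: str = "example.local") -> bool:
    """Emulate the posted rule: UDP only, source outside 10.0.0.0/8, and the
    wire-format name present (case-insensitively, as --icase does) anywhere from
    the question section onward. IP(20) + UDP(8) + DNS header(12) = 40, which is
    the --from offset; here the payload starts at the DNS header, so skip 12."""
    if proto != "udp":                      # the rule does not cover TCP/53
        return False
    if ipaddress.ip_address(src_ip) in ALLOWED_NET:
        return False                        # "\! -s 10.0.0.0/8" exempts these
    # A substring search also matches names under the zone, e.g. www.example.local.
    return dns_wire_name(blocked).lower() in dns_payload[12:].lower()
```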

Hello,

Yes, I already considered using Netfilter, but data inspection price
seems too high on latency and qps capacity.

Well, I will check which way is less impacting (multiple instances or
filtering).

Thank you for your time and for the feedback.

Regards

Charles-Antoine Guillat-Guignard