Hey guys, was wondering if you could help me figure out how to configure unbound.
I would like to set up whitelisting. There was a post which recommended doing the following:
In several installations I use a combination of local zones, stub
zones and forward zones and have never used a construct such as
"local-zone: "." static".
Hi, P T,
Hey guys, was wondering if you could help me figure out how to configure
unbound. I would like to set up whitelisting. There was a post which recommended
doing the following:
----
local-zone: "." static
local-zone: "gooddomain.com" transparent
local-zone: "anothergooddomain.com" transparent
----
That works fine. But what I also want to do is the following:
----
forward-zone:
    name: "my.local.zone"
    forward-addr: 172.16.16.1
----
When querying for a record in my.local.zone, I get NXDOMAIN, as if I
failed the whitelist "check". So it seems like the catch-all "." line in
local-zone is being evaluated before forward-zone.
Yes, local-zones are evaluated before forward-zones and stub-zones. This
feature is on purpose, to filter downstream queries before they reach
the state machine in unbound.
What I think you want is to add a local-zone: "my.local.zone"
transparent statement. So have a forward-zone and also a local-zone for
my.local.zone. The local-zone allows it to bypass your whitelisting
check. The forward-zone entry configures where queries are sent when
the query reaches that stage in the state-machine code.
Is there any way around this? If not, is there another way to do
whitelisting?
In new versions there is access-control-tag, access-control-view, where
you can conditionalize the local-zone filter to the IP-address of the
client. Or local-zone-override that also evaluates the IP-address to
change a local-zone, and overrides the previous mechanisms.
The configuration of ratelimit-for-domain could be used to filter
queries (it is evaluated after local-zones, and after forward-zones, so
more state-machine effort is spent, so I wouldn't advise it). But it is
really meant for ratelimiting, of course.
Best regards, Wouter
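As an added illustration (not a fragment from the thread itself), here is the complete configuration that combines the original whitelist with the fix Wouter describes. The server: clause is assumed, since local-zone is a server option; the domain names and the 172.16.16.1 forwarder are the ones from the question.

```conf
server:
    # Constructed example: everything not listed explicitly below is
    # answered from the static root zone, i.e. with NXDOMAIN/NODATA.
    local-zone: "." static

    # Whitelisted public domains. "transparent" means: no local data for
    # this name, so continue with normal resolution instead of refusing.
    local-zone: "gooddomain.com" transparent
    local-zone: "anothergooddomain.com" transparent

    # The fix from the reply: local-zones are evaluated before forward-zones,
    # so without this line the "." static zone swallows my.local.zone
    # queries before the forward-zone below is ever consulted.
    local-zone: "my.local.zone" transparent

forward-zone:
    # Only reached once a query has passed the local-zone stage.
    name: "my.local.zone"
    forward-addr: 172.16.16.1
```

Run unbound-checkconf against the file before reloading; it catches syntax errors but will not warn you about a forward-zone that is shadowed by a local-zone, so test a name under my.local.zone after the reload as well.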