Whitelisting with local-zone + forwarding to local dns server
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Mon May 29 12:01:25 UTC 2017
Hi, P T,
On 26/05/17 18:00, P T via Unbound-users wrote:
> Hey guys, was wondering if you could help me figure out how to configure
> unbound.
>
> I would like to setup whitelisting. There was a post which recommended
> doing the following:
>
> ----
>
> local-zone: "." static
>
> local-zone: "gooddomain.com" transparent
> local-zone: "anothergooddomain.com" transparent
>
> ----
>
> That works fine. But what I also want to do is the following:
>
> ----
>
> forward-zone:
> name: "my.local.zone"
> forward-addr: 172.16.16.1
>
> ----
>
> When querying for a record in my.local.zone, I get NXDOMAIN, as if I
> failed the whitelist "check". So it seems like the catch-all "." line in
> local-zone is being evaluated before forward-zone.
Yes, local-zones are evaluated before forward-zones and stub-zones. This
feature is on purpose, to filter downstream queries before they reach
the state machine in unbound.
What I think you want is to add a local-zone: "my.local.zone"
transparent statement. So have a forward-zone and also a local-zone for
my.local.zone. The local-zone allows it to bypass your whitelisting
check. The forward-zone entry configures where queries are sent when
the query reaches that stage in the state-machine code.
>
> Is there any way around this? If not, is there another way to do
> whitelisting?
In new versions there is access-control-tag, access-control-view, where
you can conditionalize the local-zone filter to the IP-address of the
client. Or local-zone-override that also evaluates the IP-address to
change a local-zone, and overrides the previous mechanisms.
The configuration of ratelimit-for-domain could be used to filter
queries (it is evaluated after local-zones, and after forward-zones, so
more state-machine effort is spent, so I wouldn't advise it). But it is
really meant for ratelimiting, of course.
Best regards, Wouter
>
> Thanks for any help!
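As an added example (not from this thread and not Unbound's own code), a small Python model of the evaluation order described in the reply: longest-suffix local-zone match first, forward-zone match second. It reproduces the NXDOMAIN from the quoted configuration and shows that adding local-zone: "my.local.zone" transparent lets the forward-zone take effect. Zone types are simplified to static and transparent, and the zone data is constructed.

```python
# Simplified model of the two stages described above (added example; not
# Unbound's own code). A local-zone is the longest zone name that is a
# suffix of the query name; "static" answers NXDOMAIN when it has no data,
# "transparent" lets the query continue to the forward-zone stage.

def _labels(name):
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def _is_suffix(zone, qname):
    z, q = _labels(zone), _labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z


def longest_match(zones, qname):
    """Most specific entry of `zones` ({name: value}) that covers qname."""
    best = None
    for zone, value in zones.items():
        if _is_suffix(zone, qname):
            if best is None or len(_labels(zone)) > len(_labels(best[0])):
                best = (zone, value)
    return best


def resolve(qname, local_zones, forward_zones):
    """Run qname through local-zone first, then forward-zone (Unbound's order)."""
    hit = longest_match(local_zones, qname)
    if hit is not None and hit[1] == "static":
        return "NXDOMAIN (local-zone %s static)" % hit[0]
    fwd = longest_match(forward_zones, qname)
    if fwd is not None:
        return "forwarded to %s (forward-zone %s)" % (fwd[1], fwd[0])
    return "recursion"


# Constructed data, mirroring the quoted configuration.
WHITELIST = {".": "static", "gooddomain.com": "transparent",
             "anothergooddomain.com": "transparent"}
FORWARDS = {"my.local.zone": "172.16.16.1"}
# The fix from the reply: a transparent local-zone for the forwarded zone.
WHITELIST_FIXED = dict(WHITELIST, **{"my.local.zone": "transparent"})

if __name__ == "__main__":
    for name in ("www.gooddomain.com", "host.my.local.zone", "evil.example"):
        print(name, "->", resolve(name, WHITELIST, FORWARDS))
    print("host.my.local.zone (fixed) ->",
          resolve("host.my.local.zone", WHITELIST_FIXED, FORWARDS))
```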