<div dir="auto"><div lang="FR" style="word-wrap:break-word"><div class="m_-8886103326418980096WordSection1">
<p class="MsoNormal">Hello</p>
<p class="MsoNormal">We are trying to allow only a specific set of subnets to get reverse answers.</p>
<p class="MsoNormal">Basically, our typical internal network topology is 10.0.0.0/8, with servers in 10.1.0.0/16 and users in other 10.X/16.</p>
<p class="MsoNormal">We want to:</p>
<ul>
<li>allow clients in 10.1.0.0/16 to make PTR requests to Unbound</li>
<li>deny clients from any other network from making PTR requests to Unbound</li>
</ul>
<p class="MsoNormal">As we are using stub-zone and forward-zone (as shown below), we cannot use Tags or Views, and it is explicitly stated in the documentation that Tags/Views work only on local-zones…</p>
<p class="MsoNormal">We have not succeeded either by fiddling with the "in-addr" local-zone in the server block.</p>
<p class="MsoNormal">Would anyone have some insight as to:</p>
<ul>
<li>if it is possible at all, with unbound or nsd?</li>
<li>if so, how do we proceed?</li>
</ul>
<p class="MsoNormal">Thanks in advance</p>
<p class="MsoNormal">Nicolas</p>
<p class="MsoNormal">Our unbound+nsd topology is the following, with its configuration below:</p>
<ul>
<li>10.1.1.1: unbound server, recursive resolver for everyone (servers and users)</li>
<li>10.1.1.2 and 10.1.1.3: nsd servers serving example.com. and 1.1.10.in-addr.arpa</li>
</ul>
<pre>~ &gt; cat /etc/unbound/unbound.conf
server:
        verbosity: 0
        interface: 10.1.1.1
        port: 53
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        access-control: 0.0.0.0/0 allow
        local-zone: "10.in-addr.arpa." nodefault
        domain-insecure: "*"
        use-syslog: yes
        log-replies: yes
        log-servfail: yes
        extended-statistics: yes
        statistics-interval: 300
        edns-buffer-size: 1472
        cache-max-ttl: 600
        cache-min-ttl: 300
        delay-close: 10000
        neg-cache-size: 4M
        num-threads: 2
        outgoing-range: 950
        so-reuseport: yes
        serve-expired: no
        hide-identity: yes
        hide-version: yes

remote-control:
        control-enable: yes
        control-use-cert: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
        control-interface: 127.0.0.1
        control-port: 8953

stub-zone:
        name: "example.com."
        stub-addr: 10.1.1.2@53053
        stub-addr: 10.1.1.3@53053

stub-zone:
        name: "1.1.10.in-addr.arpa."
        stub-addr: 10.1.1.2@53053
        stub-addr: 10.1.1.3@53053

forward-zone:
        name: "."
        # a forward-zone takes forward-addr; stub-addr is only valid inside a stub-zone
        forward-addr: 10.1.1.2@53053
        forward-addr: 10.1.1.3@53053
</pre>
</div></div></div>
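An added example, not part of Nicolas's message, showing how the per-client restriction can be expressed with views: Unbound consults local-zones (global or view-specific) before it looks at stub-zones and forward-zones, so a view that attaches a `refuse` local-zone to the reverse tree blocks PTR lookups for the clients assigned to it, while the 10.1.0.0/16 clients get a view without that override and still reach the stub zone. The view names `users` and `servers` are chosen for this example, and it assumes an Unbound release that supports `view:` and `access-control-view`.

```conf
server:
        interface: 10.1.1.1
        access-control: 0.0.0.0/0 allow
        # keep the RFC 1918 default zone off so the stub zone below can answer
        local-zone: "10.in-addr.arpa." nodefault
        # access-control-view uses the most specific matching netblock:
        # everyone gets "users" except 10.1.0.0/16, which gets "servers"
        access-control-view: 0.0.0.0/0 users
        access-control-view: 10.1.0.0/16 servers

# view names are hypothetical, chosen for this example
view:
        name: "users"
        # local zones are evaluated before stub/forward zones, so any query whose
        # name falls under the reverse trees is answered REFUSED here and never
        # reaches the 1.1.10.in-addr.arpa stub zone. Matching is on the query
        # name, not on qtype PTR, so every type under these names is refused.
        local-zone: "in-addr.arpa." refuse
        local-zone: "ip6.arpa." refuse
        # for all other names fall back to the global local-zones (localhost etc.)
        view-first: yes

view:
        name: "servers"
        # no overrides: reverse queries from 10.1.0.0/16 fall through to the
        # global local-zones (where 10.in-addr.arpa is "nodefault") and then
        # to the stub zone
        view-first: yes

stub-zone:
        name: "1.1.10.in-addr.arpa."
        stub-addr: 10.1.1.2@53053
        stub-addr: 10.1.1.3@53053
```

Run `unbound-checkconf` before reloading; afterwards `dig -x 10.1.1.2 @10.1.1.1` should return REFUSED from a client outside 10.1.0.0/16 and the PTR from the stub zone for a client inside it.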