[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?
Jiri Bohac
jiri at boha.cz
Mon Feb 10 21:17:55 UTC 2014
Hi,
I'm trying to replace my bind server with unbound + nsd.
My DNS server works both as authoritative for a few zones and
also as a recursive resolver for a few subnets.
I configured the domains I want to serve authoritatively as stub
zones in unbound, so that the requests are forwarded to a locally
running nsd on a different port.
I need the server to allow non-recursive queries from anywhere.
I want to allow recursive queries only from specified subnets to
prevent misuse of my server for a DNS amplification attack.
The "access-control:" directive only has these actions:
refuse
deny
allow_snoop -- allows recursive + nonrecursive queries
allow -- allows recursive queries
I am missing an action to only allow nonrecursive queries.
Then, I could do:
access-control: 1.2.3.0/24 allow_snoop
access-control: 0.0.0.0/0 allow_nonrec
to only allow recursive queries from 1.2.3.x and nonrecursive
from anywhere.
What other options do I have?
I'm limited to a single IP address, so I can't run unbound on one
and nsd on another.
The only solution I can think of is using iptables to redirect
the DNS traffic to unbound's port for queries from 1.2.3.0/24 and
to nsd's port for other queries. Makes me sort of uneasy ;)
Would it be a totally stupid thing to implement the allow_nonrec
action for access-control? Any chances of such a patch being
accepted for unbound?
--
Jiri Bohac
e-mail/jabber: jiri at boha.cz
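As an added example (not part of the original post, and not unbound's own code), the following Python script models the access-control decision the poster is after: it parses access-control lines, picks the most specific matching subnet, and combines the action with the query's RD (recursion desired) bit to decide whether the query would be answered, refused or dropped. The allow_nonrec action is the hypothetical one proposed in the post; longest-prefix matching and "refuse when no rule matches" are assumptions of this model. The config texts are constructed for the example, and the "open resolver" config is included to contrast the weak setting (allow from 0.0.0.0/0) with the intended policy.

```python
"""Model of unbound-style access-control decisions, extended with the
allow_nonrec action proposed in the post.  Added example, not unbound code."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Actions from the post plus the hypothetical allow_nonrec (assumption: it
# answers RD=0 queries and refuses RD=1 queries, the mirror image of allow).
ACTIONS = {"deny", "refuse", "allow", "allow_snoop", "allow_nonrec"}


def parse_access_control(conf_text: str) -> List[Tuple[Network, str]]:
    """Extract 'access-control: <net> <action>' lines from unbound.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        parts = line[len("access-control:"):].split()
        if len(parts) != 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        net, action = parts
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} in {raw!r}")
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def match_action(rules: List[Tuple[Network, str]], src_ip: str) -> str:
    """Most specific (longest prefix) matching rule wins.
    Assumption: a source matched by no rule is refused."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def decide(rules: List[Tuple[Network, str]], src_ip: str, rd: bool) -> str:
    """Return 'answer', 'refused' or 'drop' for a query from src_ip whose
    RD flag is rd (True = client asks for recursion)."""
    action = match_action(rules, src_ip)
    if action == "deny":
        return "drop"                       # no response at all
    if action == "refuse":
        return "refused"                    # RCODE REFUSED
    if action == "allow_snoop":
        return "answer"                     # recursive and non-recursive
    if action == "allow":
        return "answer" if rd else "refused"  # recursive only
    if action == "allow_nonrec":            # hypothetical, from the post
        return "refused" if rd else "answer"
    raise AssertionError(f"unhandled action {action}")


# Constructed config: the policy the post wants to express.
INTENDED_CONF = """
access-control: 1.2.3.0/24 allow_snoop     # local subnet: anything
access-control: 0.0.0.0/0 allow_nonrec     # everyone else: no recursion
"""
INTENDED_RULES = parse_access_control(INTENDED_CONF)

# Constructed config: the weak setting, an open recursive resolver.
OPEN_CONF = "access-control: 0.0.0.0/0 allow\n"
OPEN_RULES = parse_access_control(OPEN_CONF)

if __name__ == "__main__":
    probes = [("1.2.3.4", True), ("1.2.3.4", False),
              ("198.51.100.7", True), ("198.51.100.7", False),
              ("2001:db8::1", False)]
    for ip, rd in probes:
        print(f"{ip:14} RD={int(rd)} intended={decide(INTENDED_RULES, ip, rd):8} "
              f"open={decide(OPEN_RULES, ip, rd)}")
```

Two things the model makes visible: an IPv6 source hits no rule in the constructed config and falls back to refuse, so a real policy needs ::/0 as well; and refusing RD=1 from untrusted networks only keeps the cache from being used for amplification, while the authoritative zones are still answered to everyone by design, so rate limiting on the authoritative side remains the usual complement.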