Restrict forward-zones access

Daisuke HIGASHI daisuke.higashi at
Thu Nov 12 16:52:06 UTC 2015


   AFAIK Unbound has no such complicated access control facilities.

   If you are run Unbound on Linux, you can block a packet
which contains specific string by Netfilter. For example
this iptables rule drops UDP queres for "example.local"
which is not originated by clients:

  iptables -A INPUT -p udp --dport 53 \! -s -m string
--algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j

But this rule can't control TCP or IP-fragmented UDP queries.
(It is difficult to classify these queries by this method.)

 Daisuke HIGASHI

2015-11-12 23:39 GMT+09:00 Charles-antoine Guillat-Guignard via
Unbound-users <unbound-users at>:
> Hello,
> I am looking for a way to restrict the clients to which Unbound should
> answer on a specific domain. For instance, answer to ranges defined by
> the RFC1918 in general, but only allow access to example.local for the
> clients in the range.

More information about the Unbound-users mailing list