Restrict forward-zones access
xarli at xarli.net
Fri Nov 13 11:37:37 UTC 2015
Yes, I already considered using Netfilter, but data inspection price
seems too high on latency and qps capacity.
Well, I will check which way is less impacting (multiple instances or
Thank you for your time and for the feedback.
Le 12/11/2015 17:52, Daisuke HIGASHI a écrit :
> AFAIK Unbound has no such complicated access control facilities.
> If you are run Unbound on Linux, you can block a packet
> which contains specific string by Netfilter. For example
> this iptables rule drops UDP queres for "example.local"
> which is not originated by 10.0.0.0/8 clients:
> iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string
> --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j
> But this rule can't control TCP or IP-fragmented UDP queries.
> (It is difficult to classify these queries by this method.)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 213 bytes
Desc: OpenPGP digital signature
More information about the Unbound-users