Restrict forward-zones access

Charles-antoine Guillat-Guignard xarli at
Fri Nov 13 11:37:37 UTC 2015


Yes, I already considered using Netfilter, but data inspection price
seems too high on latency and qps capacity.

Well, I will check which way is less impacting (multiple instances or

Thank you for your time and for the feedback.


Charles-Antoine Guillat-Guignard

Le 12/11/2015 17:52, Daisuke HIGASHI a écrit :
> Hi,
>    AFAIK Unbound has no such complicated access control facilities.
>    If you are run Unbound on Linux, you can block a packet
> which contains specific string by Netfilter. For example
> this iptables rule drops UDP queres for "example.local"
> which is not originated by clients:
>   iptables -A INPUT -p udp --dport 53 \! -s -m string
> --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j
> But this rule can't control TCP or IP-fragmented UDP queries.
> (It is difficult to classify these queries by this method.)
> Regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Unbound-users mailing list