Restrict forward-zones access
Charles-antoine Guillat-Guignard
xarli at xarli.net
Fri Nov 13 11:37:37 UTC 2015
Hello,
Yes, I already considered using Netfilter, but data inspection price
seems too high on latency and qps capacity.
Well, I will check which way is less impacting (multiple instances or
filtering).
Thank you for your time and for the feedback.
Regards
Charles-Antoine Guillat-Guignard
On 12/11/2015 17:52, Daisuke HIGASHI wrote:
> Hi,
>
> AFAIK Unbound has no such complicated access control facilities.
>
> If you run Unbound on Linux, you can block a packet
> which contains a specific string by Netfilter. For example,
> this iptables rule drops UDP queries for "example.local"
> which are not originated by 10.0.0.0/8 clients:
>
> iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string \
> --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" \
> -j DROP
>
> But this rule can't control TCP or IP-fragmented UDP queries.
> (It is difficult to classify these queries by this method.)
>
> Regards,
>