simplest way to forward to diff resolver based on src
Eric Luehrsen
ericluehrsen at hotmail.com
Mon Apr 10 04:03:05 UTC 2017
On 04/09/2017 10:31 PM, Spike via Unbound-users wrote:
> Dear all,
> I have a default unbound instance for the lan and I'd like to add two
> more specialized ones (python scripting is involved) and direct queries
> to those depending on client.
> So all machines get default dns 1.1.1.1, but when queries come in on
> that machine unbound would look at the src and:
> - if in range 1.1.1.x just resolve it
> - if in range 1.1.2.x send it to 1.1.2.1
> - if in range 1.1.3.x send it to 1.1.2.3
> I can't see a simple way of doing that, the forward zones seem to be
> based on destination, not source, and a firewall would involve natting
> which isn't great.
> Also caching seems to be an issue, the fw zones are used if a response
> cannot be found from cache afaik. My scenario requires that requests
> from ranges 2 and 3 are never cached and requests always forwarded.
> any common/clean way of doing this?
> thanks,
> Spike
Hi Spike
If you have one subnet 1.1.0.0/16, then it doesn't look supported (even
looking at dnsmasq as an intermediary). Usually the kind of access
control I'd imply from your question is done with subnets. Isolation is
often done for other reasons. If you have three subnets (and VLAN)
1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24, then you can have three unique
Unbound instances. Each listens only on the interface of its respective
subnet. If they need to share local DNS, then you can add the necessary
forward clauses.
#example
server:
    # serve only subnet3
    interface: 1.1.3.1@53
    # accept forward from Unbound-subnet2 and Unbound-subnet1
    interface: 127.0.0.1@5303
    # Unbound refuses to send queries to 127.0.0.0/8 unless this is set to no
    do-not-query-localhost: no
# Get local DNS about subnet2
forward-zone:
    name: "subnet2.example.com."
    forward-addr: 127.0.0.1@5302
forward-zone:
    name: "2.1.1.in-addr.arpa."
    forward-addr: 127.0.0.1@5302
-Eric
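The complementary instance for subnet2, written out in full as an added example (not Eric's posted config nor anything from the Unbound project). It binds to the subnet2 address plus a loopback port for the other two instances, and uses access-control so that only subnet2 clients and the loopback forwarders can query it. The addresses 1.1.2.1, the ports 5302/5303, the zone names and the pidfile path are assumptions carried over from the thread's address plan:

```conf
# Unbound instance for subnet2 (1.1.2.0/24).  Runs next to the subnet1 and
# subnet3 instances; addresses, ports, zone names and paths are assumptions.
server:
    # each instance needs its own pidfile, or the second one refuses to start
    pidfile: "/run/unbound-subnet2.pid"
    # serve only subnet2, plus a loopback port the other instances forward to
    interface: 1.1.2.1@53
    interface: 127.0.0.1@5302
    # refuse everything, then allow subnet2 clients and the local forwarders
    access-control: 0.0.0.0/0 refuse
    access-control: 1.1.2.0/24 allow
    access-control: 127.0.0.0/8 allow
    # Unbound will not send queries to 127.0.0.0/8 unless this is set to no
    do-not-query-localhost: no
# names and reverse records for subnet3 are owned by the subnet3 instance
forward-zone:
    name: "subnet3.example.com."
    forward-addr: 127.0.0.1@5303
forward-zone:
    name: "3.1.1.in-addr.arpa."
    forward-addr: 127.0.0.1@5303
```

Validate each file with `unbound-checkconf /path/to/unbound-subnet2.conf` before starting it with `unbound -c /path/to/unbound-subnet2.conf`. Two points to keep in mind with this layout: the access-control lines are what actually enforce the "by source" split, since the interface binding alone only decides which address each instance answers on; and answers that an instance obtains through a forward-zone are cached by that instance like any other answer, so this arrangement on its own does not give the "never cached, always forwarded" behaviour Spike asked about for ranges 2 and 3.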