simplest way to forward to diff resolver based on src

Eric Luehrsen ericluehrsen at
Mon Apr 10 04:36:02 UTC 2017

On 04/10/2017 12:03 AM, Eric Luehrsen wrote:
> On 04/09/2017 10:31 PM, Spike via Unbound-users wrote:
>> Dear all,
>> I have a default unbound instance for the lan and I'd like to add two
>> more specialized ones (python scripting is involved) and direct queries
>> to those depending on client.
>> So all machines get default dns, but when queries come in on
>> that machine unbound would look at the src and:
>> - if in range 1.1.1.x just resolve it
>> - if in range 1.1.2.x send it to
>> - if in range 1.1.3.x send it to
>> I can't see a simple way of doing that, the forward zones seems to be
>> based on destination, not source, and a firewall would involve natting
>> which isn't great.
>> Also caching seems to be an issue, the fw zones are used if a response
>> cannot be found from cache afaik. My scenario requires that requests
>> from ranges 2 and 3 are never cached and requests always forwarded.
>> any common/clean way of doing this?
>> thanks,
>> Spike
> Hi Spike
> If you have one subnet, then it doesn't look supported (even
> looking at dnsmasq as an intermediary). Usually the kind of access
> control I'd imply from your question is done with subnets. Isolation is
> often done for other reasons. If you have three subnets (and VLAN)
>,, and, then you can have three unique
> Unbound instances. Each only listens on one interface respective of the
> subnet. If they need to share local DNS, then you can add the necessary
> forward clauses.

There may be another way. It's a bit tricky and I don't know the 
pitfalls. Unbound views and tags are new. You would need 4 Unbound 
instances. The first instance would forward _ALL_ DNS zones to a dummy 
forward host name. You can define that host name as local data under tags 
or views. The tags or views associate with the query address. 3 other 
Unbound instances would do the real work, only listening on unusual 
local host addresses (,,

# example leading dummy instance
server:
   define-tags: "group1 group2 group3"
   access-control-view: group1
   access-control-view: group2
   access-control-view: group3

# one view per client group; each answers the dummy host name differently
view:
   name: group1
   local-zone: transparent
   local-data: " 3600 IN A"

view:
   name: group2
   local-zone: transparent
   local-data: " 3600 IN A"

view:
   name: group3
   local-zone: transparent
   local-data: " 3600 IN A"

# This _ALL_ zone forward host will resolve respective of view
forward-zone:
   name: "."
   forward-host: ""
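A filled-in version of this layout, added here as a worked example and not Eric's own config: the three client ranges are the ones from Spike's question, while the dummy name `fwd.dummy.internal.` and the loopback listener addresses 127.0.0.11 to 127.0.0.13 are constructed placeholders.

```conf
# Front-end instance (added example; netblocks from the question, the
# dummy name and the 127.0.0.1x listener addresses are constructed).
server:
    interface: 0.0.0.0
    access-control: 1.1.1.0/24 allow
    access-control: 1.1.2.0/24 allow
    access-control: 1.1.3.0/24 allow
    # Pick a view by the query's source address.
    access-control-view: 1.1.1.0/24 group1
    access-control-view: 1.1.2.0/24 group2
    access-control-view: 1.1.3.0/24 group3
    # The back-ends live on loopback; Unbound refuses to query
    # localhost addresses unless this is switched off.
    do-not-query-localhost: no

# Each view answers the same dummy name with its own back-end's address.
view:
    name: "group1"
    local-zone: "dummy.internal." transparent
    local-data: "fwd.dummy.internal. 3600 IN A 127.0.0.11"

view:
    name: "group2"
    local-zone: "dummy.internal." transparent
    local-data: "fwd.dummy.internal. 3600 IN A 127.0.0.12"

view:
    name: "group3"
    local-zone: "dummy.internal." transparent
    local-data: "fwd.dummy.internal. 3600 IN A 127.0.0.13"

# Forward every zone to the dummy name; which back-end that name
# resolves to depends on the view chosen for the client's address.
forward-zone:
    name: "."
    forward-host: "fwd.dummy.internal."

# --- separate unbound.conf for the group2 back-end (one per group) ---
# server:
#     interface: 127.0.0.12
#     access-control: 127.0.0.0/8 allow
#     # python module or other specialised settings for this group here
```

The front-end keeps a single shared cache for answers from all three back-ends, so on its own this layout does not meet the requirement that queries from ranges 2 and 3 are never cached.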
