Private zone and access control

W.C.A. Wijngaards wouter at
Tue Jun 5 07:38:27 UTC 2018


On 03/06/18 19:17, Ict Security via Unbound-users wrote:
> Hi all,
> i have defined access control for a specific class of IPs and
> everything is working fine, both for recursive and private class
> requests.
> Now, i would like to define a static zone and grant everyone (public)
> to query *only* this zone, without allowing to recursion.

Yes there are two access-control types for that from the access-control
statement.  The deny_non_local allows requests to local-zones (and
auth-zones with for-downstream: yes) and drops recursion requests.  The
refuse_non_local sends an rcode REFUSED message instead of dropping
disallowed requests.

Just set everyone with an access-control statement.  Access-control
statements are applied with the most-specific; so that if you give a /8
deny_non_local and another /24 allow; then the /24 is allowed everything
and everyone else only the local-zone and for-downstream auth-zone
information.  Or give a /0.  You would need a for IP4 and a
::0/0 for IP6 to cover everyone.  You can also carve out more specific
subnets and disallow with access-control type 'deny' that drops messages
from them.

Note that this would allow access to all the local-zones and auth-zones
for-downstream, and not just that specific zone.  Something that you can
fix, in this case, if you want to, by putting the local-zone in a view
for everyone and putting local-zones for the specific group in another
view.  And then use the access-control-view statement.  Or tag the
local-zone and use the access-control-tag statement.

Best regards, Wouter

> Is it possible?
> Thank you
> F

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Unbound-users mailing list