RPZ based on destination

Tomas S. tomas.simonaitis at gmail.com
Mon Jul 4 08:53:07 UTC 2022


Hello,

we are implementing a recursive DNS service with multiple RPZ zones, where the user can decide which policies to use by selecting one of multiple DNS server IPs (think Cloudflare 1.1.1.1 - default, 1.1.1.2 - with malware blocking, 1.1.1.3 - malware+adult blocking).

To implement this (in one server) one could run multiple unbound instances, but the rpz: unbound configuration already supports tags; however, tags can only be set by client source IP.

I'm thinking about adding one more access-control directive, like access-control-tag, but for destination IP (let's say access-control-dest-tag).

Do you think it would be a reasonable approach?


Best Regards,

Tomas

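For reference, an added example (not part of the original message) of how the existing, source-address-based mechanism described above is configured in unbound.conf: tagged RPZ zones plus access-control-tag assignments per client netblock. The netblocks, zone names, feed address and file paths are constructed placeholders; the destination-based directive proposed in the message does not appear here because it is only a proposal.

```conf
server:
    # Tags must be declared before RPZ zones or ACLs reference them.
    define-tag: "malware adult"

    # Constructed client ranges. access-control must allow them first.
    access-control: 192.0.2.0/24 allow
    access-control: 198.51.100.0/24 allow
    access-control: 203.0.113.0/24 allow

    # Existing mechanism: tags are assigned by client SOURCE address.
    # 192.0.2.0/24 gets no tags, so only untagged RPZ zones apply to it
    # (the "default" tier). The other two ranges opt into stricter tiers.
    access-control-tag: 198.51.100.0/24 "malware"
    access-control-tag: 203.0.113.0/24 "malware adult"

# An RPZ zone without "tags:" applies to every client.
rpz:
    name: "baseline.rpz.example"            # constructed zone name
    zonefile: "/var/lib/unbound/baseline.rpz"
    rpz-log: yes
    rpz-log-name: "baseline"

# Zones with "tags:" apply only to clients carrying one of those tags,
# so a lookup from 198.51.100.0/24 is checked against baseline+malware,
# and one from 203.0.113.0/24 against baseline+malware+adult.
rpz:
    name: "malware.rpz.example"
    master: 2001:db8::53                     # constructed feed address
    zonefile: "/var/lib/unbound/malware.rpz"
    tags: "malware"
    rpz-log: yes
    rpz-log-name: "malware"

rpz:
    name: "adult.rpz.example"
    master: 2001:db8::53
    zonefile: "/var/lib/unbound/adult.rpz"
    tags: "adult"
    rpz-log: yes
    rpz-log-name: "adult"
```

With rpz-log enabled, each applied policy is logged with its rpz-log-name, which lets an operator verify that a client landed in the intended tier before exposing the service.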