Match based on query destination IP

Oskar Almlöv oskaralmlov at mullvad.net
Tue Jul 5 15:46:07 UTC 2022


Hi,

I would like to somehow tag or assign clients to a view based on the 
destination address of the client query.
If for example a client (10.10.0.1) queries the server (10.20.0.1) I 
would like to match on the address 10.20.0.1.

The background is that I have multiple rpz zones (blocklists) and would 
like the client to be able to choose which "blocklists" to apply to 
their queries by configuring their resolver based on a list that I 
provide. Client addresses are random and not under my control.
The list might look something like:
--------------------------------------------
block ads: 10.20.0.1
block trackers: 10.20.0.2
block ads & trackers: 10.20.0.3
--------------------------------------------

Using BIND I would define a view and match on the query destination IP 
like this:
--------------------------------------------------
view block-ads {
   match-destinations { 10.20.0.1; };
   zone "adblock.rpz" {
     [ .. ]
   };
};
--------------------------------------------------

I've read through the documentation and have found the 
access-control-{tag,view} statements but they only seem to operate on 
the client source address. Is there an option like this that I've just 
missed or is there a better way of achieving something similar to what 
I'm describing using Unbound?

A workaround could be to create a mapping between the destination IP 
and some random addresses and SNATing incoming queries behind those 
random IPs in order to match on them. But that sounds very hacky and 
not something I would like to do.

Thanks for reading.

-- 
//Oskar
