RPZ based on destination
george at nlnetlabs.nl
Tue Jul 5 16:21:01 UTC 2022
There is ongoing work that we call acl per interface.
This applies all the same logic of the access-control directives but for
the listening interface(s) instead.
It is being worked on a separate branch:
This will be part of the next Unbound *feature* release (circa September).
It should be ready, pending review near the release date.
If you want to already test I can provide some quick documentation:
- each access-control-* option you could previously use per client-ip
you can now do the same per listening interface with interface-*.
Note: The "access-control:" directive is named "interface-action:"
- if you mix and match access-control* options and the new interface-*
options, the access-control* options always overrule the interface-*
options as they are considered more specific (targeting clients
instead of the whole interface).
- The interfaces used in the interface-* options must have been already
defined with the interface: directive.
The unbound.conf man page and the example.conf file should provide most
of the information you would need.
Let me know if it works for you.
On 04/07/2022 10:53, Tomas S. via Unbound-users wrote:
> we are implementing recursive DNS service with a multiple RPZ zones,
> where user can decide which policies to use by selecting one of multiple
> DNS servers IPs
> (think cloudflare 126.96.36.199 - default, 188.8.131.52 - with malware blocking,
> 184.108.40.206 - malware+adult blocking).
> To implement this (in one server) one could run multiple unbound instances,
> but rpz: unbound configuration already supports tags, however, tags can
> only be set
> by client source IP.
> I'm thinking about adding one more access-control directive: like
> but for destination IP (lets say access-control-dest-tag).
> Do you think it would be a reasonable approach?
> Best Regards,
More information about the Unbound-users