RPZ based on destination

George Thessalonikefs george at nlnetlabs.nl
Tue Jul 5 16:21:01 UTC 2022 

Hi Tomas,

There is ongoing work that we call acl per interface.
This applies all the same logic of the access-control directives but for 
the listening interface(s) instead.

It is being worked on a separate branch:
	https://github.com/NLnetLabs/unbound/tree/acl_interface

This will be part of the next Unbound *feature* release (circa September).

It should be ready, pending review near the release date.

If you want to already test I can provide some quick documentation:

- each access-control-* option you could previously use per client-ip
   you can now do the same per listening interface with interface-*.
   Note: The "access-control:" directive is named "interface-action:"
- if you mix and match access-control* options and the new interface-*
   options, the access-control* options always overrule the interface-*
   options as they are considered more specific (targeting clients
   instead of the whole interface).
- The interfaces used in the interface-* options must have been already
   defined with the interface: directive.

The unbound.conf man page and the example.conf file should provide most 
of the information you would need.

Let me know if it works for you.

Best regards,
-- George


On 04/07/2022 10:53, Tomas S. via Unbound-users wrote:
> Hello,
> 
> we are implementing recursive DNS service with a multiple RPZ zones,
> 
> where user can decide which policies to use by selecting one of multiple 
> DNS servers IPs
> 
> (think cloudflare 1.1.1.1 - default, 1.1.1.2 - with malware blocking, 
> 1.1.1.3 - malware+adult blocking).
> 
> 
> To implement this (in one server) one could run multiple unbound instances,
> 
> but rpz: unbound configuration already supports tags, however, tags can 
> only be set
> 
> by client source IP.
> 
> 
> I'm thinking about adding one more access-control directive: like 
> access-control-tag,
> 
> but for destination IP (lets say access-control-dest-tag).
> 
> Do you think it would be a reasonable approach?
> 
> 
> Best Regards,
> 
> Tomas
>

More information about the Unbound-users mailing list