Match based on query destination IP

George Thessalonikefs george at nlnetlabs.nl
Tue Jul 5 16:22:50 UTC 2022


Hi Oskar,

It seems you are asking the same question as the one in the thread 
titled "RPZ based on destination".

I just replied there and you may find the answer helpful.

Best regards,
-- George

On 05/07/2022 17:46, Oskar Almlöv via Unbound-users wrote:
> Hi,
> 
> I would like to somehow tag or assign clients to a view based on the 
> destination address of the client query.
> If for example a client (10.10.0.1) queries the server (10.20.0.1) I 
> would like to match on the address 10.20.0.1.
> 
> The background is that I have multiple rpz zones (blocklists) and would 
> like the client to be able to choose which "blocklists" to apply to 
> their queries by configuring their resolver based on a list that I 
> provide. Client addresses are random and not under my control.
> The list might look something like:
> --------------------------------------------
> block ads: 10.20.0.1
> block trackers: 10.20.0.2
> block ads & trackers: 10.20.0.3
> --------------------------------------------
> 
> Using BIND I would define a view and match on the query destination IP 
> like this:
> --------------------------------------------------
> view block-ads {
>    match-destinations { 10.20.0.1; };
>    zone "adblock.rpz" {
>      [ .. ]
>    };
> };
> --------------------------------------------------
> 
> I've read through the documentation and have found the 
> access-control-{tag,view} statements, but they only seem to operate on 
> the client source address. Is there an option like this that I've just 
> missed, or is there a better way of achieving something similar to what 
> I'm describing using Unbound? A workaround could be to create a 
> mapping between the destination IP and some random addresses and SNATing 
> incoming queries behind those random IPs in order to match on them. But 
> that sounds very hacky and not something I would like to do.
> 
> Thanks for reading.
> 
> -- 
> Oskar
> 
