Allowing PTR queries only for specific subnets ?
Nicolas Pillot
nicolas.pillot at gmail.com
Fri Jul 7 16:11:06 UTC 2023
Hello
We are trying to allow only a specific set of subnets to get reverse
answers.
Basically, our typical internal network topology is 10.0.0.0/8, with
servers in 10.1.0.0/16 and users in other 10.X/16.
We want to :
- allow clients in 10.1.0.0/16 to make PTR requests to Unbound
- deny clients from any other network from making PTR requests to Unbound
As we are using stub-zone and forward-zone (as shown below), we cannot use
Tags or Views,
and it is explicitly stated in the documentation that Tags/Views work
only on local-zones…
We have not succeeded either, by fiddling with the « in-addr » local-zone
in the server block.
Would anyone have some insight as to :
- if it is possible at all, with unbound or nsd ?
- if so, how do we proceed ?
Thanks in advance
Nicolas
Our unbound+nsd topology is the following, with its configuration below:
- 10.1.1.1: unbound server, recursive resolver for everyone (servers and
users)
- 10.1.1.2 and 10.1.1.3: nsd servers serving example.com. and 1.1.10.in-addr.arpa
~ > cat /etc/unbound/unbound.conf
server:
    verbosity: 0
    interface: 10.1.1.1
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    # any source address is allowed to query
    access-control: 0.0.0.0/0 allow
    # drop the built-in static RFC 1918 reverse zone so 10.in-addr.arpa. is resolved normally
    local-zone: "10.in-addr.arpa." nodefault
    domain-insecure: "*"
    use-syslog: yes
    log-replies: yes
    log-servfail: yes
    extended-statistics: yes
    statistics-interval: 300
    edns-buffer-size: 1472
    cache-max-ttl: 600
    cache-min-ttl: 300
    delay-close: 10000
    neg-cache-size: 4M
    num-threads: 2
    outgoing-range: 950
    so-reuseport: yes
    serve-expired: no
    hide-identity: yes
    hide-version: yes
remote-control:
    control-enable: yes
    control-use-cert: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
    control-interface: 127.0.0.1
    control-port: 8953
stub-zone:
    name: "example.com."
    # address@port syntax: the nsd instances listen on 53053
    stub-addr: 10.1.1.2@53053
    stub-addr: 10.1.1.3@53053
stub-zone:
    name: "1.1.10.in-addr.arpa."
    stub-addr: 10.1.1.2@53053
    stub-addr: 10.1.1.3@53053
forward-zone:
    name: "."
    # a forward-zone takes forward-addr, not stub-addr
    forward-addr: 10.1.1.2@53053
    forward-addr: 10.1.1.3@53053
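As an added example, not from the original post nor from NLnet Labs, the fragment below shows one way to express the requested policy on top of the posted config: tighten access-control from 0.0.0.0/0 to the internal 10.0.0.0/8 (the posted setting makes 10.1.1.1 an open resolver for any source that can reach it), and refuse the 10.in-addr.arpa. tree for user subnets through a view. It assumes that a local-zone inside a view is answered before any stub-zone is consulted and that, with view-first, a view without a matching local-zone falls through to the server-wide local-zone set; the view names "users" and "servers" are made up for the example.

```conf
server:
    # Constructed example: most specific netblock wins, so 10.1.0.0/16
    # is matched before 10.0.0.0/8, and everything else is refused.
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.0/8 allow
    access-control: 10.1.0.0/16 allow

    # Keep the built-in static RFC 1918 reverse zone disabled server-wide
    # so queries for 1.1.10.in-addr.arpa. can reach the stub-zone.
    local-zone: "10.in-addr.arpa." nodefault

    # Hand each client range to a view (names are assumptions).
    access-control-view: 10.0.0.0/8 users
    access-control-view: 10.1.0.0/16 servers

view:
    name: "users"
    # Any query under 10.in-addr.arpa. from a user subnet is answered
    # REFUSED from the view's local-zone tree; other names resolve as usual.
    local-zone: "10.in-addr.arpa." refuse

view:
    name: "servers"
    # No restriction here: view-first falls through to the server-wide
    # local-zone set, where 10.in-addr.arpa. is nodefault, so PTR queries
    # from 10.1.0.0/16 continue on to the stub-zone below.
    view-first: yes

stub-zone:
    name: "1.1.10.in-addr.arpa."
    stub-addr: 10.1.1.2@53053
    stub-addr: 10.1.1.3@53053
```

Check the result with `unbound-checkconf` and then query a PTR from a host in each range; the user-side query should return REFUSED while the server-side one is answered from nsd.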