Hi,
we run public cache servers for our customers and our internal servers.
we are using binds views (internal/external) to hide unroutable
resource records from public in some zones.
I can achieve bind views functionality in unbound with two unbound daemons:
- firs unbound daemon is listening on all interfaces and has no
local-zone/local-data entries.
- second unbound is listening on localhost and different port:
server:
port: 54
interface: 127.0.0.1
local-zone: myzone.lv transparent
include: /usr/local/etc/unbound/zone-myzone.lv
- redirect internal hosts to localhost (FreeBSD pf):
table <int-dns> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ... }
rdr pass proto udp from <int-dns> to port 53 -> 127.0.0.1 port 54
rdr pass proto tcp from <int-dns> to port 53 -> 127.0.0.1 port 54
If query comes from our internal servers, it is redirected to second
unbound instance where it checks local-data and if no entry is found,
it is resolved as usual.
If query comes from public hosts, they don't see our rfc1918 records.
Is this kind of setup okay? Maybe it can be done with one unbound daemon?
--
regards,
Artis Caune
<----. CCNA | BSDA
<----|====================
<----' didii FreeBSD
_______________________________________________
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
