Hello
We are trying to allow only a specific set of subnets to get reverse answers. Basically, our typical internal network topology is 10.0.0.0/8, with servers in 10.1.0.0/16 and users in other 10.X/16. We want to:
- allow clients in 10.1.0.0/16 to make PTR requests to Unbound
- deny clients from any other network from making PTR requests to Unbound

As we are using stub-zone and forward-zone (as shown below), we cannot use Tags or Views, and it is explicitly stated in the documentation that Tags/Views work only on local-zones… We have not succeeded either by fiddling with the "in-addr" local-zone in the server block.

Would anyone have some insight as to:
- whether it is possible at all, with Unbound or NSD?
- if so, how do we proceed?

Thanks in advance
Nicolas

Our Unbound+NSD topology is the following, with its configuration below:
- 10.1.1.1: Unbound server, recursive resolver for everyone (servers and users)
- 10.1.1.2 and 10.1.1.3: NSD servers serving example.com. and 1.1.10.in-addr.arpa

~ > cat /etc/unbound/unbound.conf
server:
    verbosity: 0
    interface: 10.1.1.1
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 0.0.0.0/0 allow
    local-zone: "10.in-addr.arpa." nodefault
    domain-insecure: "*"
    use-syslog: yes
    log-replies: yes
    log-servfail: yes
    extended-statistics: yes
    statistics-interval: 300
    edns-buffer-size: 1472
    cache-max-ttl: 600
    cache-min-ttl: 300
    delay-close: 10000
    neg-cache-size: 4M
    num-threads: 2
    outgoing-range: 950
    so-reuseport: yes
    serve-expired: no
    hide-identity: yes
    hide-version: yes

remote-control:
    control-enable: yes
    control-use-cert: yes
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
    control-interface: 127.0.0.1
    control-port: 8953

stub-zone:
    name: "example.com."
    stub-addr: 10.1.1.2@53053
    stub-addr: 10.1.1.3@53053

stub-zone:
    name: "1.1.10.in-addr.arpa."
    stub-addr: 10.1.1.2@53053
    stub-addr: 10.1.1.3@53053

forward-zone:
    name: "."
    # a forward-zone takes forward-addr, not stub-addr (stub-addr is only valid in a stub-zone)
    forward-addr: 10.1.1.2@53053
    forward-addr: 10.1.1.3@53053