Hi, we run public cache servers for our customers and our internal servers. We are using bind's views (internal/external) to hide unroutable resource records from the public in some zones.

I can achieve bind views functionality in unbound with two unbound daemons:

- first unbound daemon is listening on all interfaces and has no local-zone/local-data entries.

- second unbound is listening on localhost and a different port:

    server:
        port: 54
        interface: 127.0.0.1
        local-zone: myzone.lv transparent
        include: /usr/local/etc/unbound/zone-myzone.lv

- redirect internal hosts to localhost (FreeBSD pf):

    table <int-dns> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ... }
    rdr pass proto udp from <int-dns> to port 53 -> 127.0.0.1 port 54
    rdr pass proto tcp from <int-dns> to port 53 -> 127.0.0.1 port 54

If a query comes from our internal servers, it is redirected to the second unbound instance, where it checks local-data and, if no entry is found, resolves it as usual. If a query comes from public hosts, they don't see our RFC 1918 records.

Is this kind of setup okay? Maybe it can be done with one unbound daemon?

-- 
regards,
Artis Caune

    <----.  CCNA | BSDA
    <----|====================
    <----'  didii  FreeBSD

_______________________________________________
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
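As an added example that is not part of the original post: the same split-horizon behaviour with a single Unbound daemon, using Unbound's view mechanism (the `view:` clause and `access-control-view:`, which the installed Unbound release must support). The host name host1.myzone.lv and address 10.0.0.5 are constructed sample data standing in for the contents of zone-myzone.lv; no second daemon and no pf redirect are needed.

```conf
# Added example, not from the original post. Single Unbound daemon serving
# both public and internal clients; internal ranges get a view with the
# RFC 1918 records, public clients never see that data.
server:
    interface: 0.0.0.0
    port: 53
    # access-control still decides who may query at all; access-control-view
    # only binds a source range to a named view
    access-control: 0.0.0.0/0 allow
    access-control-view: 10.0.0.0/8 "internal"
    access-control-view: 172.16.0.0/12 "internal"
    access-control-view: 192.168.0.0/16 "internal"
    # no local-zone/local-data here, so public clients resolve myzone.lv
    # entirely from the authoritative servers

# Queries from the ranges above are matched against this view first.
# "transparent" answers from local-data when a name is present and
# resolves everything else in myzone.lv normally, as in the second daemon.
view:
    name: "internal"
    local-zone: "myzone.lv" transparent
    local-data: "host1.myzone.lv. IN A 10.0.0.5"   # constructed sample record
```

Verify from one host in an internal range and one outside it that only the former receives the 10.0.0.5 answer; a client outside the listed ranges falls through to normal resolution because no view is attached to it.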