Hello,

Yes, I already considered using Netfilter, but data inspection price seems too high on latency and qps capacity.

Well, I will check which way is less impacting (multiple instances or filtering). Thank you for your time and for the feedback.

Regards
Charles-Antoine Guillat-Guignard

On 12/11/2015 17:52, Daisuke HIGASHI wrote:
> Hi,
>
> AFAIK Unbound has no such complicated access control facilities.
>
> If you run Unbound on Linux, you can block a packet
> which contains a specific string by Netfilter. For example
> this iptables rule drops UDP queries for "example.local"
> which are not originated by 10.0.0.0/8 clients:
>
> iptables -A INPUT -p udp --dport 53 \! -s 10.0.0.0/8 -m string \
>     --algo bm --from 40 --icase --hex-string "|07|example|05|local|00|" -j DROP
>
> But this rule can't control TCP or IP-fragmented UDP queries.
> (It is difficult to classify these queries by this method.)
>
> Regards,
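The quoted rule relies on two details that are easy to get wrong: the `--hex-string` argument is the DNS wire encoding of the name (length-prefixed labels ending in a zero byte), and `--from 40` is the byte offset where the question name starts in an IPv4/UDP DNS query with no IP options (20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header). The following Python is an added example, not code from the thread or from Unbound; it builds the `--hex-string` value for an arbitrary name, constructs a sample query packet (source addresses in 192.0.2.0/24 and the resolver address 192.0.2.53 are made up for the test), and models the rule's match decision so the behaviour can be checked offline. The `rule_drops` function is a simplified model of the xt_string match, written here for illustration, not the kernel's implementation.

```python
import ipaddress
import struct

# Values taken from the quoted iptables rule.
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/8")
# 20 (IPv4, no options) + 8 (UDP) + 12 (DNS header) = 40: where the QNAME begins.
# An IPv4 header with options shifts the name past this offset; --from is only a
# starting point for the search, so that still matches, but a fragmented or TCP
# query does not carry the name in the first UDP datagram at all.
STRING_OFFSET = 40


def dns_name_wire(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dns_name_hex_string(name: str) -> str:
    """Render the wire-format name in xt_string --hex-string syntax, e.g. |07|example|05|local|00|."""
    parts = [f"|{len(label):02x}|{label}" for label in name.rstrip(".").split(".")]
    return "".join(parts) + "|00|"


def build_udp_query(src_ip: str, qname: str) -> bytes:
    """Constructed IPv4/UDP/DNS A query used as test input (checksums left at zero)."""
    # DNS header: id, flags (RD set), qdcount=1, an/ns/ar=0; then QNAME, QTYPE=A, QCLASS=IN.
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + dns_name_wire(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address("192.0.2.53").packed)   # constructed resolver address
    return ip + udp


def rule_drops(packet: bytes, blocked_name: str) -> bool:
    """Model of: -p udp --dport 53 ! -s 10.0.0.0/8 -m string --from 40 --icase --hex-string <name> -j DROP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:                                   # -p udp
        return False
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != 53:   # --dport 53
        return False
    if ipaddress.ip_address(packet[12:16]) in ALLOWED_NET:      # ! -s 10.0.0.0/8
        return False
    needle = dns_name_wire(blocked_name).lower()          # --icase: compare case-folded
    return needle in packet[STRING_OFFSET:].lower()       # --from 40: search from that byte onward


if __name__ == "__main__":
    print(dns_name_hex_string("example.local"))
    for src, qname in [("192.0.2.10", "EXAMPLE.local"), ("10.1.2.3", "example.local"),
                       ("192.0.2.10", "www.example.local"), ("192.0.2.10", "notexample.local")]:
        print(f"{src:12} {qname:22} dropped={rule_drops(build_udp_query(src, qname), 'example.local')}")
```

Two properties worth knowing before deploying such a rule: because the pattern is a substring search, queries for any name under `example.local` (the `www.example.local` case above) match as well, while a name that merely ends in the same text (`notexample.local`) does not, since its first label carries a different length byte; and the trailing `|00|` is what keeps `example.localhost` from matching.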
