another way to solve this is with rpz, which is now available for unbound (farsight fastrpz for unbound: free of charge, not open source, available to FSI-pDNS sensor operators or to commercial support customers of opennetlabs.)
with rpz you could set up a policy zone that all of the unbound servers in your recursive cloud subscribed to. in it you would say that client-ip 0.0.0.0/0 and 0::/0 were disallowed (either drop all queries, or always answer nxdomain, or always answer cname, or whatever) and then add specific client-ip address blocks for your subscribers, with passthru actions. it's not exactly what rpz was designed for, but it would work.

and it makes me realize that we need a soft passthru: skip the other rules in the current ruleset, and continue down the rpz zone list, rather than continuing with policy-free resolution. after all, it's possible you'd want your customers to be protected by real security-related response policy.

https://dnsrpz.info/ has more information about rpz in general, which is not encumbered at the specification level.

i regret any offense given by the mention of non-open-source technology here.

vixie

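The policy zone described in the post, as an added example (not code from the post, from unbound or from fastrpz): a small Python generator that encodes the /0 catch-all and per-subscriber passthru entries as RPZ client-ip triggers, using the standard RPZ owner-name encoding (prefix length, reversed address labels, `zz` for `::`) and the `rpz-drop.` / `rpz-passthru.` action targets. Function names, the zone name and the subscriber blocks are assumptions; whether a given resolver build honours client-ip triggers is implementation-specific.

```python
import ipaddress

# RPZ action targets (CNAME data). NXDOMAIN would be "CNAME ." and NODATA "CNAME *." instead.
RPZ_DROP = "rpz-drop."
RPZ_PASSTHRU = "rpz-passthru."


def client_ip_owner(prefix):
    """Encode a CIDR prefix as a client-ip trigger owner name, relative to the policy zone.
    IPv4: <len>.<b4>.<b3>.<b2>.<b1>; IPv6: <len>.<reversed RFC 5952 words, '::' written as 'zz'>."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        words = list(reversed(str(net.network_address).split(".")))
    else:
        text = net.network_address.compressed  # e.g. '2001:db8::'
        if "::" in text:
            left, right = text.split("::")
            words = ([w for w in reversed(right.split(":")) if w] + ["zz"]
                     + [w for w in reversed(left.split(":")) if w])
        else:
            words = list(reversed(text.split(":")))
    return f"{net.prefixlen}." + ".".join(words) + ".rpz-client-ip"


def build_policy_zone(zone, subscriber_prefixes, default_action=RPZ_DROP):
    """Emit the zone text: /0 catch-alls for v4 and v6, then a passthru record per subscriber block.
    Among client-ip triggers the longest matching prefix wins, so subscriber entries override the /0."""
    lines = [
        f"$ORIGIN {zone}",
        "$TTL 60",
        f"@ IN SOA ns.{zone} hostmaster.{zone} 1 3600 900 604800 60",
        f"@ IN NS ns.{zone}",
        f"{client_ip_owner('0.0.0.0/0')} IN CNAME {default_action}",
        f"{client_ip_owner('::/0')} IN CNAME {default_action}",
    ]
    lines += [f"{client_ip_owner(p)} IN CNAME {RPZ_PASSTHRU}" for p in subscriber_prefixes]
    return "\n".join(lines) + "\n"


def policy_for(client_ip, subscriber_prefixes, default_action=RPZ_DROP):
    """Model the resolver's decision for one client: longest matching client-ip trigger wins."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for p in subscriber_prefixes:
        net = ipaddress.ip_network(p, strict=True)
        if net.version == addr.version and addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return RPZ_PASSTHRU if best is not None else default_action


# Constructed subscriber blocks (documentation ranges), not real customer data.
SUBSCRIBERS = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    print(build_policy_zone("subscribers.rpz.example.", SUBSCRIBERS))
```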