On 04/09/2017 10:31 PM, Spike via Unbound-users wrote:
> Dear all,
> I have a default unbound instance for the lan and I'd like to add two
> more specialized ones (python scripting is involved) and direct queries
> to those depending on client.
> So all machines get default dns 1.1.1.1, but when queries come in on
> that machine unbound would look at the src and:
> - if in range 1.1.1.x just resolve it
> - if in range 1.1.2.x send it to 1.1.2.1
> - if in range 1.1.3.x send it to 1.1.2.3
> I can't see a simple way of doing that, the forward zones seem to be
> based on destination, not source, and a firewall would involve natting
> which isn't great.
> Also caching seems to be an issue, the fw zones are used if a response
> cannot be found from cache afaik. My scenario requires that requests
> from ranges 2 and 3 are never cached and requests always forwarded.
> any common/clean way of doing this?
> thanks,
> Spike
Hi Spike,

If you have one subnet 1.1.0.0/16, then it doesn't look supported (even looking at dnsmasq as an intermediary). Usually the kind of access control I'd imply from your question is done with subnets. Isolation is often done for other reasons.

If you have three subnets (and VLANs) 1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24, then you can have three unique Unbound instances. Each listens only on the interface for its respective subnet. If they need to share local DNS, then you can add the necessary forward clauses.

    # example: the instance for subnet3
    server:
        # serve only subnet3
        interface: 1.1.3.1@53
        # accept forwards from Unbound-subnet2 and Unbound-subnet1
        interface: 127.0.0.1@5303

    # get local DNS about subnet2 from the Unbound-subnet2 instance
    forward-zone:
        name: "subnet2.example.com."
        forward-addr: 127.0.0.1@5302
    forward-zone:
        name: "2.1.1.in-addr.arpa."
        forward-addr: 127.0.0.1@5302

-Eric
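As an added example (not Eric's config and not from the Unbound project), here is a fuller configuration for the subnet3 instance laid out as the reply describes: one listener on the subnet interface, one loopback listener for the sibling instances, access control limited to those two sources, and forward-zones pointing at the subnet1 and subnet2 instances. The addresses, ports, zone names, host records and file path are assumptions carried over from the thread; `access-control`, `do-not-query-localhost`, `local-zone`, `local-data` and `local-data-ptr` are standard unbound.conf options. The `do-not-query-localhost` line is the practical catch: Unbound refuses to send queries to 127.0.0.0/8 by default, so forwarding to a loopback port silently fails without it.

```conf
# /etc/unbound/unbound-subnet3.conf  (assumed path; one file per instance)
# Instance that serves hosts on 1.1.3.0/24 and answers forwarded queries
# for subnet3 names coming from the subnet1 and subnet2 instances.
server:
    # Serve only subnet3, on this host's subnet3 address.
    interface: 1.1.3.1@53
    # Loopback listener that the other two instances forward to.
    interface: 127.0.0.1@5303

    # Only subnet3 clients and the loopback (sibling instances) may query.
    # Unbound picks the most specific access-control match, so subnet1 and
    # subnet2 hosts asking this instance directly are refused.
    access-control: 1.1.3.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Required for the forward-addr lines below: by default Unbound will
    # not send queries to localhost addresses at all.
    do-not-query-localhost: no

    # Local names for subnet3, answered by this instance only
    # (constructed sample records).
    local-zone: "subnet3.example.com." static
    local-data: "host1.subnet3.example.com. IN A 1.1.3.10"
    local-data-ptr: "1.1.3.10 host1.subnet3.example.com."

# subnet2 names live in the subnet2 instance, listening on 127.0.0.1@5302.
forward-zone:
    name: "subnet2.example.com."
    forward-addr: 127.0.0.1@5302
forward-zone:
    name: "2.1.1.in-addr.arpa."
    forward-addr: 127.0.0.1@5302

# subnet1 names live in the subnet1 instance, assumed on 127.0.0.1@5301.
forward-zone:
    name: "subnet1.example.com."
    forward-addr: 127.0.0.1@5301
forward-zone:
    name: "1.1.1.in-addr.arpa."
    forward-addr: 127.0.0.1@5301
```

The subnet1 and subnet2 instances are the mirror image: each binds its own subnet address on port 53 plus its own loopback port (5301 or 5302), allows its own /24 and 127.0.0.0/8, and carries forward-zones for the other two. Validate each file with `unbound-checkconf <file>` and start each instance with `unbound -c <file>`; because every instance binds a distinct address and port pair, the three can run side by side on the same host.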
