On 04/10/2017 12:03 AM, Eric Luehrsen wrote:
> On 04/09/2017 10:31 PM, Spike via Unbound-users wrote:
>> Dear all,
>> I have a default unbound instance for the lan and I'd like to add two
>> more specialized ones (python scripting is involved) and direct queries
>> to those depending on client.
>> So all machines get default dns 1.1.1.1, but when queries come in on
>> that machine unbound would look at the src and:
>> - if in range 1.1.1.x just resolve it
>> - if in range 1.1.2.x send it to 1.1.2.1
>> - if in range 1.1.3.x send it to 1.1.2.3
>> I can't see a simple way of doing that; the forward zones seem to be
>> based on destination, not source, and a firewall would involve natting
>> which isn't great.
>> Also caching seems to be an issue; the fw zones are used if a response
>> cannot be found from cache afaik. My scenario requires that requests
>> from ranges 2 and 3 are never cached and requests always forwarded.
>> Any common/clean way of doing this?
>> thanks,
>> Spike
>
> Hi Spike
> If you have one subnet 1.1.0.0/16, then it doesn't look supported (even
> looking at dnsmasq as an intermediary). Usually the kind of access
> control I'd imply from your question is done with subnets. Isolation is
> often done for other reasons. If you have three subnets (and VLAN)
> 1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24, then you can have three unique
> Unbound instances. Each only listens on one interface respective of the
> subnet. If they need to share local DNS, then you can add the necessary
> forward clauses.
There may be another way. It's a bit tricky and I don't know the pitfalls.
Unbound views and tags are new. You would need 4 Unbound instances. The
first instance would forward _ALL_ DNS zones to a dummy forward host name.
You can define that host name local data under tags or views. The tags or
views associate with query address. 3 other Unbound instances would do the
real work, only listening on unusual local host addresses (127.0.1.1,
127.0.1.2, 127.0.1.3).

    # example leading dummy instance
    server:
        define-tags: "group1 group2 group3"
        access-control-view: 1.1.1.0/24 group1
        access-control-view: 1.1.2.0/24 group2
        access-control-view: 1.1.3.0/24 group3

    view:
        name: group1
        local-zone: example.com transparent
        local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.1"

    view:
        name: group2
        local-zone: example.com transparent
        local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.2"

    view:
        name: group3
        local-zone: example.com transparent
        local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.3"

    # This _ALL_ zone forward host will resolve respective of view
    forward-zone:
        name: "."
        forward-host: "ghost-ns.example.com"
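As an added illustration (not part of the thread, and not an Unbound tool): a small Python script that parses the dummy-instance config sketched above, applies the access-control-view match (most specific prefix wins) to a client address, and reports which 127.0.1.x backend that client's queries would be steered to. It also performs the sanity check a practitioner would want before relying on this layout: every access-control-view must name a defined view, and every view must carry an A record for the forward host, otherwise that view's clients would not be pinned to a backend. The parser only understands the clauses shown and assumes full "owner TTL class type rdata" local-data records; the embedded config is a constructed fixture mirroring the post.

```python
import ipaddress

# Constructed fixture: the dummy-instance layout from the post, one directive per line.
SAMPLE_CONF = """\
server:
    define-tags: "group1 group2 group3"
    access-control-view: 1.1.1.0/24 group1
    access-control-view: 1.1.2.0/24 group2
    access-control-view: 1.1.3.0/24 group3
view:
    name: group1
    local-zone: example.com transparent
    local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.1"
view:
    name: group2
    local-zone: example.com transparent
    local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.2"
view:
    name: group3
    local-zone: example.com transparent
    local-data: "ghost-ns.example.com. 3600 IN A 127.0.1.3"
forward-zone:
    name: "."
    forward-host: "ghost-ns.example.com"
"""


def parse_unbound_conf(text):
    """Minimal parser for the server/view/forward-zone clauses used in this layout.

    Returns (acl_views, views, forward_hosts):
      acl_views     - list of (ip_network, view_name) from access-control-view
      views         - view_name -> {(owner, rtype): [rdata, ...]} from local-data
      forward_hosts - lower-cased forward-host names, trailing dot removed
    Assumes local-data records are written as "owner TTL class type rdata".
    """
    acl_views, views, forward_hosts = [], {}, []
    section, current_view = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.endswith(":") and " " not in line:    # clause header: server:, view:, ...
            section, current_view = line[:-1], None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section == "server" and key == "access-control-view":
            net, view_name = value.split()
            acl_views.append((ipaddress.ip_network(net, strict=False), view_name))
        elif section == "view":
            if key == "name":
                current_view = value
                views.setdefault(current_view, {})
            elif key == "local-data" and current_view is not None:
                owner, _ttl, _cls, rtype, rdata = value.strip('"').split()
                rr_key = (owner.rstrip(".").lower(), rtype.upper())
                views[current_view].setdefault(rr_key, []).append(rdata)
        elif section == "forward-zone" and key == "forward-host":
            forward_hosts.append(value.strip('"').rstrip(".").lower())
    return acl_views, views, forward_hosts


def view_for_client(acl_views, client_ip):
    """Pick the most specific access-control-view entry covering client_ip."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, view_name in acl_views:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, view_name)
    return best[1] if best else None


def backend_for_client(conf, client_ip):
    """Address the forward host resolves to inside the client's view, or None."""
    acl_views, views, forward_hosts = conf
    view_name = view_for_client(acl_views, client_ip)
    if view_name is None:
        return None
    for host in forward_hosts:
        rdatas = views.get(view_name, {}).get((host, "A"))
        if rdatas:
            return rdatas[0]
    return None


def check_consistency(conf):
    """List configuration problems that would leave some clients unpinned:
    an ACL that names an undefined view, or a view with no A record for the
    forward host (that view's clients would not get a view-specific backend)."""
    acl_views, views, forward_hosts = conf
    problems = []
    for net, view_name in acl_views:
        if view_name not in views:
            problems.append(f"{net}: view {view_name!r} is not defined")
            continue
        for host in forward_hosts:
            if (host, "A") not in views[view_name]:
                problems.append(f"view {view_name!r} has no A record for forward host {host}")
    return problems


if __name__ == "__main__":
    conf = parse_unbound_conf(SAMPLE_CONF)
    for client in ("1.1.1.10", "1.1.2.77", "1.1.3.5", "10.0.0.1"):
        print(client, "->", backend_for_client(conf, client))
    print("problems:", check_consistency(conf) or "none")
```

Run it as-is to see each sample client mapped to its backend; edit one access-control-view line to reference a view that does not exist and check_consistency reports it, which is the kind of typo that would otherwise silently send a whole /24 through the dummy instance's normal resolution path.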
