Hi P T,

On 26/05/17 18:00, P T via Unbound-users wrote:
> Hey guys, was wondering if you could help me figure out how to configure
> unbound.
>
> I would like to setup whitelisting. There was a post which recommended
> doing the following:
>
> ----
>
> local-zone: "." static
>
> local-zone: "gooddomain.com" transparent
> local-zone: "anothergooddomain.com" transparent
>
> ----
>
> That works fine. But what I also want to do is the following:
>
> ----
>
> forward-zone:
>     name: "my.local.zone"
>     forward-addr: 172.16.16.1
>
> ----
>
> When querying for a record in my.local.zone, I get NXDOMAIN, as if I
> failed the whitelist "check". So it seems like the catch-all "." line in
> local-zone is being evaluated before forward-zone.

Yes, local-zones are evaluated before forward-zones and stub-zones. This feature is on purpose, to filter downstream queries before they reach the state machine in unbound.

What I think you want is to add a local-zone: "my.local.zone" transparent statement. So have a forward-zone and also a local-zone for my.local.zone. The local-zone allows it to bypass your whitelisting check. The forward-zone entry configures where queries are sent when the query reaches that stage in the state-machine code.

> Is there any way around this? If not, is there another way to do
> whitelisting?

In new versions there is access-control-tag, access-control-view, where you can conditionalize the local-zone filter to the IP-address of the client. Or local-zone-override that also evaluates the IP-address to change a local-zone, and overrides the previous mechanisms.

The configuration of ratelimit-for-domain could be used to filter queries (it is evaluated after local-zones, and after forward-zones, so more state-machine effort is spent, so I wouldn't advise it). But it is really meant for ratelimiting, of course.

Best regards,
Wouter

> Thanks for any help!
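The configuration the reply describes, written out as an added example (it is not from the thread or from the Unbound project); the domain names and the 172.16.16.1 forwarder are the ones from the question, and the only addition to the original setup is the transparent local-zone for my.local.zone:

```conf
# unbound.conf: allow only named zones through, and still forward the
# internal zone to the local resolver. Names and address are the ones
# from the question above.
server:
    # Every name not matched by a more specific local-zone below is
    # answered here (no data / NXDOMAIN) and never reaches the iterator.
    local-zone: "." static

    # Names that should pass through to normal resolution.
    local-zone: "gooddomain.com" transparent
    local-zone: "anothergooddomain.com" transparent

    # Without this line the "." static zone answers my.local.zone
    # before the forward-zone is ever consulted. Transparent lets the
    # query continue into the state machine, where the forward-zone applies.
    local-zone: "my.local.zone" transparent

# Evaluated only after local-zone processing has let the query through.
forward-zone:
    name: "my.local.zone"
    forward-addr: 172.16.16.1
```

Run unbound-checkconf on the file before reloading; it catches indentation and keyword mistakes in the local-zone lines that would otherwise silently change which names are filtered.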
