
networking:dns:unbound:views

Differences

This shows you the differences between two versions of the page.

networking:dns:unbound:views [2020/12/04 10:43] peternetworking:dns:unbound:views [2022/10/08 11:19] (current) peter
Line 3: Line 3:
 Unbound’s views can be used to serve local data depending on the source address a query is received on. Unbound’s views can be used to serve local data depending on the source address a query is received on.
  
-  * View Name must be unique.  
   * Map views to requests using the **access-control-view** option.   * Map views to requests using the **access-control-view** option.
   * Views can contain zero or more **local-zone** and **local-data** options.   * Views can contain zero or more **local-zone** and **local-data** options.
   * Options from matching views will override global options.   * Options from matching views will override global options.
-  * Global options will be used if no matching view is found. + 
-    With **view-first yes**, it will try to answer using the global local-zone and local-data elements if there is no view specific match.+<WRAP info> 
 +**views** were introduced in Unbound 1.6.0. 
 +</WRAP>
  
 ---- ----
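Review bot: After this hunk the introductory list no longer says what happens when no view matches the client. Removing `Global options will be used if no matching view is found` and the `view-first yes` line leaves `Options from matching views will override global options` as the only statement about precedence at the top of the page. That fallback rule is what an operator needs in order to reason about which clients receive which answers, so consider keeping a one-line bullet here and leaving the detail to the NOTE block added further down.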
Line 24: Line 25:
     name: "anotherview"     name: "anotherview"
     local-zone: "example.com" refuse     local-zone: "example.com" refuse
 +view:
 +    name: "evenanotherview"
 +    local-zone: example.com inform
 +    local-data: 'example.com TXT "this is an example"'
 +    local-zone: refused.example.co.uk refuse    
 </code> </code>
 +
 +<WRAP info>
 +**NOTE:**
 +
 +  * **name** must be unique.
 +
 +  * **local-zone** configures a local zone.
 +    * The type determines the answer to give if there is no match from local-data.
 +      * **deny** serves local data (if any), else, drops queries.
 +      * **refuse** serves local data (if any), else, replies with error.
 +      * **static** serves local data, else, nxdomain or nodata answer.
 +      * **transparent** gives local data, but resolves normally for other names.
 +      * **redirect** serves the zone data for any subdomain in the zone.
 +      * **nodefault** can be used to normally resolve AS112 zones.
 +      * **typetransparent** resolves normally for other types and other names.
 +      * **inform** acts like transparent, but logs client IP address.
 +      * **inform_deny** drops queries and logs client IP address.
 +      * **inform_redirect** redirects queries and logs client IP address.
 +      * **always_transparent, always_refuse, always_nxdomain**, resolve in that way but ignore local data for that name.
 +      * **noview** breaks out of that view towards global local-zones.
 +    * See https://nlnetlabs.nl/documentation/unbound/unbound.conf/.
 +
 +  * **local-data** configures local data.
 +    * The query has to match exactly unless you configure the **local-zone** as redirect.  If not matched exactly, the **local-zone type** determines further processing.
 +
 +  * **local-data-ptr** configures local data shorthand for a PTR record with the reversed IPv4 or IPv6 address and the host name.
 +
 +  * **view-first** specifies whether to use Global options if no matching view is found.
 +    * With **view-first yes**, it will try to answer using the global local-zone and local-data elements if there is no view specific match.
 +
 +</WRAP>
 +
  
 ---- ----
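Review bot: In the added NOTE, the `view-first` bullet mixes two different conditions. The parent line says it `specifies whether to use Global options if no matching view is found` (no view selected for the client), while its sub-bullet says `if there is no view specific match` (a view is selected but holds nothing for the queried name). The bullet removed from the intro stated the first case as unconditional, so the page now disagrees with its earlier revision; reword the parent bullet to match the sub-bullet. In the new `evenanotherview` example, `local-zone: example.com inform` and `local-zone: refused.example.co.uk refuse` are unquoted while the existing `local-zone: "example.com" refuse` is quoted, and the last added line carries trailing whitespace; use one quoting style throughout.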
Line 31: Line 69:
 ===== Override DNS queries for specific clients ===== ===== Override DNS queries for specific clients =====
  
-Example: +<code bash>
- +
-<code>+
 server: server:
      ...      ...
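Review bot: `<code bash>` is applied to a block that begins with `server:`, which is unbound.conf syntax rather than shell, and the two following hunks put the same tag on dig output (`;; ->>HEADER<<- ...`). Shell highlighting will mis-colour both and suggests the text can be pasted into a terminal; plain `<code>` or a configuration-file language tag fits better. Dropping the `Example:` lead-in is fine, since the heading already introduces the block.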
Line 58: Line 94:
 Queries to this instance should return the following for my.aa/A: Queries to this instance should return the following for my.aa/A:
  
-<code>+<code bash>
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6565 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6565
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
Line 72: Line 108:
 The view named intview defines an alternative response, which is used when a query comes in to 127/8, as defined in the **access-control-view** statement: The view named intview defines an alternative response, which is used when a query comes in to 127/8, as defined in the **access-control-view** statement:
  
-<code>+<code bash>
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14806 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14806
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
Line 88: Line 124:
  
 <WRAP info> <WRAP info>
-**NOTE:**  It doesn’t appear to be possible to use views other than for local data.+**NOTE:**  It does not appear to be possible to use views other than for local data.
 </WRAP> </WRAP>
  
Line 104: Line 140:
 https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26 https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
  
 +https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/
networking/dns/unbound/views.1607078631.txt.gz · Last modified: 2020/12/04 10:43 by peter
