====== Networking - DNS - Unbound - Tags ======

Tags make it possible to divide client source addresses into categories (tags), and use **local-zone** and **local-data** information for these specific tags.

**tags** was introduced in Unbound 1.5.10.

**IMPORTANT:** The tags on the netblocks and local-zones are stored in bitmaps, it is therefore advised to keep the number of tags low.
  * If a lot of clients have their own local-zones, without sharing these with other netblocks, it can result in lots of tags.
  * In this situation it is more convenient to give the client's netblock its own tree containing local-zones.
  * Another benefit of having a separate local-zone tree is that it makes it possible to apply a local-zone action to a part of the domain space, without having other local-zone elements of subdomains overriding this.
  * Configuring a client specific local-zone tree can be done using [[Networking:DNS:Unbound:Views|Views]].

----

===== Define Tags =====

<code>
define-tags: "malware gambling"
</code>

**NOTE:** This defines two tags, one for domains containing malware, and one for domains of gambling sites.

----

===== Specify what tag to use for specific client addresses =====

<code>
access-control-tag: 10.0.1.0/24 "malware"
access-control-tag: 10.0.2.0/24 "malware"
access-control-tag: 10.0.3.0/24 "gambling"
access-control-tag: 10.0.4.0/24 "malware gambling"
</code>

**NOTE:** It is possible to add multiple tags to an access-control element.
  * Other client addresses not within an access-control-tag will still be allowed by default.

----

===== Add tags to local-zones =====

<code>
local-zone: malwarehere.example refuse
local-zone: somegamblingsite.example static
local-zone: matchestwotags.example transparent
local-zone: notags.example inform
local-zone-tag: malwarehere.example malware
local-zone-tag: somegamblingsite.example malware
local-zone-tag: matchestwotags.example "malware gambling"
</code>

**NOTE:** The local-zone **type** can be:
  * **deny** serves local data (if any), else, drops queries.
  * **refuse** serves local data (if any), else, replies with error.
  * **static** serves local data, else, nxdomain or nodata answer.
  * **transparent** gives local data, but resolves normally for other names.
  * **redirect** serves the zone data for any subdomain in the zone.
  * **nodefault** can be used to normally resolve AS112 zones.
  * **typetransparent** resolves normally for other types and other names.
  * **inform** acts like transparent, but logs client IP address.
  * **inform_deny** drops queries and logs client IP address.
  * **inform_redirect** redirects queries and logs client IP address.
  * **always_transparent** resolves in that way but ignores local data for that name.
  * **always_refuse** resolves in that way but ignores local data for that name.
  * **always_nxdomain** resolves in that way but ignores local data for that name.
  * **noview** breaks out of that view towards global local-zones.

**NOTE:** A **local-zone-tag** can have multiple tags.
  * The tagged **local-zones** will be used if one or more tags match the client.
  * E.g. the **matchestwotags.example** local-zone will be used for all clients with at least the malware or gambling tag.
  * The used **local-zone type** will be the type specified in the matching local-zone.
  * It is possible to make the local-zone type depend on the client address and tag combination.

----

===== Optionally, set tag specific local-zone types =====

<code>
access-control-tag-action: 10.0.1.0/24 "malware" refuse
access-control-tag-action: 10.0.2.0/24 "malware" deny
</code>

**NOTE:** This sets the **local-zone type** depending on the client address and tag combination.

----

===== Optionally, use local-data RRs (resource records) =====

<code>
access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"
</code>

**NOTE:** This sets the use of local-data RRs for some specific client address/tag match.
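The script below is an added example, not part of this page and not Unbound's own code. It is a simplified model of the matching rules described here (tag bitmaps per netblock, tagged local-zones that only apply to clients sharing a tag, **access-control-tag-action** and **access-control-tag-data** per netblock/tag, and **local-zone-override**, which in unbound.conf(5) takes the form ''local-zone-override: <zone> <IP netblock> <type>''). The embedded configuration is this page's example plus one constructed local-zone-override entry (notags.example, 10.0.3.0/24, always_nxdomain) so that the override path is exercised. It is useful for predicting which local-zone type a given client/name pair should get before checking the real resolver with queries from the different netblocks.

```python
"""Simplified model of which local-zone type a client gets in Unbound.

Added example, not Unbound's code. It follows the rules described on the
wiki page (per-netblock tag bitmaps, tagged local-zones, per-netblock tag
actions and tag data, local-zone-override)."""
import ipaddress

# Constructed configuration: the page's example plus one hypothetical
# local-zone-override entry (notags.example for 10.0.3.0/24).
DEFINE_TAGS = ["malware", "gambling"]
ACCESS_CONTROL_TAG = {
    "10.0.1.0/24": ["malware"],
    "10.0.2.0/24": ["malware"],
    "10.0.3.0/24": ["gambling"],
    "10.0.4.0/24": ["malware", "gambling"],
}
LOCAL_ZONE = {
    "malwarehere.example": "refuse",
    "somegamblingsite.example": "static",
    "matchestwotags.example": "transparent",
    "notags.example": "inform",
}
LOCAL_ZONE_TAG = {
    "malwarehere.example": ["malware"],
    "somegamblingsite.example": ["malware"],
    "matchestwotags.example": ["malware", "gambling"],
}
ACCESS_CONTROL_TAG_ACTION = {
    ("10.0.1.0/24", "malware"): "refuse",
    ("10.0.2.0/24", "malware"): "deny",
}
ACCESS_CONTROL_TAG_DATA = {
    ("10.0.4.0/24", "gambling"): ["A 127.0.0.1"],
}
LOCAL_ZONE_OVERRIDE = {  # zone -> {netblock: type}; hypothetical entry
    "notags.example": {"10.0.3.0/24": "always_nxdomain"},
}


def tag_bits(tags):
    """Tags are stored as a bitmap: one bit per tag listed in define-tags."""
    bits = 0
    for tag in tags:
        bits |= 1 << DEFINE_TAGS.index(tag)
    return bits


def longest_match(ip, netblocks):
    """Most specific netblock (CIDR string) containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in netblocks:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def lookup(ip, qname):
    """Return (zone, type, tag_data) for a query.

    (None, None, None) means no local-zone applies to this client and the
    name is resolved normally."""
    cidr = longest_match(ip, ACCESS_CONTROL_TAG)
    client_tags = ACCESS_CONTROL_TAG.get(cidr, [])
    client_bits = tag_bits(client_tags)
    labels = qname.rstrip(".").split(".")
    # Walk from the query name towards the root and take the closest
    # enclosing local-zone that is untagged or shares a tag with the client.
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone not in LOCAL_ZONE:
            continue
        zone_tags = LOCAL_ZONE_TAG.get(zone, [])
        if zone_tags and not (tag_bits(zone_tags) & client_bits):
            continue  # tagged zone that does not apply to this client
        ztype = LOCAL_ZONE[zone]
        shared = [t for t in zone_tags if t in client_tags]
        # access-control-tag-action: first shared tag with an action wins
        for tag in shared:
            if (cidr, tag) in ACCESS_CONTROL_TAG_ACTION:
                ztype = ACCESS_CONTROL_TAG_ACTION[(cidr, tag)]
                break
        # access-control-tag-data: RRs served for a shared tag, if configured
        data = None
        for tag in shared:
            if (cidr, tag) in ACCESS_CONTROL_TAG_DATA:
                data = ACCESS_CONTROL_TAG_DATA[(cidr, tag)]
                break
        # local-zone-override wins regardless of tags and tag actions
        over = longest_match(ip, LOCAL_ZONE_OVERRIDE.get(zone, {}))
        if over is not None:
            ztype = LOCAL_ZONE_OVERRIDE[zone][over]
        return zone, ztype, data
    return None, None, None


if __name__ == "__main__":
    for ip, name in [("10.0.1.5", "malwarehere.example"),
                     ("10.0.2.5", "www.malwarehere.example"),
                     ("10.0.3.5", "malwarehere.example"),
                     ("10.0.4.5", "matchestwotags.example"),
                     ("192.168.1.1", "notags.example"),
                     ("10.0.3.5", "notags.example")]:
        print(ip, name, "->", lookup(ip, name))
```

Running the script shows the cases the page describes: a 10.0.3.0/24 (gambling) client gets no local-zone for malwarehere.example and resolves it normally, a 10.0.2.0/24 client gets **deny** for names under malwarehere.example because of the tag action, the 10.0.4.0/24 client gets the tag data for matchestwotags.example, and the constructed override turns notags.example into **always_nxdomain** for 10.0.3.0/24 only.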
----

**NOTE:** Sometimes you might want to override a local-zone type for a specific netblock, regardless of the type configured for tagged and untagged local-zones, and regardless of the type configured using access-control-tag-action.
  * This override can be done using **local-zone-override**.

----

===== References =====

https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/