Networking - DNS - Unbound - Tags

Tags make it possible to divide client source addresses into categories (tags) and to apply local-zone and local-data information only to the clients carrying those tags.

Tags were introduced in Unbound 1.5.10.

IMPORTANT: The tags on the netblocks and local-zones are stored in bitmaps (one bit per defined tag), so it is advised to keep the number of tags low.

  • If a lot of clients each have their own local-zones that are not shared with other netblocks, this can result in a lot of tags.
  • In that situation it is more convenient to give the client's netblock its own tree of local-zones.
  • Another benefit of a separate local-zone tree is that it makes it possible to apply a local-zone action to a part of the domain space without other local-zone elements for subdomains overriding it.
  • A client-specific local-zone tree can be configured using Views (Unbound 1.6.0 and later).

Define Tags

define-tag: "malware gambling"

NOTE: This defines two tags, one for domains containing malware, and one for domains of gambling sites.


Specify what tag to use for specific client addresses

access-control-tag: 10.0.1.0/24 "malware"
access-control-tag: 10.0.2.0/24 "malware"
access-control-tag: 10.0.3.0/24 "gambling"
access-control-tag: 10.0.4.0/24 "malware gambling"

NOTE: It is possible to assign multiple tags to one access-control element; enclose the list in quotes and separate the tags with spaces.

  • access-control-tag does not grant access by itself: a tagged netblock still needs a matching access-control allow entry to be served at all, and the access-control entries for other netblocks are left as they are.
  • Clients that match no access-control-tag entry carry no tags and therefore only match local-zones that have no tags.

Add tags to local-zones

local-zone: malwarehere.example refuse
local-zone: somegamblingsite.example static
local-zone: matchestwotags.example transparent
local-zone: notags.example inform

local-zone-tag: malwarehere.example malware
local-zone-tag: somegamblingsite.example gambling
local-zone-tag: matchestwotags.example "malware gambling"

NOTE: The local-zone type can be:

  • deny: serves local data if there is a match, otherwise drops the query.
  • refuse: serves local data if there is a match, otherwise replies with rcode REFUSED.
  • static: serves local data if there is a match, otherwise answers nxdomain or nodata.
  • transparent: serves local data if there is a match, otherwise resolves other names normally (a name that is in local data but lacks the requested type gets a nodata answer).
  • redirect: answers every name at or below the zone from the local data of the zone name itself.
  • nodefault: turns off the built-in default contents for AS112 zones, so they are resolved normally.
  • typetransparent: serves local data if there is a match, otherwise resolves other names and other types normally.
  • inform: acts like transparent, but logs the client IP address.
  • inform_deny: drops the query like deny, and logs the client IP address.
  • inform_redirect: redirects the query like redirect, and logs the client IP address.
  • always_transparent: like transparent, but ignores local data and always resolves normally.
  • always_refuse: like refuse, but ignores local data and always refuses the query.
  • always_nxdomain: like static, but ignores local data and always returns nxdomain.
  • noview: breaks out of the current view and looks the zone up in the global local-zones.

NOTE: A local-zone-tag can carry multiple tags.

  • A tagged local-zone is used for a client if at least one of the zone's tags is also set on the client; a local-zone without tags applies to every client.
    • E.g. the matchestwotags.example local-zone is used for every client that has the malware tag, the gambling tag, or both.
    • The local-zone type used is the type given on the matching local-zone.
      • The type can additionally be made dependent on the combination of client address and tag (access-control-tag-action).

Optionally, set tag specific local-zone types

access-control-tag-action: 10.0.1.0/24 "malware" refuse
access-control-tag-action: 10.0.2.0/24 "malware" deny

NOTE: This sets the local-zone type for a combination of client address and tag, taking precedence over the type given on the tagged local-zone itself: here malware names get REFUSED for 10.0.1.0/24 but are silently dropped for 10.0.2.0/24.


Optionally, use local-data RRs (resource records)

access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"

NOTE: This sets local-data RRs for a specific client address/tag match. The RR string carries no owner name; the queried name is used as owner. Tag data is applied as redirect data, so combine it with a redirect (or inform_redirect) type for that client and tag, for example via access-control-tag-action.


NOTE: Sometimes you might want to override a local-zone type for a specific netblock, regardless of the type configured on the tagged and untagged local-zones, and regardless of the type set with access-control-tag-action.

  • This override can be done using local-zone-override, with the syntax local-zone-override: <zone> <IP netblock> <type>.
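The steps above combined into one working unbound.conf. This is an added example for this page, not configuration from the NLnet Labs blog or the Unbound distribution. The netblocks, zone names and tag names are the ones used on this page; the explicit access-control allow lines, the sinkhole netblock 10.0.1.128/25 used for the override, and the "lab" view with its 10.0.5.0/24 clients and example.internal names are assumptions made for the example.

```conf
server:
    # Tags are stored as bitmaps on netblocks and local-zones: keep this list short.
    define-tag: "malware gambling"

    # access-control-tag does not grant access; every tagged netblock
    # gets its own explicit allow entry so the clients are served at all.
    access-control: 10.0.1.0/24 allow
    access-control-tag: 10.0.1.0/24 "malware"
    access-control: 10.0.2.0/24 allow
    access-control-tag: 10.0.2.0/24 "malware"
    access-control: 10.0.3.0/24 allow
    access-control-tag: 10.0.3.0/24 "gambling"
    access-control: 10.0.4.0/24 allow
    access-control-tag: 10.0.4.0/24 "malware gambling"
    # Untagged clients (assumed): served, but only untagged local-zones apply to them.
    access-control: 10.0.5.0/24 allow

    # The zones and the tags they apply to. notags.example has no tag
    # and therefore applies to every client, tagged or not.
    local-zone: malwarehere.example refuse
    local-zone: somegamblingsite.example static
    local-zone: matchestwotags.example transparent
    local-zone: notags.example inform
    local-zone-tag: malwarehere.example malware
    local-zone-tag: somegamblingsite.example gambling
    local-zone-tag: matchestwotags.example "malware gambling"

    # Per client/tag type: 10.0.2.0/24 silently drops malware names
    # instead of getting the REFUSED answer configured on the zone.
    access-control-tag-action: 10.0.2.0/24 "malware" deny

    # Tag data is redirect data, so the action for this client/tag is set
    # to redirect as well. The RR string has no owner name; the queried
    # name is used, so every gambling name resolves to the sinkhole address.
    access-control-tag-action: 10.0.4.0/24 "gambling" redirect
    access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"

    # Override for one small netblock (assumed: an analysis segment inside
    # 10.0.1.0/24). It wins over the zone type, the tags and the tag actions,
    # so these hosts resolve malwarehere.example normally.
    local-zone-override: malwarehere.example 10.0.1.128/25 always_transparent

    # Alternative to tags for a client group with many private zones:
    # hand the netblock its own local-zone tree through a view.
    access-control-view: 10.0.5.0/24 "lab"

# The view (Unbound 1.6.0 and later). Names not found here fall through
# to the global local-zones above because of view-first.
view:
    name: "lab"
    local-zone: example.internal. static
    local-data: "host.example.internal. A 10.9.8.7"
    view-first: yes
```

Check the file with unbound-checkconf before loading it; a tag used in access-control-tag or local-zone-tag that is missing from define-tag is rejected at that point rather than at query time.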

References

https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/