Networking - DNS - Unbound - Tags

Networking - DNS - Unbound - Tags

Tags make it possible to divide client source addresses into categories (tags), and use local-zone and local-data information for these specific tags.

tags was introduced in Unbound 1.5.10.

IMPORTANT: The tags on the netblocks and local-zones are stored in bitmaps, it is therefore advised to keep the number of tags low.

If a lot of clients have their own local-zones, without sharing these to other netblocks, it can results in lots of tags.
In this situation it is more convenient to give the client's netblock its own tree containing local-zones.
Another benefit of having a separate local zone tree is that it makes it possible to apply a local-zone action to a part of the domain space, without having other local-zone elements of subdomains overriding this.
Configuring a client specific local-zone tree can be done using Views.

Define Tags

define-tags: "malware gambling"

NOTE: This defines two tags, one for domains containing malware, and one for domains of gambling sites.

Specify what tag to use for specific client addresses

access-control-tag: 10.0.1.0/24 "malware"
access-control-tag: 10.0.2.0/24 "malware"
access-control-tag: 10.0.3.0/24 "gambling"
access-control-tag: 10.0.4.0/24 "malware gambling"

NOTE: It is possible to add multiple tags to an access-control element.

Other client addresses not within an access-control-tag will still be allowed by default.

Add tags to local-zones

local-zone: malwarehere.example refuse
local-zone: somegamblingsite.example static
local-zone: matchestwotags.example transparent
local-zone: notags.example inform

local-zone-tag: malwarehere.example malware
local-zone-tag: somegamblingsite.example malware
local-zone-tag: matchestwotags.example "malware gambling"

NOTE: The local-zone type can be:

deny serves local data (if any), else, drops queries.
refuse serves local data (if any), else, replies with error.
static serves local data, else, nxdomain or nodata answer.
transparent gives local data, but resolves normally for other names.
redirect serves the zone data for any subdomain in the zone.
nodefault can be used to normally resolve AS112 zones.
typetransparent resolves normally for other types and other names.
inform acts like transparent, but logs client IP address.
inform_deny drops queries and logs client IP address.
inform_redirect redirects queries and logs client IP address
always_transparent resolve in that way but ignore local data for that name.
always_refuse resolve in that way but ignore local data for that name.
always_nxdomain resolve in that way but ignore local data for that name.
noview breaks out of that view towards global local-zones.

NOTE: A local-zone-tag can have multiple tags.

The tagged local-zones will be used if one or more tags match the client.
- E.g. the matchestwotags.example local-zone will be used for all clients with at least the malware or gambling tag.
- The used local-zone type will be the type specified in the matching local-zone.
  - It is possible to depend the local-zone type on the client address and tag combination.

Optionally, set tag specific local-zone types

access-control-tag-action: 10.0.1.0/24 "malware" refuse
access-control-tag-action: 10.0.2.0/24 "malware" deny

NOTE: This sets the local-zone type depending on the client address and tag combination.

Optionally, use local-data RRs (resource records)

access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"

NOTE: This sets the use of local-data RRs for some specific client address/tag match.

NOTE: Sometimes you might want to override a local-zone type for a specific netblock, regardless the type configured for tagged and untagged localzones, and regardless the type configured using access-control-tag action.

This override can be done using local-zone-override.

References

https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/

Table of Contents