Networking - DNS - Unbound - Tags

Unbound supports tags.

  • Tags make it possible to divide client source addresses into categories (tags), and use local-zone and local-data information for these specific tags.

Tags were introduced in Unbound 1.5.10.


Define Tags

define-tags: "malware gambling"

NOTE: This defines two tags, one for domains containing malware, and one for domains of gambling sites.


Specify what tag to use for a specific client address

access-control-tag: 10.0.1.0/24 "malware"
access-control-tag: 10.0.2.0/24 "malware"
access-control-tag: 10.0.3.0/24 "gambling"
access-control-tag: 10.0.4.0/24 "malware gambling"

NOTE: The access-control-tag element is used to specify the tag to use for client addresses.

  • It is possible to assign multiple tags to a single access-control-tag element, as the 10.0.4.0/24 entry above does.
  • Client addresses that do not fall within any access-control-tag netblock are still allowed by default.

Add tags to local-zones

local-zone: malwarehere.example refuse
local-zone: somegamblingsite.example static
local-zone: matchestwotags.example transparent
local-zone: notags.example inform

local-zone-tag: malwarehere.example malware
local-zone-tag: somegamblingsite.example malware
local-zone-tag: matchestwotags.example "malware gambling"

NOTE: A local-zone can have multiple tags.

  • A tagged local-zone is used when one or more of its tags match the client's tags.
    • E.g. the matchestwotags.example local-zone is used for all clients that carry at least one of the malware and gambling tags.
    • The local-zone type applied is the type specified in the matching local-zone.
      • The local-zone type can also be made to depend on the combination of client address and tag.

Optionally, set tag specific local-zone types

access-control-tag-action: 10.0.1.0/24 "malware" refuse
access-control-tag-action: 10.0.2.0/24 "malware" deny

Optionally, use local-data RRs (resource records)

access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"

NOTE: Sometimes you might want to override a local-zone type for a specific netblock, regardless of the type configured for tagged and untagged local-zones, and regardless of the type configured using access-control-tag-action.

  • This override can be done using local-zone-override.
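The rules above (which local-zone a client hits, how access-control-tag-action and access-control-tag-data change the outcome, and how local-zone-override beats both) are easier to check when written out. The following Python is an added example, not part of this page or of Unbound itself: it parses the configuration lines shown on this page and models the documented precedence. The local-zone-override line with its 10.0.9.0/24 netblock and the first-tag-wins tie-break between several matching tags are assumptions made for illustration; confirm the behaviour of a real configuration with unbound-checkconf and test queries from the relevant netblocks.

```python
# Added example, not Unbound code: a model of the rules this page describes
# (tag intersection, access-control-tag-action, access-control-tag-data,
# local-zone-override) that makes their precedence visible. Unbound's own
# tie-breaking between several matching tags may differ from this model.
import ipaddress
import shlex
from typing import NamedTuple, Optional

# The page's configuration, plus one local-zone-override line added here
# (hypothetical netblock 10.0.9.0/24) to exercise the override path.
CONFIG = """
define-tags: "malware gambling"
access-control-tag: 10.0.1.0/24 "malware"
access-control-tag: 10.0.2.0/24 "malware"
access-control-tag: 10.0.3.0/24 "gambling"
access-control-tag: 10.0.4.0/24 "malware gambling"
local-zone: malwarehere.example refuse
local-zone: somegamblingsite.example static
local-zone: matchestwotags.example transparent
local-zone: notags.example inform
local-zone-tag: malwarehere.example malware
local-zone-tag: somegamblingsite.example malware
local-zone-tag: matchestwotags.example "malware gambling"
access-control-tag-action: 10.0.1.0/24 "malware" refuse
access-control-tag-action: 10.0.2.0/24 "malware" deny
access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"
local-zone-override: notags.example 10.0.9.0/24 refuse
"""

class Decision(NamedTuple):
    zone: Optional[str]   # matched local-zone, or None when the query recurses normally
    ztype: Optional[str]  # effective type after tag action / override
    data: Optional[str]   # access-control-tag-data RR used for the answer, if any

def norm(name):
    return name.lower().rstrip(".")  # case-insensitive, trailing dot ignored

def most_specific(entries, ip):
    """Payload of the longest-prefix netblock in entries that contains ip, else None."""
    hits = [(net, payload) for net, payload in entries if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

class TagConfig:
    def __init__(self, text):
        self.tags, self.client_tags, self.zones, self.zone_tags = [], [], {}, {}
        self.tag_actions, self.tag_data, self.overrides = [], [], []
        net = ipaddress.ip_network
        for line in filter(None, map(str.strip, text.splitlines())):
            key, _, rest = line.partition(":")
            a = shlex.split(rest)  # honours the quoted "tag1 tag2" list syntax
            if key == "define-tags":
                self.tags += a[0].split()  # declaration order is used as tie-break below
            elif key == "access-control-tag":
                self.client_tags.append((net(a[0]), set(a[1].split())))
            elif key == "local-zone":
                self.zones[norm(a[0])] = a[1]
            elif key == "local-zone-tag":
                self.zone_tags[norm(a[0])] = set(a[1].split())
            elif key == "access-control-tag-action":
                self.tag_actions.append((net(a[0]), a[1], a[2]))
            elif key == "access-control-tag-data":
                self.tag_data.append((net(a[0]), a[1], a[2]))
            elif key == "local-zone-override":
                self.overrides.append((norm(a[0]), net(a[1]), a[2]))
            else:
                raise ValueError(f"option not covered by this model: {key}")
        # Unbound refuses tags that define-tags did not declare; mirror that check.
        used = set().union(*(t for _, t in self.client_tags), *self.zone_tags.values())
        used |= {t for _, t, _ in self.tag_actions + self.tag_data}
        if used - set(self.tags):
            raise ValueError(f"undefined tags: {sorted(used - set(self.tags))}")

    def tags_for(self, client_ip):
        """Tags of the most specific access-control-tag netblock holding client_ip."""
        return most_specific(self.client_tags, ipaddress.ip_address(client_ip)) or set()

    def decide(self, client_ip, qname):
        ip, ctags, name = ipaddress.ip_address(client_ip), self.tags_for(client_ip), norm(qname)
        # A zone applies when it encloses qname and is untagged or shares a tag with the client.
        candidates = [z for z in self.zones
                      if (name == z or name.endswith("." + z))
                      and (not self.zone_tags.get(z) or self.zone_tags[z] & ctags)]
        if not candidates:
            return Decision(None, None, None)  # no local-zone: resolve normally
        zone = max(candidates, key=lambda z: z.count("."))  # closest enclosing zone wins
        shared = self.zone_tags.get(zone, set()) & ctags
        def rule(table, tag):  # the most specific (netblock, tag) rule for this client
            return most_specific([(n, v) for n, tg, v in table if tg == tag], ip)
        action = data = None
        for tag in self.tags:  # first tag in define-tags order with a matching rule wins
            if tag in shared:
                action = action or rule(self.tag_actions, tag)
                data = data or rule(self.tag_data, tag)
        override = most_specific([(n, t) for z, n, t in self.overrides if z == zone], ip)
        # Precedence: local-zone-override > access-control-tag-action > local-zone type.
        return Decision(zone, override or action or self.zones[zone], data)
```

Calling `TagConfig(CONFIG).decide("10.0.4.5", "x.matchestwotags.example")` yields the transparent type from the local-zone together with the "A 127.0.0.1" record from access-control-tag-data, while the same name from 10.0.3.5 matches only through the gambling tag and gets no data. The argument order in the added local-zone-override line (zone, netblock, type) follows unbound.conf(5).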


networking/dns/unbound/tags.1665225194.txt.gz · Last modified: 2022/10/08 10:33 by peter
