Networking - DNS - Unbound - Tags
Tags make it possible to divide client source addresses into categories (tags), and use local-zone and local-data information for these specific tags.
Tags were introduced in Unbound 1.5.10.
Define Tags
define-tags: "malware gambling"
NOTE: This defines two tags, one for domains containing malware, and one for domains of gambling sites.
Specify what tag to use for specific client addresses
access-control-tag: 10.0.1.0/24 "malware"
access-control-tag: 10.0.2.0/24 "malware"
access-control-tag: 10.0.3.0/24 "gambling"
access-control-tag: 10.0.4.0/24 "malware gambling"
NOTE: It is possible to add multiple tags to an access-control element.
- Client addresses that do not fall within any access-control-tag entry are still allowed by default.
Add tags to local-zones
local-zone: malwarehere.example refuse
local-zone: somegamblingsite.example static
local-zone: matchestwotags.example transparent
local-zone: notags.example inform
local-zone-tag: malwarehere.example malware
local-zone-tag: somegamblingsite.example malware
local-zone-tag: matchestwotags.example "malware gambling"
NOTE: A local-zone can have multiple tags.
- The tagged local-zones will be used if one or more tags match the client.
- E.g. the matchestwotags.example local-zone will be used for all clients with at least the malware or gambling tag.
- The local-zone type used is the type specified in the matching local-zone.
- It is possible to make the local-zone type depend on the combination of client address and tag.
Optionally, set tag specific local-zone types
access-control-tag-action: 10.0.1.0/24 "malware" refuse
access-control-tag-action: 10.0.2.0/24 "malware" deny
Optionally, use local-data RRs (resource records)
access-control-tag-data: 10.0.4.0/24 "gambling" "A 127.0.0.1"
NOTE: Sometimes you might want to override the local-zone type for a specific netblock, regardless of the type configured for tagged and untagged local-zones, and regardless of the type configured with access-control-tag-action.
- This override can be done using local-zone-override.
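To make the matching rules above concrete, here is a small Python model that replays this page's tag configuration and returns the local-zone type a given client would get for a given query name. It is an added example, not Unbound's own code and not part of the original page; the precedence order it assumes (local-zone-override, then access-control-tag-action, then the zone's own type) and the single local-zone-override entry are assumptions, and the addresses and zone names are the page's examples.

```python
import ipaddress
# Constructed model of the tag rules this page describes (not Unbound's code).
# Assumed precedence: local-zone-override, then access-control-tag-action
# for the first matching tag in define-tags order, then the local-zone type.
DEFINE_TAGS = ["malware", "gambling"]                 # define-tags
ACL_TAGS = {                                          # access-control-tag
    "10.0.1.0/24": {"malware"}, "10.0.2.0/24": {"malware"},
    "10.0.3.0/24": {"gambling"}, "10.0.4.0/24": {"malware", "gambling"},
}
LOCAL_ZONES = {                                       # local-zone: name type
    "malwarehere.example": "refuse", "somegamblingsite.example": "static",
    "matchestwotags.example": "transparent", "notags.example": "inform",
}
ZONE_TAGS = {                                         # local-zone-tag
    "malwarehere.example": {"malware"}, "somegamblingsite.example": {"malware"},
    "matchestwotags.example": {"malware", "gambling"},
}
TAG_ACTIONS = {                                       # access-control-tag-action
    ("10.0.1.0/24", "malware"): "refuse", ("10.0.2.0/24", "malware"): "deny",
}
OVERRIDES = {                                         # local-zone-override (constructed entry)
    ("10.0.1.0/24", "matchestwotags.example"): "always_nxdomain",
}

def client_netblock(ip):
    """Longest-prefix match of the client address against access-control-tag entries."""
    addr = ipaddress.ip_address(ip)
    nets = [n for n in ACL_TAGS if addr in ipaddress.ip_network(n)]
    return max(nets, key=lambda n: ipaddress.ip_network(n).prefixlen, default=None)

def matching_zone(qname):
    """Longest-suffix match of the query name against the configured local-zones."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in LOCAL_ZONES:
            return ".".join(labels[i:])
    return None

def resolve_zone_type(client_ip, qname):
    """Local-zone type applied to this client/query, or None for normal recursion."""
    zone = matching_zone(qname)
    if zone is None:
        return None
    net = client_netblock(client_ip)
    client_tags, zone_tags = ACL_TAGS.get(net, set()), ZONE_TAGS.get(zone, set())
    if zone_tags and not zone_tags & client_tags:
        return None                  # tagged zone with no tag in common: skipped
    if (net, zone) in OVERRIDES:     # netblock override beats everything else
        return OVERRIDES[(net, zone)]
    for tag in DEFINE_TAGS:          # tag-specific type, if one is configured
        if tag in zone_tags & client_tags and (net, tag) in TAG_ACTIONS:
            return TAG_ACTIONS[(net, tag)]
    return LOCAL_ZONES[zone]         # fall back to the zone's own type
```

Untagged clients (for example 192.168.1.1) still hit notags.example but skip every tagged zone, which is the behaviour to check first when a block list appears not to apply.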
Last modified: 2022/10/08 10:34 by peter