
Networking - DNS - Unbound - Views

Unbound’s views can be used to serve different local data depending on the source address of the client that sent the query.

  • Each view name must be unique.
  • Map views to requests using the access-control-view option.
  • Views can contain zero or more local-zone and local-data options.
  • Options from matching views will override global options.
  • Global options will be used if no matching view is found.
    • With view-first: yes, Unbound will try to answer using the global local-zone and local-data elements if there is no view-specific match.

Different Views

view:
    name: "viewname"
    local-zone: "example.com" redirect
    local-data: "example.com A 192.0.2.3"
    local-data-ptr: "192.0.2.3 www.example.com"
    view-first: no
view:
    name: "anotherview"
    local-zone: "example.com" refuse

Override DNS queries for specific clients

server:
     ...
     access-control-view: 127.0.0.0/8 intview

     local-zone: "aa." static
     local-data: "my.aa. IN A 1.1.1.1"

view:
     name: "intview"
     local-zone: "aa." static
     local-data: "my.aa. 90 IN A 2.2.2.2"

NOTE: Here the globally defined local-zone and local-data, pointing to 1.1.1.1, are used for most DNS queries by default.

However, a query from a client in 127.0.0.0/8, the netblock given in the access-control-view statement, is handled by the intview view and so gets 2.2.2.2.


Queries to this instance should return the following for my.aa/A:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6565
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
my.aa.			3600	IN	A	1.1.1.1

;; Query time: 8 msec
;; SERVER: 192.168.1.130#53(192.168.1.130)

The view named intview defines an alternative response, which is used when a query comes from a client in 127.0.0.0/8, the netblock given in the access-control-view statement:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14806
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
my.aa.			90	IN	A	2.2.2.2

;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2)

There may be multiple view clauses, and options from views matching an access control statement will be used and override global options.

On the other hand, global options are used if no matching view is found.
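A pre-deployment check for the rules above, as an added example (not part of the original page or of Unbound): it parses unbound.conf text, flags duplicate view names and access-control-view entries that name no defined view, and reports which view a client source address selects. The sample config, the view names stubview, labview and orphan, and the most-specific-netblock rule (documented in unbound.conf for access-control, assumed here for access-control-view) are assumptions.

```python
import ipaddress

SAMPLE = '''# Constructed sample: the page's intview example plus deliberate mistakes
server:
    access-control-view: 127.0.0.0/8 intview
    access-control-view: 127.0.0.53/32 stubview
    access-control-view: 10.0.0.0/8 labview
    local-zone: "aa." static
    local-data: "my.aa. IN A 1.1.1.1"
view:
    name: "intview"
    local-zone: "aa." static
    local-data: "my.aa. 90 IN A 2.2.2.2"
view:
    name: "stubview"
    local-zone: "aa." refuse
view:
    name: "intview"
view:
    name: "orphan"
'''

def parse(text):
    """Collect (netblock, view) mappings and every view name, in file order."""
    acl, names, clause = [], [], None
    for raw in text.splitlines():
        key, _, val = raw.split("#")[0].strip().partition(":")
        val = val.strip().strip('"')
        if not val:
            clause = key or clause          # "server:" / "view:" starts a clause
        elif key == "access-control-view":
            net, view = val.split()
            acl.append((ipaddress.ip_network(net), view))
        elif key == "name" and clause == "view":
            names.append(val)               # ignore name: in other clause types
    return acl, names

def lint(acl, names):
    """Report duplicate, undefined and unmapped views."""
    mapped, defined = {v for _, v in acl}, set(names)
    out = [f"duplicate view name: {n}" for n in sorted(defined) if names.count(n) > 1]
    out += [f"undefined view in access-control-view: {v}" for v in sorted(mapped - defined)]
    out += [f"view not mapped by access-control-view: {n}" for n in sorted(defined - mapped)]
    return out

def view_for(acl, client):
    """View selected for a client source address; None means global options apply."""
    ip = ipaddress.ip_address(client)
    hits = [(net.prefixlen, view) for net, view in acl if ip.version == net.version and ip in net]
    return max(hits)[1] if hits else None   # assumption: most specific netblock wins
```

Run `lint(*parse(text))` on the real configuration before reloading Unbound, then spot-check `view_for` with the addresses of clients that must not receive the internal answers.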

NOTE: It doesn’t appear to be possible to use views other than for local data.



networking/dns/unbound/views.1607078645.txt.gz · Last modified: 2020/12/04 10:44 by peter
