Bug 4231 - [FEATURE REQ] Allow unbound to listen on an interface, not just IPs/subnets, and allow listening negation
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.8.3
Hardware: All
OS: All
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2019-03-02 16:28 CET by Stilez
Modified: 2019-03-05 09:06 CET (History)
Description Stilez 2019-03-02 16:28:33 CET
At present Unbound's listening options are limited to a list of IPs and subnets. This makes it difficult if one wishes to listen to all incoming requests on a specific interface, for example if dynamically assigned virtual IPs are in use.

It's also a bit cumbersome to specify when listening should apply to "all except" an IP or set of subnets. For example, listening to requests on the WAN *except for* requests from our remote office/remote known IPs, or when we want to listen for all queries on the LAN *except for* some specific host which is to be denied at this time.

It would be helpful to be able to specify:

interface: em0                 (listen for any connections from any IP on em0)
interface: -192.168.5.6        (don't listen to these IPs/subnets that
interface: -8.8.0.0/16                         would otherwise be listened to)
Comment 1 Wouter Wijngaards 2019-03-04 09:24:04 CET
Hi Stilez,

I think some of this may already exist, the following perhaps?

You can list IP-addresses that are not there (yet) in interface: lines with the ip-transparent: yes and ip-freebind: yes options.  They allow you to bind to them even though they do not exist (yet) or are down.

You can also use interface-automatic: yes. This will listen to all queries over all interfaces.

If you want to deny a single host on the LAN or a particular subnet of the LAN, the access-control statement can do that.  You specify the IP-address or subnet that you want to refuse and give that as 'refuse'.  You can also 'deny' (drop the packet instead of a refusal error).  And 'allow', and you can nest subnets with allow and deny to add or leave out particular subnets.

Best regards, Wouter
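The access-control approach suggested above relies on unbound picking the most specific matching netblock, so a narrow deny or refuse can sit inside a broader allow. The following added example (not part of the bug report or of unbound itself) parses a constructed config fragment and reproduces that lookup; 192.168.5.6 comes from the report, while 203.0.113.0/24 and 203.0.113.64/27 are assumed placeholder WAN and remote-office ranges.

```python
import ipaddress

# Constructed unbound.conf fragment (assumed values): refuse everything,
# allow the LAN except one host (dropped silently with "deny"), and allow
# the WAN range except the remote-office block (answered with REFUSED).
CONF = """
server:
    interface-automatic: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.0.0/16 allow
    access-control: 192.168.5.6/32 deny          # host to exclude right now
    access-control: 203.0.113.0/24 allow         # assumed WAN client range
    access-control: 203.0.113.64/27 refuse       # assumed remote-office range
"""


def parse_access_control(text):
    """Return [(network, action)] from access-control: lines, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        net, action = line[len("access-control:"):].split()
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def decide(rules, src):
    """Most specific matching netblock wins, as unbound does.

    No match falls back to "refuse"; unbound's built-in localhost
    "allow" entries are deliberately not modelled here.
    """
    ip = ipaddress.ip_address(src)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


RULES = parse_access_control(CONF)

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.5.6", "203.0.113.10",
                "203.0.113.70", "198.51.100.7"):
        print(src, "->", decide(RULES, src))
```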
Comment 2 Stilez 2019-03-05 01:35:55 CET
I hadn't considered using access control to counter unwanted listening. That would work.

As to the other point, I don't think those ideas work. All of them require to specify IPs to listen on, rather than an actual interface. You can specify IPs that don't yet exist or are down, but you can only specify IPs at this time.

In some cases you don't know the IPs to listen on, or you want to listen on an interface on all IPs that may exist. In some situations you can't realistically specify the IPs, and you wouldn't want to have a process constantly updating them. You just want to say "listen to everything on em0" or whatever it might be, and be done.
Comment 3 Wouter Wijngaards 2019-03-05 09:06:26 CET
Hi Stilez,

The interface-automatic: yes, does not require a list of IPs, it will use all of them.  It is not restricted to a single interface, but it does do what you ask on that point.  Perhaps that solves your problem?

Best regards, Wouter