Maintained by: NLnet Labs

[Unbound-users] Whitelist some domains, blacklist everything else

Ondřej Surý
Sun May 16 19:12:35 CEST 2010

2010/5/16 Alexander E. Patrakov <patrakov at>

> 16.05.2010 22:01, Carsten Krüger wrote:
>> Hello,
>> is it possible with unbound to allow only lookups on whitelisted
>> domains and answer all others with or NXDOMAIN?
> No.

Well, I wouldn't be so strict; something like this could probably be done
using forwarding:

name: whitelist1.dom

name: whitelist2.dom

name: .
  forward-addr: <ip_of_dummy_nameserver_returning always nxdomain, f.e. running on>

But you are doing it wrong. DNS is a bad place for this kind of filtering.
Implementing a transparent HTTP proxy with a block list, or even simple
firewall rules, is better. Protection at the DNS level is very fragile and
could probably be easily circumvented if not implemented together with strict firewall

Ondřej Surý <ondrej at>
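
The "dummy nameserver returning always nxdomain" that the catch-all forward zone points at, sketched as an added example that is not part of the original post: a minimal UDP responder that echoes the question back with RCODE 3. The listen address 127.0.0.1 port 5353, the function names and the sample query are assumptions made for illustration.

```python
import socket
import struct

# Constructed sample query: ID 0x1234, RD set, one question "blocked.example" A IN.
SAMPLE_QUERY = (bytes.fromhex("123401000001000000000000")
                + b"\x07blocked\x07example\x00" + struct.pack("!HH", 1, 1))

def build_nxdomain(query: bytes) -> bytes:
    """Return an NXDOMAIN response echoing the query's ID and question section."""
    if len(query) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    pos = 12  # walk the question section so anything after it (e.g. EDNS) is dropped
    for _ in range(qdcount):
        while True:
            if pos >= len(query):
                raise ValueError("truncated question")
            length = query[pos]
            if length & 0xC0:
                raise ValueError("compression pointer or bad label in question")
            pos += 1 + length
            if length == 0:
                break
        pos += 4  # QTYPE + QCLASS
        if pos > len(query):
            raise ValueError("truncated question")
    # QR=1, opcode and RD copied from the query, RA=1, RCODE=3 (NXDOMAIN).
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | 3
    header = struct.pack("!HHHHHH", qid, rflags, qdcount, 0, 0, 0)
    return header + query[12:pos]

def serve(addr=("127.0.0.1", 5353)):
    """Answer every UDP query on addr (assumed address) with NXDOMAIN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(addr)
        while True:
            data, peer = sock.recvfrom(4096)
            try:
                sock.sendto(build_nxdomain(data), peer)
            except ValueError:
                continue  # drop malformed packets silently

if __name__ == "__main__":
    serve()
```

If the responder runs on the resolver host itself, Unbound also needs `do-not-query-localhost: no`, and the catch-all zone's `forward-addr` takes the `127.0.0.1@5353` form.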