[Unbound-users] unbound + nsd: acl to only allow non-recursive requests?
jiri at boha.cz
Mon Feb 10 22:17:55 CET 2014
I'm trying to replace my bind server with unbound + nsd.
My DNS server works both as authoritative for a few zones and
also as a recursive resolver for a few subnets.
I configured the domains I want to serve authoritatively as stub
zones in unbound, so that the requests are forwarded to a locally
running nsd on a different port.
I need the server to allow non-recursive queries from anywhere.
I want to allow recursive queries only from specified subnets to
prevent misuse of my server for a DNS amplification attack.
The "access-control:" directive only has these actions:
allow_snoop -- allows recursive + nonrecursive queries
allow -- allows recursive queries
I am missing an action to only allow nonrecursive queries.
Then, I could do:
access-control: 220.127.116.11/24 allow_snoop
access-control: 0.0.0.0/0 allow_nonrec
to only allow recursive queries from 1.2.3.x and nonrecursive
What other options do I have?
I'm limited to a single IP address, so I can't run unbound on one
and nsd on another.
The only solution I can think of is using iptables to redirect
the DNS traffic to unbound's port for queries from 18.104.22.168/24 and
to nsd's port for other queries. Makes me sort of uneasy ;)
Would it be a totally stupid thing to implement the allow_nonrec
action for access-control? Any chances of such a patch being
accepted for unbound?
e-mail/jabber: jiri at boha.cz
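Whichever way the split ends up being done (an access-control action, or the iptables redirect to nsd's port for everyone outside the trusted subnet), the thing worth checking afterwards is that an outside host really cannot get recursion. The script below is an added example, not code from the original post or from the unbound/nsd projects: it sends the same question twice, once with RD cleared and once with RD set, and classifies the reply from the header bits (REFUSED, an authoritative answer, or a recursive one). The target name example.com and the hard-coded transaction id 0x1234 are assumptions; run it from a host outside the allowed subnets against a name the server is not authoritative for.

```python
"""Probe whether a DNS server grants recursion to the host running this.

Added example (not from the unbound/nsd projects). Sends one query with
RD=0 and one with RD=1 and reports what the server did with each.
"""
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR = 0x8000          # response
AA = 0x0400          # authoritative answer
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
RCODE_MASK = 0x000F
RCODE_REFUSED = 5

TXID = 0x1234        # fixed id; fine for a local check, an assumption here


def build_query(qname, qtype=1, rd=True, txid=TXID):
    """Build a minimal DNS query (qtype 1 = A); rd sets the RD bit."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        name += bytes([len(raw)]) + raw
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields the check needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify(hdr):
    """Map a response header to what the server did with the query."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"           # what unbound returns for denied clients
    if hdr["aa"]:
        return "authoritative"     # answered from its own zone data
    if hdr["ra"]:
        return "recursive"         # server offered recursion to us
    return "other"


def probe(server, qname, port=53, timeout=2.0):
    """Query with RD=0 and RD=1; return {False: verdict, True: verdict}."""
    results = {}
    for rd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, rd=rd), (server, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                results[rd] = "timeout"
                continue
        hdr = parse_header(data)
        results[rd] = classify(hdr) if hdr["id"] == TXID else "id-mismatch"
    return results


def is_open_resolver(results):
    """True if the RD=1 query for a foreign name got a recursive answer."""
    return results.get(True) == "recursive"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # example.com is assumed to be a name this server is NOT authoritative for
    verdict = probe(target, "example.com")
    print("RD=0:", verdict[False], " RD=1:", verdict[True])
    print("recursion granted to this host:", is_open_resolver(verdict))
```

From an allowed subnet the expected pair is "refused" for RD=0 (plain allow) and "recursive" for RD=1; from anywhere else both should come back "refused", or "authoritative" for names in the zones nsd serves. Any "recursive" seen from outside the allowed subnets means the amplification concern is still live.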