Access Control Lists

Access Control Lists in Unbound determine which clients can and cannot perform queries against the DNS Resolver as well as aspects of client behavior.

The default behavior is to allow access from TNSR itself (localhost), but refuse queries from other clients.


tnsr(config)# unbound server
tnsr(config-unbound)# access-control allow

The general form of the command is:

tnsr(config-unbound)# access-control <IPv4 or IPv6 Network Prefix> <action>

The IPv4 or IPv6 Network Prefix is a network specification, such as or 2001:db8::/64. For a single address, use /32 for IPv4 or /128 for IPv6.

The Action types are:


Allow access to recursive and local data queries for clients in the specified network.


Allow access to recursive and local data queries for clients in the specified network, additionally this allows access to cache snooping. Cache snooping is a technique to use nonrecursive queries to examine the contents of the cache for debugging or identifying malicious data.


Allow access for clients and ignores the “recursion desired” (RD) bit in the query. All queries from these clients are treated as recursive. This violates RFC 1034 but can be useful in edge cases where queries for specific zones are forwarded to resolvers that do not allow recursion for queries to these stub zones.


Stops queries from clients in the specified network, but sends a DNS response code REFUSED error. This is the default behavior for networks other than localhost, since it is friendly and protocol-safe response behavior.


Similar to refuse but allows queries for authoritative local data. Recursive queries are refused.


Drops and does not respond to queries from clients in the specified network. In most cases a refuse action is preferable since DNS is not designed to handle a non-response. A lack of response may cause clients to send additional unwanted queries.


Allows queries for authoritative local-data only, all other queries are dropped without a response.