DNS Resolver Access Lists

Unbound requires access lists (ACLs) to control which clients are allowed to submit queries. By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. Additional networks must be allowed manually.

Note

The automatic ACLs may be disabled using the Disable Auto-added Access Control option on the Advanced Settings tab.

To manage access lists for the DNS Resolver, navigate to Services > DNS Resolver, Access Lists tab. This page has controls to add new entries as well as edit or delete existing entries.

When adding or editing an entry, the following options are available:

Access List Name:

The name for the access list, which appears as a comment in the access list configuration file.

Action:

Controls how Unbound will handle queries for networks contained in this access list.

Deny:

Stops queries from clients in the configured networks

Refuse:

Stops queries from clients in the configured networks and sends back a REFUSED response code

Allow:

Allows queries from clients in the configured networks

Allow Snoop:

Allows recursive and non-recursive queries from clients in the configured networks, used for cache snooping, and typically only configured on administrative hosts.

Deny Nonlocal:

Allow only authoritative local-data queries from hosts within the network on this ACL. Unbound will drop disallowed messages.

Refuse Nonlocal:

Allow only authoritative local-data queries from hosts within the network on this ACL. Unbound sends back a REFUSED response code for disallowed messages.

Description:

A longer text field for reference notes about this entry.

Networks:

A list of IPv4 or IPv6 networks governed by this access list entry.