This is the documentation for the 19.12 version.
Access Control Lists
Access Control Lists in Unbound determine which clients can and cannot perform queries against the DNS Resolver as well as aspects of client behavior.
The default behavior is to allow access from TNSR itself (localhost), but refuse queries from other clients.
Example:
tnsr(config)# unbound server
tnsr(config-unbound)# access-control 10.2.0.0/24 allow
The general form of the command is:
tnsr(config-unbound)# access-control <IPv4 or IPv6 Network Prefix> <action>
The IPv4 or IPv6 Network Prefix is a network specification, such as 10.2.0.0/24 or 2001:db8::/64. For a single address, use /32 for IPv4 or /128 for IPv6.
The Action types are:
- allow:
Allow access to recursive and local data queries for clients in the specified network.
- allow_snoop:
Allow access to recursive and local data queries for clients in the specified network, and additionally allow cache snooping. Cache snooping uses nonrecursive queries to examine the contents of the cache, for debugging or for identifying malicious data.
- refuse:
Stops queries from clients in the specified network, but replies with the DNS response code REFUSED. This is the default behavior for networks other than localhost, since it is a friendly and protocol-safe response.
- refuse_non_local:
Similar to refuse but allows queries for authoritative local data. Recursive queries are refused.
- deny:
Drops and does not respond to queries from clients in the specified network. In most cases a refuse action is preferable, since DNS is not designed to handle a non-response. A lack of response may cause clients to send additional unwanted queries.
- deny_non_local:
Allows queries for authoritative local data only; all other queries are dropped without a response.
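The following Python model is an added example and is not TNSR or Unbound code. It parses access-control entries in the form shown above, picks the action for a client address, and reports whether a recursive or local-data query from that client is answered, refused with REFUSED, or dropped, per the action descriptions in this list. Two things are assumed: that the most specific matching netblock wins (Unbound's documented matching rule), and that the page's defaults sit underneath any configured entries (localhost allowed, every other client refused). The sample policy and default entries are constructed for the example; TNSR does not display the defaults as configuration lines.

```python
# Added example (not TNSR or Unbound code): a model of how Unbound resolves a
# client's access-control action and what each action does to a query.
# Assumptions: the most specific matching netblock wins (Unbound's documented
# matching rule), and the page's defaults apply underneath any configured
# entries (localhost allowed, every other client refused).
import ipaddress

ACTIONS = {"allow", "allow_snoop", "refuse", "refuse_non_local",
           "deny", "deny_non_local"}


def parse_acl(lines):
    """Parse 'access-control <prefix> <action>' lines into (network, action) pairs."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "access-control":
            raise ValueError(f"unrecognised access-control line: {line!r}")
        _, prefix, action = parts
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} in {line!r}")
        entries.append((ipaddress.ip_network(prefix, strict=False), action))
    return entries


# Implicit default policy described on the page, written as ACL lines
# (constructed here; TNSR does not show these lines in its configuration).
DEFAULT_ENTRIES = parse_acl([
    "access-control 0.0.0.0/0 refuse",
    "access-control ::/0 refuse",
    "access-control 127.0.0.0/8 allow",
    "access-control ::1/128 allow",
])

# Constructed sample policy: a trusted LAN may recurse, one admin host may also
# snoop the cache, a guest network gets local data only, and an unwanted range
# is dropped without a reply.
SAMPLE_ENTRIES = parse_acl([
    "access-control 10.2.0.0/24 allow",
    "access-control 10.2.0.5/32 allow_snoop",
    "access-control 192.0.2.0/24 refuse_non_local",
    "access-control 2001:db8::/64 deny",
])


def lookup_action(client_ip, entries):
    """Return the action for client_ip; the longest matching prefix wins."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_action = None, "refuse"   # page default when nothing matches
    for net, action in entries:
        if ip.version == net.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_action = net, action
    return best_action


def query_outcome(client_ip, query_kind, entries=None):
    """
    query_kind is 'recursive' or 'local' (a query for authoritative local data).
    Returns 'answered', 'REFUSED' (an error reply is sent) or 'dropped' (no reply).
    """
    if query_kind not in ("recursive", "local"):
        raise ValueError(f"unknown query kind {query_kind!r}")
    if entries is None:
        entries = DEFAULT_ENTRIES + SAMPLE_ENTRIES
    action = lookup_action(client_ip, entries)
    if action in ("allow", "allow_snoop"):
        return "answered"
    if action == "refuse":
        return "REFUSED"
    if action == "refuse_non_local":
        return "answered" if query_kind == "local" else "REFUSED"
    if action == "deny":
        return "dropped"
    # deny_non_local: local data is answered, everything else is dropped
    return "answered" if query_kind == "local" else "dropped"


if __name__ == "__main__":
    policy = DEFAULT_ENTRIES + SAMPLE_ENTRIES
    for client in ("127.0.0.1", "10.2.0.5", "10.2.0.7", "192.0.2.9",
                   "2001:db8::1", "198.51.100.1"):
        print(f"{client:>14}  {lookup_action(client, policy):<17}"
              f"recursive={query_outcome(client, 'recursive', policy):<9}"
              f"local={query_outcome(client, 'local', policy)}")
```

Running the block prints one line per sample client. The longest-prefix rule is what lets the single /32 allow_snoop entry override the surrounding /24 allow entry, and it is also why an address outside every configured prefix still falls through to the page's default refuse behaviour.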