Access Control Lists

Access Control Lists in Unbound determine which clients can and cannot perform queries against the DNS Resolver as well as aspects of client behavior.

The default behavior is to allow access from TNSR itself (localhost), but refuse queries from other clients.

Example:

tnsr(config)# unbound server
tnsr(config-unbound)# access-control 10.2.0.0/24 allow

The general form of the command is:

tnsr(config-unbound)# access-control <IPv4 or IPv6 Network Prefix> <action>

The IPv4 or IPv6 Network Prefix is a network specification, such as 10.2.0.0/24 or 2001:db8::/64. For a single address, use /32 for IPv4 or /128 for IPv6.

The Action types are:

allow

Allow access to recursive and local data queries for clients in the specified network.

allow_snoop

Allow access to recursive and local data queries for clients in the specified network, additionally this allows access to cache snooping. Cache snooping is a technique to use nonrecursive queries to examine the contents of the cache for debugging or identifying malicious data.

refuse

Stops queries from clients in the specified network, but sends a DNS response code REFUSED error. This is the default behavior for networks other than localhost, since it is friendly and protocol-safe response behavior.

refuse_non_local

Similar to refuse but allows queries for authoritative local data. Recursive queries are refused.

deny

Drops and does not respond to queries from clients in the specified network. In most cases a refuse action is preferable since DNS is not designed to handle a non-response. A lack of response may cause clients to send additional unwanted queries.

deny_non_local

Allows queries for authoritative local-data only, all other queries are dropped without a response.