Unbound #455
Yes, you can achieve client isolation in Unbound to prevent clients from seeing each other's queries or interacting indirectly. Here are the steps to implement it:
Unbound allows you to set up views, which are essentially isolated configurations for different clients or client groups. Each view can have separate zones, access control, and response policies. Example for two clients:

```
view:
    name: "client1"    # view name taken from the client names used below
    # zones and data visible only to client 1 go here

view:
    name: "client2"
    # zones and data visible only to client 2 go here
```

Restrict query access using `access-control` to ensure clients can only query zones they are allowed to access:

```
access-control: 192.168.1.1/32 allow   # Client 1's IP
```

Define `local-zone` and `local-data` to allow only specific internal zones for each client. For example:

```
local-zone: "client1.local." static
local-zone: "client2.local." static
```

QNAME minimization ensures upstream DNS resolvers receive only the minimal information required to resolve queries. While it doesn't directly isolate clients, it reduces data leakage:

```
qname-minimisation: yes
```

Prevent Unbound from forwarding client subnet information upstream using the `client-subnet-always-forward` option:

```
client-subnet-always-forward: no
```

Assign tags to clients and enforce policies to block or allow access to specific resources:

```
# tags must be declared before they are used
define-tag: "client1 client2"
access-control: 192.168.1.1/32 allow
access-control-tag: 192.168.1.1/32 "client1"
# zones tagged "client2" are refused for queries from client 1's netblock
access-control-tag-action: 192.168.1.1/32 client2 refuse
```

Enable query logging to verify that clients cannot query or interact with each other's data:

```
log-queries: yes
```

By combining these techniques, you can ensure complete isolation between DNS clients, preventing them from accessing each other's data or resources.
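The pieces from the comment above assembled into one working `unbound.conf`, as an added example that is not from the issue or the Unbound project. It binds each client netblock to its own view with `access-control-view` (the option the comment leaves out), and each view refuses the other client's zone so a lookup for it never reaches the global zones. Client 2's netblock (192.168.1.2/32) and the `local-data` addresses are assumptions; `client-subnet-always-forward` is only accepted by builds that include the subnet module.

```conf
server:
    interface: 0.0.0.0
    # Refuse everyone not listed explicitly below
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.1.1/32 allow       # Client 1's IP (from the comment)
    access-control: 192.168.1.2/32 allow       # Client 2's IP (assumed)
    # Bind each client netblock to its own view; this is what isolates them
    access-control-view: 192.168.1.1/32 "client1"
    access-control-view: 192.168.1.2/32 "client2"
    # Send upstream only what is needed to resolve the name
    qname-minimisation: yes
    # Do not pass client subnet information upstream (needs the subnet module)
    client-subnet-always-forward: no
    # Log queries so isolation can be verified per source address
    log-queries: yes

view:
    name: "client1"
    # Fall back to the server clause only for names this view does not define
    view-first: yes
    local-zone: "client1.local." static
    local-data: "host.client1.local. IN A 10.0.1.10"    # assumed address
    # Client 2's zone is refused inside client 1's view
    local-zone: "client2.local." refuse

view:
    name: "client2"
    view-first: yes
    local-zone: "client2.local." static
    local-data: "host.client2.local. IN A 10.0.2.10"    # assumed address
    local-zone: "client1.local." refuse
```

Run `unbound-checkconf` on the file before reloading; a query for `host.client2.local` from 192.168.1.1 should then be refused while the same query from 192.168.1.2 is answered from local data.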