NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Multiple "server:" clauses (so server configurations) in the same unbound.conf #339

Closed iz8mbw closed 1 year ago

iz8mbw commented 3 years ago

Hi. Sorry, just a question.

Is it possible to have multiple server: clauses (so server configurations) in the same unbound.conf file in order to have different unbound behavior using one unbound process?

Since I'm really interested in this https://github.com/NLnetLabs/unbound/issues/210 to avoid unwanted traffic (malware, porn, etc...) on my children's devices, I'm doing it by myself using iptables. So my idea is to have two different unbound configurations listening on different ports, for example:

Port udp 53: normal (open) DNS -> forward-addr: 1.1.1.1 (Cloudflare DNS)
Port udp 54: filtered content DNS -> forward-addr: 1.1.1.3 (Cloudflare for Families DNS)

and then with iptables I forward, for my children's devices (based on IP address), the DNS traffic (port 53) to port 54, so for my children's devices unbound will answer with filtered content DNS.

Example of iptables: iptables -t nat -A PREROUTING -i eth0 --src 192.168.1.150 -p udp --dport 53 -j REDIRECT --to-port 54

Or should I run multiple unbound instances (multiple processes) with a different config file for each session? Example:

unbound 1 -> /etc/unbound/unbound.conf
unbound 2 -> /etc/unbound/unbound2.conf

I have unbound built from source code in /usr/local/sbin/unbound

Thanks.

gthess commented 3 years ago

Hi,

Currently what you are asking is not possible as described also in #210. For what you are describing I can see 3 solutions:

  1. What you are already doing with iptables; redirecting to the same IP but a different port (2 unbounds running);
  2. Having 2 unbounds running on different IPs and the same port and configuring both on your machines (or DHCP or similar). Then you can have access-control on the open unbound to refuse queries from the children's devices. The children's devices will then ask the filtered unbound for answers. This is similar to 1 above but the access list is now in unbound instead of iptables;
  3. If you have access to a family-friendly RPZ feed, you can have only one unbound configured to apply the RPZ feed to certain devices using access-control-tag with RPZ.

Hope that helps for now.

You could also post any further questions in the unbound-users mailing list. Maybe users with similar situations/experience could chip in.
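The three options from the reply above, written out as unbound.conf fragments. This is an added example, not configuration from the issue or from the Unbound project. The resolver addresses 192.168.1.1 and 192.168.1.2, the child device 192.168.1.150, port 54, the pidfile paths and the RPZ zone name and feed URL are assumed placeholders; replace them with your own.

```conf
# --- Option 1: two unbound processes on the same IP, different ports ---
# /etc/unbound/unbound.conf  (open resolver on udp/tcp 53)
server:
    interface: 192.168.1.1              # assumed LAN address of the resolver
    port: 53
    access-control: 192.168.1.0/24 allow
    pidfile: "/run/unbound-open.pid"    # each instance needs its own pidfile
forward-zone:
    name: "."
    forward-addr: 1.1.1.1

# /etc/unbound/unbound2.conf  (filtered resolver on udp/tcp 54)
server:
    interface: 192.168.1.1
    port: 54
    access-control: 192.168.1.0/24 allow
    pidfile: "/run/unbound-filtered.pid"
# if remote-control is enabled, give this instance its own control-port too
forward-zone:
    name: "."
    forward-addr: 1.1.1.3

# Start both:  unbound -c /etc/unbound/unbound.conf
#              unbound -c /etc/unbound/unbound2.conf
# Then redirect the child device with the UDP rule from the question and its TCP twin:
#   iptables -t nat -A PREROUTING -i eth0 --src 192.168.1.150 -p udp --dport 53 -j REDIRECT --to-port 54
#   iptables -t nat -A PREROUTING -i eth0 --src 192.168.1.150 -p tcp --dport 53 -j REDIRECT --to-port 54

# --- Option 2: two processes on different IPs, same port; access-control does the split ---
# open resolver on 192.168.1.1:53 (hand this address out to the adults' devices)
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.1.150/32 refuse   # child device gets REFUSED here;
                                              # unbound picks the most specific match,
                                              # so the order of the two lines does not matter
forward-zone:
    name: "."
    forward-addr: 1.1.1.1

# filtered resolver on 192.168.1.2:53 (hand this address out to the children's devices)
server:
    interface: 192.168.1.2
    access-control: 192.168.1.0/24 allow
forward-zone:
    name: "."
    forward-addr: 1.1.1.3

# --- Option 3: one process, RPZ applied only to tagged clients ---
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    define-tag: "family"
    access-control-tag: 192.168.1.150/32 "family"   # only this client carries the tag
rpz:
    name: "family.rpz.example"                      # assumed zone name; use your feed's
    url: "https://rpz.example/family.rpz"           # assumed feed URL
    zonefile: "/var/lib/unbound/family.rpz"
    tags: "family"                                  # policy applies only to tagged clients
    rpz-log: yes
    rpz-log-name: "family"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
```

Two practical notes. The REDIRECT rule in the question only catches UDP/53; DNS also runs over TCP (truncated answers, large responses), so the TCP twin above is needed or the child device will still reach the open resolver for those queries. None of these options stops a device from bypassing the resolver altogether via DNS over TLS (tcp/853), DNS over HTTPS (tcp/443) or a hard-coded third-party resolver; if that matters, block those paths in the firewall as well. RPZ (option 3) needs Unbound 1.10 or later.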

gthess commented 1 year ago

Closing as inactive non-issue.