Hi,

On 03/06/18 19:17, Ict Security via Unbound-users wrote:
> Hi all,
>
> I have defined access control for a specific class of IPs and
> everything is working fine, both for recursive and private class
> requests.
>
> Now, I would like to define a static zone and grant everyone (public)
> to query *only* this zone, without allowing recursion.

Yes, there are two access-control types for that from the
access-control statement. The deny_non_local allows requests to
local-zones (and auth-zones with for-downstream: yes) and drops
recursion requests. The refuse_non_local sends an rcode REFUSED message
instead of dropping disallowed requests.

Just set everyone with an access-control statement. Access-control
statements are applied with the most-specific, so that if you give a /8
deny_non_local and another /24 allow, then the /24 is allowed
everything and everyone else only the local-zone and for-downstream
auth-zone information. Or give a /0. You would need a 0.0.0.0/0 for IP4
and a ::0/0 for IP6 to cover everyone. You can also carve out more
specific subnets and disallow with access-control type 'deny' that
drops messages from them.

Note that this would allow access to all the local-zones and auth-zones
for-downstream, and not just that specific zone. Something that you can
fix, in this case, if you want to, by putting the local-zone in a view
for everyone and putting local-zones for the specific group in another
view. And then use the access-control-view statement. Or tag the
local-zone and use the access-control-tag statement.

Best regards, Wouter

>
> Is it possible?
> Thank you
>
> F
>
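The setup described in the reply above, written out as an unbound.conf sketch. This is an added example, not part of the original message and not the Unbound project's own configuration; the netblocks (192.0.2.0/24, 198.51.100.0/24), the view names and the zone names and records are placeholders chosen for illustration.

```conf
# Added example: all netblocks, view names and zone data are placeholders.
server:
    # Everyone: answer only from local-zones (and auth-zones with
    # for-downstream: yes). A query that would need recursion gets
    # rcode REFUSED. Use deny_non_local to drop such queries instead.
    access-control: 0.0.0.0/0 refuse_non_local
    access-control: ::0/0 refuse_non_local

    # The most specific netblock wins, so this group keeps full
    # access, recursion included.
    access-control: 192.0.2.0/24 allow

    # Optional carve-out: drop every message from this netblock.
    access-control: 198.51.100.0/24 deny

    # Choose which local-zones each group is answered from, so the
    # public does not see the zones meant for the specific group.
    access-control-view: 0.0.0.0/0 "public"
    access-control-view: ::0/0 "public"
    access-control-view: 192.0.2.0/24 "internal"

view:
    name: "public"
    # no: do not fall back to local-zones defined under server:
    view-first: no
    local-zone: "public.example." static
    local-data: "www.public.example. IN A 203.0.113.10"

view:
    name: "internal"
    view-first: no
    local-zone: "corp.example." static
    local-data: "intranet.corp.example. IN A 192.0.2.10"
```

Running unbound-checkconf on the file validates the syntax before the server is reloaded.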
