Differences

This shows you the differences between two versions of the page.

--- networking:dns:unbound:configure_access [2020/12/08 09:28] – peter
+++ networking:dns:unbound:configure_access [2022/10/08 09:09] (current) – peter
@@ Line 31: / Line 31: @@
   * **refuse** - Polite error reply.
   * **allow** - Recursive ok.
-  * **allow_setrd** - Rrecursive ok, rd bit is forced on.
+  * **allow_setrd** - Recursive ok, rd bit is forced on.
   * **allow_snoop** - Recursive and non-recursive ok.
   * **deny_non_local** - Drop queries unless can be answered from local-data.
@@ Line 44: / Line 44: @@
 The first one is that a DNS server may be used as part of a denial of service attack.
-A common technique is to send queries with spoofed IP addresses to exposed recursive DNS servers, which will send their responses to what they think is the computer that made the query in the first place.  In practice, it means that an attacker can ask the recursive server for a DNS record using a fake IP, and the owner of the IP address that was faked will get the response. This means that an evil entity can force a recursive server to flood a victim with DNS responses and therefore use the server as a proxy for a denial of service attack.
+  * A common technique is to send queries with spoofed IP addresses to exposed recursive DNS servers, which will send their responses to what they think is the computer that made the query in the first place.
+  * In practice, it means that an attacker can ask the recursive server for a DNS record using a fake IP, and the owner of the IP address that was faked will get the response.
+  * This means that an evil entity can force a recursive server to flood a victim with DNS responses and therefore use the server as a proxy for a denial of service attack.
-Another reason is that a local DNS server might contain sensitive DNS entries that are not intended to be known by outsiders.  If you are using a local zone for naming local resources, such as printers, cameras, and NAS servers, it is better to have that information protected from outsiders.
+Another reason is that a local DNS server might contain sensitive DNS entries that are not intended to be known by outsiders.
-In addition to the Unbound configuration presented here, it is a good idea to block access to your DNS server by using appropriate firewall rules. DNS servers listen for queries at port 53 and may support both UDP and TCP.
+  * If you are using a local zone for naming local resources, such as printers, cameras, and NAS servers, it is better to have that information protected from outsiders.
+In addition to the Unbound configuration presented here, it is a good idea to block access to your DNS server by using appropriate firewall rules.
+  * DNS servers listen for queries at port 53 and may support both UDP and TCP.
 The **access-control** directives are self-explanatory.
 </WRAP>
-----
-===== Further example =====
 ----
@@ Line 62: / Line 64: @@
 ===== Tag access-control =====
-Tag **access-control** with a list of tags. (in "" with spaces between).
+Tag **access-control** with a list of tags (in "" with spaces between).
 Clients using this access control element use localzones that are tagged with one of these tags.
@@ Line 99: / Line 101: @@
 access-control-view: 192.0.2.0/24 viewname
 </code>
+----
+===== References =====
+https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/