NOTE: By default everything is refused, except for localhost.

Options include:

• deny - Drop message.
• refuse - Polite error reply.
• allow - Recursive ok.
• allow_setrd - Recursive ok, rd bit is forced on.
• allow_snoop - Recursive and non-recursive ok.
• deny_non_local - Drop queries unless can be answered from local-data.
• refuse_non_local - Like deny_non_local but polite error reply.

NOTE: There are many good reasons for restricting access to your DNS server.

The first one is that a DNS server may be used as part of a denial of service attack.

• A common technique is to send queries with spoofed IP addresses to exposed recursive DNS servers, which will send their responses to what they think is the computer that made the query in the first place.
• In practice, it means that an attacker can ask the recursive server for a DNS record using a fake IP, and the owner of the IP address that was faked will get the response.
• This means that an evil entity can force a recursive server to flood a victim with DNS responses and therefore use the server as a proxy for a denial of service attack.

Another reason is that a local DNS server might contain sensitive DNS entries that are not intended to be known by outsiders.

• If you are using a local zone for naming local resources, such as printers, cameras, and NAS servers, it is better to have that information protected from outsiders.

In addition to the Unbound configuration presented here, it is a good idea to block access to your DNS server by using appropriate firewall rules.

• DNS servers listen for queries at port 53 and may support both UDP and TCP.

The access-control directives are self-explanatory.