Description:
Currently, Unbound’s access-control-view and tag assignments operate solely based on the source IP address of incoming DNS queries. This behavior limits the ability to apply different policies or views for clients where ECS (EDNS Client Subnet) data is present in the query.
It would be highly beneficial to introduce functionality that allows access-control-view and tag assignments to consider ECS data when present. This enhancement would enable more granular policy enforcement for DNS queries, especially in scenarios where clients communicate through public IPs, but ECS data reflects their private subnet.
Key Benefits:
1. Improved Policy Control: By considering ECS data, Unbound could dynamically apply views or tags based on the client’s private subnet (e.g., internal users behind NAT).
2. Enhanced Use of RPZ: This feature would allow Response Policy Zones (RPZ) or other filtering mechanisms to better align with ECS data.
3. Flexible Network Scenarios: Supports more complex network environments where source IP alone is not sufficient to determine policies.
Proposed Implementation:
1. Extend access-control-view to include optional ECS-aware logic.
• If ECS data is present, prioritize it for view assignment.
• Fall back to the source IP if no ECS data is provided.
2. Allow tag and tag-actions to utilize ECS data for conditional assignments.
• Introduce a new configuration option (e.g., ecs-access-control) for enabling this feature.
3. Include a configuration flag to toggle ECS consideration for these features, ensuring backward compatibility.
Use Case Example:
In a corporate environment, clients from private subnets (e.g., 10.0.0.0/8) access DNS resolvers via public NAT IPs. By embedding ECS data, Unbound could:
• Apply private network views (view_private) for these queries based on ECS.
• Assign tags like internal_user for targeted filtering or response policies.
This enhancement would significantly expand Unbound’s flexibility in modern network environments where ECS data is increasingly used for client-specific DNS resolution.
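A worked illustration of the proposed selection order, added here as example code and not anything from Unbound: it decodes the EDNS Client Subnet option body (RFC 7871) and does a longest-prefix match against access-control-view style entries, trying the ECS subnet first when a hypothetical `ecs_access_control` flag (named after the option suggested above) is on, and falling back to the source IP otherwise. The view names, the ACL dict and the sample option bytes are constructed for this example.

```python
import ipaddress
import struct
from typing import Dict, Optional

def parse_ecs_option(option_data: bytes):
    """Decode an ECS option body (FAMILY, SOURCE PREFIX-LENGTH, SCOPE, ADDRESS); None if malformed."""
    if len(option_data) < 4:
        return None
    family, source_len, _scope_len = struct.unpack("!HBB", option_data[:4])
    addr = option_data[4:]
    if family == 1:
        size, net_cls = 4, ipaddress.IPv4Network
    elif family == 2:
        size, net_cls = 16, ipaddress.IPv6Network
    else:
        return None
    # RFC 7871: ADDRESS is truncated to ceil(SOURCE PREFIX-LENGTH / 8) octets
    if source_len > size * 8 or len(addr) != (source_len + 7) // 8:
        return None
    try:  # strict=True rejects non-zero bits beyond the prefix, which the RFC forbids
        return net_cls((addr + b"\x00" * (size - len(addr)), source_len), strict=True)
    except ValueError:
        return None

def select_view(source_ip: str, ecs_option: Optional[bytes],
                acl_views: Dict[str, str], ecs_access_control: bool = False) -> Optional[str]:
    """Longest-prefix match against access-control-view entries. With the hypothetical
    ecs_access_control flag on and a usable ECS option, the ECS subnet is tried first;
    otherwise, or if nothing matches it, the query's source IP decides."""
    candidates = []
    if ecs_access_control and ecs_option is not None:
        ecs_net = parse_ecs_option(ecs_option)
        if ecs_net is not None:
            candidates.append(ecs_net)
    candidates.append(ipaddress.ip_network(source_ip))
    for client_net in candidates:
        best = None
        for prefix, view in acl_views.items():
            acl_net = ipaddress.ip_network(prefix)
            if acl_net.version == client_net.version and client_net.subnet_of(acl_net):
                if best is None or acl_net.prefixlen > best[0].prefixlen:
                    best = (acl_net, view)
        if best is not None:
            return best[1]
    return None

# Constructed sample: a query arriving from a public NAT address that carries ECS 10.1.2.0/24
ACL_VIEWS = {"10.0.0.0/8": "view_private", "0.0.0.0/0": "view_public"}
SAMPLE_ECS = struct.pack("!HBB", 1, 24, 0) + bytes([10, 1, 2])  # FAMILY=1, SOURCE=24, SCOPE=0
```

Because the ECS option is written by the client or an intermediate forwarder, a deployment would normally only honour it for source addresses that access-control already permits; the fallback order above keeps source-IP policy in force whenever the option is absent or malformed.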
References:
• Related GitHub issue: #573.