unbound: responses based on requesting address
We have a specific use-case where requests to our DNS resolver should be answered dependent on the address of the requesting client. Somehow, unbound was giving me hard time when trying to implement that. After asking for help on the unbound-users mailing list, the necessary configuration got much clearer.
So here is a config snippet (which works) for our use case. There are two networks (sued and west) which unbound is serving. Each of them has a specific tag within the configuration file.
server:
define-tag: "sued west"
Two zones (node.ffhh and knoten.ffhh) are defined which should be handled differently depending on the network from which the request originated. Both tags are assigned to both zones.
local-zone: "node.ffhh." redirect
local-zone-tag: "node.ffhh." "sued west"
local-zone: "knoten.ffhh." redirect
local-zone-tag: "knoten.ffhh." "sued west"
For each tag the corresponding networks are defined (IPv4 and IPv6).
access-control-tag: 10.112.64.0/19 "sued"
access-control-tag: 10.112.96.0/19 "west"
access-control-tag: 2a03:2267:1::/48 "sued"
access-control-tag: 2a03:2267:2::/48 "west"
Afterwards, the ressource records served to the clients in the two networks are defined. This now happens for both zones at the same time, which was a little bit confusing for me at the beginning. So one could say that ressource records are assigned to tags, not to zones.
access-control-tag-data: 10.112.64.0/19 "sued" "AAAA 2a03:2267:1::1"
access-control-tag-data: 10.112.64.0/19 "sued" "A 10.112.64.1"
access-control-tag-data: 10.112.96.0/19 "west" "AAAA 2a03:2267:2::1"
access-control-tag-data: 10.112.96.0/19 "west" "A 10.112.96.1"
access-control-tag-data: 2a03:2267:1::/48 "sued" "AAAA 2a03:2267:1::1"
access-control-tag-data: 2a03:2267:1::/48 "sued" "A 10.112.64.1"
access-control-tag-data: 2a03:2267:2::/48 "west" "AAAA 2a03:2267:2::1"
access-control-tag-data: 2a03:2267:2::/48 "west" "A 10.112.96.1"
Depending on your use case the redirect type at the beginning is not the best choice. Consult the unbound documentation for further types.