--- /dev/null
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _config-views:
+
+Views and ACLs
+==============
+
+Views allow to match clients based on source subnets, e.g. "who asked the query".
+This allows you to achieve access control, personalized blacklists and filters based on where a DNS request came from.
+
+Views allow you to combine query source information with other policy rules using :ref:`tags <config-policy-new-tags>`.
+
+The :option:`views <views: <list>>` defines a list of rules. For each request, the resolver chooses the rule with the most specific subnet matching the client's address (at most one rule may be chosen).
+Such a rule may tell the resolver to refuse to answer, set some additional options, or choose which groups of content rules would apply (see :ref:`tags <config-policy-new-tags>`).
+
+.. option:: views: <list>
+
+ .. option:: subnets: <list of subnets>
+
+ Identifies the client based on his subnet.
+
+ .. option:: tags: <list of tags>
+
+ Tags to link view with other policy. Read more about tags :ref:`here <config-policy-new-tags>`.
+
+ .. option:: answer: allow|refused|noanswer
+
+ Optional, direct approach how to handle request from clients identified by a view.
+
+ * **allow** - Clients query resolution is allowed.
+ * **refused** - Terminate query resolution and return REFUSED to the requestor.
+ * **noanswer** - Terminate query resolution and do not return any answer to the requestor.
+
+ .. warning::
+
+ During normal operation, an answer should always be returned.
+ Deliberate query drops are indistinguishable from packet loss and may cause problems as described in :rfc:`8906`.
+ Only use **noanswer** on very specific occasions, e.g. as a defense mechanism during an attack, and prefer other actions (e.g. **refused**) for normal operation.
+
+ .. option:: options:
+
+ Specific options for clients identified by the view.
+
+ .. option:: minimize: true|false
+
+ Send minimum amount of information in recursive queries to enhance privacy.
+
+ .. option:: dns64: true|false
+
+ Enable/disable DNS64.
+
+.. code-block:: yaml
+
+ views:
+ # only allow answering to specific subnets
+ - subnets: [ 0.0.0.0/0, "::/0" ] # words starting with :: need quoting
+ answer: refused
+ - subnets: [ 10.0.10.0/24, 127.0.0.1, "::1" ]
+ answer: allow
+
+.. code-block:: yaml
+
+ views:
+ - subnets: [ 2001:db8:1::/56 ]
+ tags: [ malware localnames ]
+ options:
+ dns64: true
+
+.. _RPZ: https://dnsrpz.info/