Filter out AAAA DNS responses

November 7, 2020

TL;DR: with RPZ (Response Policy Zones) we can hide AAAA records while preserving all other records for the same name

For those looking for a way to filter out AAAA records in their local caching DNS server, here is my unbound snippet for a single IPv6 address:

$ cat /etc/unbound/rpz.home
$ORIGIN rpz.home.
;; Response-IP trigger: fires when an answer contains 2607:fcc0:4:ffff::4.
;; Encoding: <prefixlen>.<address words in reverse order, "::" written as zz>.rpz-ip
;; Action "CNAME *." means NODATA: the name still exists, so the A record is
;; untouched; "CNAME ." would be NXDOMAIN and make the whole name fail to resolve.
128.4.zz.ffff.4.fcc0.2607.rpz-ip CNAME *.

$ cat /etc/unbound/unbound.conf
server:
    ... usual configuration goes here
    # the respip module is required for RPZ response-IP triggers
    module-config: "respip validator iterator"

rpz:
    name: rpz.home.
    zonefile: /etc/unbound/rpz.home

The resolver now hides the IPv6 address and returns only the IPv4 one:

$ dig AAAA @      21599   IN      AAAA    2607:fcc0:4:ffff::4
# asked directly at another server: the AAAA record exists
$ dig AAAA | fgrep AAAA
# asked through the local unbound: nothing, the AAAA answer is NODATA

$ dig A @      21599   IN      A
$ dig A      20091   IN      A
# the A record is returned both ways

Whole prefixes work as well: use a shorter prefix length in the rpz-ip trigger (for example /64 instead of /128) and every address inside it is hidden.
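The rpz-ip encoding and the reason the A record survives can both be checked offline. The following Python is an added example, not code from this post or from unbound: it builds the trigger name for any IPv4 or IPv6 prefix, renders an RPZ zone in the layout of the rpz.home file above, and models response-IP matching to show that only answers carrying a blocked address are rewritten. The zone origin, the SOA/NS placeholder names and the sample answers (host.example., 203.0.113.10) are constructed assumptions; only the 2607:fcc0:4:ffff::4 address comes from the post.

```python
"""Added example (not from the original post): build unbound RPZ
response-IP triggers that turn answers carrying a given address into
NODATA, and model why A answers for the same name stay intact.
Zone origin, SOA/NS names and sample answers below are assumptions."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# RPZ policy actions and the CNAME target that encodes each of them.
ACTIONS = {
    "NXDOMAIN": ".",              # the whole name does not exist
    "NODATA": "*.",               # name exists, but no records of this type
    "PASSTHRU": "rpz-passthru.",  # explicitly exempt from the policy
}


def rpz_ip_trigger(prefix: str) -> str:
    """Encode an IP prefix as an RPZ response-IP trigger owner name.

    Layout: <prefixlen>.<address words in reverse order>.rpz-ip, leading
    zeros dropped from each word and '::' written as the label 'zz'.
    ipaddress yields the RFC 5952 compressed form, which places '::'
    exactly where RPZ expects the 'zz' label.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        return f"{net.prefixlen}.{'.'.join(reversed(octets))}.rpz-ip"
    head, sep, tail = net.network_address.compressed.partition("::")
    head_words = [w for w in head.split(":") if w]
    tail_words = [w for w in tail.split(":") if w]
    labels = list(reversed(tail_words))
    if sep:
        labels.append("zz")
    labels.extend(reversed(head_words))
    return f"{net.prefixlen}.{'.'.join(labels)}.rpz-ip"


def rpz_zone(origin: str, triggers: Sequence[Tuple[str, str]]) -> str:
    """Render an RPZ zone file with one response-IP trigger per (prefix, action)."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        # SOA and NS are required by the RPZ spec; localhost. is a placeholder.
        f"@ IN SOA localhost. hostmaster.{origin} 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for prefix, action in triggers:
        lines.append(f";; {prefix} -> {action}")
        lines.append(f"{rpz_ip_trigger(prefix)} CNAME {ACTIONS[action]}")
    return "\n".join(lines) + "\n"


def compile_policies(triggers: Sequence[Tuple[str, str]]) -> List[tuple]:
    """Parse (prefix, action) pairs once so matching is cheap."""
    return [(ipaddress.ip_network(p, strict=False), a) for p, a in triggers]


def apply_response_ip_policy(answer: Sequence[Tuple[str, str, str]],
                             policies: Sequence[tuple]) -> Optional[str]:
    """Return the RPZ action if any A/AAAA rdata in the answer section falls
    inside a policy prefix, else None (the answer passes through unchanged).

    The trigger is on the addresses in the *response*, not on the name, so an
    A answer can never match an IPv6-only prefix: that is why the IPv4 record
    stays visible while the AAAA one is suppressed.
    """
    for _owner, rrtype, rdata in answer:
        if rrtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        for net, action in policies:
            if addr.version == net.version and addr in net:
                return action
    return None


# The IPv6 address is from the post; the name and IPv4 address are constructed.
POLICIES = compile_policies([("2607:fcc0:4:ffff::4/128", "NODATA")])
AAAA_ANSWER = [("host.example.", "AAAA", "2607:fcc0:4:ffff::4")]
A_ANSWER = [("host.example.", "A", "203.0.113.10")]

if __name__ == "__main__":
    print(rpz_zone("rpz.home.", [("2607:fcc0:4:ffff::4/128", "NODATA"),
                                 ("2607:fcc0:4:ffff::/64", "NODATA")]), end="")
    print(";; AAAA answer ->", apply_response_ip_policy(AAAA_ANSWER, POLICIES))
    print(";; A answer    ->", apply_response_ip_policy(A_ANSWER, POLICIES))
```

Running the script prints a zone with a /128 and a /64 trigger, then NODATA for the AAAA answer and None for the A answer. Two points worth keeping in mind: NODATA (CNAME *.) is the right action when only the AAAA should disappear, since NXDOMAIN (CNAME .) would make the whole name unresolvable; and a response-IP trigger applies to every client of the resolver, so it masks a broken IPv6 path rather than fixing it and should be scoped to the smallest prefix that covers the problem.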


The other day I tried to reach a service programmatically over its HTTP API and observed the traffic being blackholed. wget showed the same hang:

$ wget
--2020-09-19 09:24:22--
Resolving 2607:fcc0:4:ffff::4,
Connecting to|2607:fcc0:4:ffff::4|:80...
# hung up

$ wget -4
--2020-09-19 09:25:02--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
2020-09-19 09:25:03 (1.08 MB/s) - 'index.html' saved [13934]

As a workaround I added the AAAA response filtering described in the TL;DR locally, which unblocked the scripts.