Filtering IPv6 AAAA records?

Mark Andrews marka at isc.org
Tue Jul 24 23:56:52 UTC 2012


In message <CAEBgQMwhZkpsd=apJDZYdCg+5HMzqsW_UeFM2hgngczMjK0r_w at mail.gmail.com>
, Paul Reilly writes:
> Hello gurus,
> 
> Is it possible using the BIND resolver to filter out AAAA record replies to
> end clients?

BIND 9.10 has the following but we are not yet up to alpha release
state.

3327.   [func]          Added 'filter-aaaa-on-v6' option; this is similar
                        to 'filter-aaaa-on-v4' but applies to IPv6
                        connections.  (Use "configure --enable-filter-aaaa"
                        to enable this option.)  [RT #27308]

> Since Google added an IPv6 AAAA record, I'm having problems with some Macs
> trying to connect to Google on IPv6 instead of IPv4.
> We have a partial IPv6 network. IPv6 works internally, but outbound
> internet access is only permitted using IPv4.

One needs to ask "why?".  There are plenty of tunnel providers if
your ISP doesn't offer native IPv6, most of them are free, and there
are stateful IPv6 firewalls that can be configured to allow in only
reply traffic.

> However the Macs are seeing the IPv6 address for google.com, and trying to
> connect over IPv6 which eventually just times out.

Are your routers generating ICMPv6 unreachables?  Are you letting
them reach the clients?  You need to make the network behave as if
there is a down external IPv6 link and the router that is connected
to it is sending back unreachables.

> We don't have desktop control over our large Mac user base, so turning off
> IPv6 is not so easy.

Are your Macs running Lion?  It does a good job of moving traffic
to IPv4 if IPv6 is unreachable.

> I was thinking I could configure BIND to only return A records from
> google.com and not any AAAA records.
> 
> Is this possible?
> 
> Thanks
> Paul
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
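For readers who want to see what the option Mark refers to looks like in practice, the following named.conf fragment is an added example and not part of the original thread or of ISC's documentation. It shows the existing `filter-aaaa-on-v4` option (available only when named was built with `configure --enable-filter-aaaa`, as the changelog entry above says) together with the `filter-aaaa-on-v6` option that the entry describes for 9.10. The ACL name `lan-clients` and the address ranges in it are assumptions chosen for illustration.

```conf
// Added example, not from the original post. Requires a named built
// with "configure --enable-filter-aaaa"; without it, named will reject
// the filter-aaaa-* options at configuration load.

acl "lan-clients" {
    192.0.2.0/24;       // assumed IPv4 client range (documentation prefix)
    2001:db8:1::/48;    // assumed internal IPv6 range (documentation prefix)
};

options {
    directory "/var/named";

    // Limit the filtering to the clients that cannot reach the IPv6
    // Internet; everyone else keeps receiving complete answers.
    filter-aaaa { lan-clients; };

    // Strip AAAA records from answers sent to clients that queried
    // over IPv4. With "yes", AAAA RRsets that are DNSSEC-signed are
    // left intact when the client set the DO bit, so a validating
    // client still sees a consistent answer.
    filter-aaaa-on-v4 yes;

    // BIND 9.10 and later: the same behaviour for clients that
    // queried over IPv6 (this is the option from change 3327 above).
    filter-aaaa-on-v6 yes;

    // Alternative value "break-dnssec" removes AAAA records even from
    // signed answers. A validating stub or forwarder will then see an
    // answer that no longer matches its signatures, so only use it
    // where no downstream validation happens.
    // filter-aaaa-on-v4 break-dnssec;
};
```

Two points worth checking before relying on this: the option only changes what this resolver hands out, so a client that uses another resolver, a cached answer, or a hard-coded IPv6 literal still attempts IPv6; and, as the reply above notes, returning prompt ICMPv6 unreachables from the border router is what lets the hosts themselves fall back to IPv4 regardless of what DNS says.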
