use RPZ to override AAAA record

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Nov 7 09:05:31 UTC 2025


>>I maintain squid proxy server which (by default) disallows 
>>connecting to hosts in the linklocal network (I'd say standard 
>>security practice).
>>
>>We have problem with DNS name that has public IPv4 address but 
>>private IPv6:
>>
>>soratool.ch.            179     IN      A       160.85.67.44
>>soratool.ch.            168     IN      AAAA fe80::250:56ff:feaa:f5dc

On 06.11.25 17:22, Carlos Horowicz wrote:
>I think you can define a regular zone with this name, only if you know 
>ALL the RRs the zone has .... overriding only AAAA and leaving all 
>other RRs in the zone intact, maybe defining the AAAA inside an rpz 
>zone

Yes, overriding the zone at BIND level would require knowing all its 
contents, which is nearly impossible.

Overriding a single hostname in /etc/hosts seems easier, but the risk is not 
noticing when the destination address changes.


On 06.11.25 19:05, Evan Hunt wrote:
>I don't know a way to use RPZ in BIND to pass through the A responses from
>the original authority, but block AAAA. RPZ works on the level of the
>name, not the type.

I was under the impression that it works on the contents of the reply as well, so I 
could drop all replies pointing to the resulting IP range like this:

>>From what I found, it should be possible to drop IPv6 addresses in 
>>fe80::/10 by defining a response-IP trigger (rpz-ip, reversed address words):
>>
>>10.0.0.0.0.0.0.0.fe80.rpz-ip    CNAME    .

This should drop all responses to all queries pointing to linklocal address, 
correct?

>But, you could set up an RPZ that answers for soratool.ch, and only
>has an A record. Queries for AAAA (and any other type) would then get
>NODATA responses:

overriding this in the RPZ would mean that only "soratool.ch" would be 
rewritten, not anything under the domain, but I'd apparently have to 
replicate other records (SOA, NS, MX, TXT).

I guess it's better than configuring my own zone, but overriding in /etc/hosts 
would be easiest and have less overhead.


>Note that if they change their address at some point, you'll have to
>update the RPZ as well.

...which is exactly why I am searching for a way to modify/block one particular 
response using RPZ.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.
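The two approaches discussed in this thread, written out as an added example RPZ zone (not from the original post or from the BIND project); the zone name rpz.example and the SOA/NS placeholders are assumptions, the addresses are the ones quoted above. The first record is a response-IP trigger: BIND matches it against the A/AAAA addresses in the answer section, so an AAAA answer carrying an fe80::/10 address is rewritten while an A answer for the same name, which contains no matching address, passes through unchanged. The second (commented-out) record is the per-name local-data variant, which answers only the A type and has to be kept in sync by hand when the destination address changes.

```dns
; rpz.example - assumed zone name, loaded via
;   response-policy { zone "rpz.example"; };
; in named.conf (all other option values are BIND defaults).
$TTL 300
@                   IN  SOA  localhost. hostmaster.localhost. (
                             1        ; serial
                             3600     ; refresh
                             900      ; retry
                             604800   ; expire
                             300 )    ; negative-cache TTL
                    IN  NS   localhost.

; Response-IP trigger for fe80::/10. Owner name = prefix length, then the
; address words in reverse order with "zz" standing for "::", then rpz-ip.
; This is the same trigger as 10.0.0.0.0.0.0.0.fe80.rpz-ip written long-hand.
; Action "CNAME *." returns NODATA (empty answer) to the client;
; "CNAME ." would return NXDOMAIN instead.
; Matches any answer from any zone that contains a link-local address,
; so it needs no per-host maintenance when soratool.ch changes its records.
10.zz.fe80.rpz-ip   CNAME  *.

; Alternative: local data for the one name (only an A record).
; Queries for soratool.ch with any other type, AAAA included, get NODATA;
; names below soratool.ch are not affected and the A record must be
; updated here whenever the real zone changes it.
; soratool.ch         A      160.85.67.44
```

Check the file with `named-checkzone rpz.example /etc/bind/rpz.example` before reloading, then compare `dig @127.0.0.1 soratool.ch AAAA` (expect NOERROR with an empty answer) with `dig @127.0.0.1 soratool.ch A` (expect 160.85.67.44 as before); with the `rpz` logging category enabled, each rewrite is logged with the trigger that matched, which is the easiest way to confirm which of the two records fired.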
