use RPZ to override AAAA record
Ondřej Surý
ondrej at isc.org
Fri Nov 7 11:56:57 UTC 2025
This is just from the top of my head:
On the main resolver, define a forwarder just for soratool.ch and point it to an extra resolver under your control. That extra resolver would then use the filter-aaaa plugin to remove all AAAA addresses from responses.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
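A concrete named.conf rendering of the two-resolver split described above, added here as an illustration; it is not taken from the post or from ISC's documentation. The forwarder address 192.0.2.53 and the 192.0.2.0/24 client range are constructed placeholders, and the assumption is that the main resolver validates DNSSEC while the extra resolver runs BIND 9.14 or later with the filter-aaaa plugin available.

```conf
# --- main (client-facing) resolver: named.conf fragment ---
# Added example, not from the list post. 192.0.2.53 is a constructed
# placeholder for the address of the extra, AAAA-filtering resolver.
options {
    recursion yes;
    # If this resolver validates and soratool.ch is DNSSEC-signed,
    # an answer whose AAAA records were stripped will not validate.
    dnssec-validation auto;
};

# Only this one domain is handed to the filtering resolver; every
# other name is resolved normally, so no other zone is affected.
zone "soratool.ch" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

# --- extra resolver (192.0.2.53): named.conf fragment ---
# Load the filter-aaaa plugin shipped with BIND 9.14 and later.
plugin query "filter-aaaa.so" {
    # Strip AAAA records from answers sent to IPv4 and IPv6 clients.
    filter-aaaa-on-v4 yes;
    filter-aaaa-on-v6 yes;
    # Apply to every client of this resolver; it only ever receives
    # the soratool.ch queries forwarded by the main resolver.
    filter-aaaa { any; };
    # Default: AAAA records in DNSSEC-signed answers are left intact.
    # Setting yes strips them anyway, at the cost of breaking validation.
    break-dnssec no;
};

options {
    recursion yes;
    # Constructed: only the main resolver may recurse through this host.
    allow-recursion { 192.0.2.0/24; };
};
```

After reloading both servers, `dig AAAA soratool.ch @<main-resolver>` should return NOERROR with an empty answer section while `dig A soratool.ch @<main-resolver>` still returns the public IPv4 address. Because the filter acts on the response rather than on a copied zone, a later change to the A record at the authoritative side is picked up automatically, which is the gap in the /etc/hosts and RPZ approaches discussed further down. The DNSSEC caveat matters only if soratool.ch is signed: in that case the filtering resolver must set `break-dnssec yes`, and the main resolver then has to trust it rather than validate its answers for that zone.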
> On 7. 11. 2025, at 4:05, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>
>
>>
>>> I maintain a squid proxy server which (by default) disallows connecting to hosts in the link-local network (I'd say standard security practice).
>>>
>>> We have a problem with a DNS name that has a public IPv4 address but a private IPv6 address:
>>>
>>> soratool.ch. 179 IN A 160.85.67.44
>>> soratool.ch. 168 IN AAAA fe80::250:56ff:feaa:f5dc
>
>> On 06.11.25 17:22, Carlos Horowicz wrote:
>> I think you can define a regular zone with this name, only if you know ALL the RRs the zone has .... overriding only AAAA and leaving all other RRs in the zone intact, maybe defining the AAAA inside an rpz zone
>
> Yes, overriding the zone at BIND level would require knowing all its contents, which is nearly impossible.
>
> Overriding a single hostname in /etc/hosts seems easier, but the risk is not noticing when the destination address changes.
>
>
>> On 06.11.25 19:05, Evan Hunt wrote:
>> I don't know a way to use RPZ in BIND to pass through the A responses from
>> the original authority, but block AAAA. RPZ works on the level of the
>> name, not the type.
>
> I was under the impression that it works on the contents of the reply as well, so I could drop all replies pointing to the resulting IP range like this:
>
>>> From what I found, it should be possible to drop IPv6 addresses in fe80::/10 by defining
>>>
>>> 10.0.0.0.0.0.0.0.fe80.ns-ip CNAME .
>
> This should drop all responses to all queries pointing to a link-local address, correct?
>
>> But, you could set up an RPZ that answers for soratool.ch, and only
>> has an A record. Queries for AAAA (and any other type) would then get
>> NODATA responses:
>
> Overriding this in the RPZ would mean that only "soratool.ch" would be rewritten, not anything under the domain, but I'd apparently have to replicate the other records (SOA, NS, MX, TXT).
>
> I guess it's better than configuring my own zone, but overriding in /etc/hosts would be easiest and have less overhead.
>
>
>> Note that if they change their address at some point, you'll have to
>> update the RPZ as well.
>
> ...which is exactly why I am searching for a way to modify/block one particular response using RPZ
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Enter any 12-digit prime number to continue.