use RPZ to override AAAA record

Petr Menšík pemensik at redhat.com
Fri Nov 7 19:34:15 UTC 2025


If you are serious about this, dnsmasq can be used as a workaround. I 
think that is the only common tool which can override one record but 
does not act authoritatively for other records. Normal DNS resolvers won't 
allow it. I think you should not either.

Anyway, link-local addresses cannot work in normal unicast DNS, because 
they lack an interface specification. That is always needed for them.

# dnsmasq
listen-address=127.0.0.2
bind-interfaces
address=/soratool.ch/::
# other server than your bind to prevent loops
server=8.8.8.8

# named

zone "soratool.ch" {
     type forward;
     forwarders { 127.0.0.2; };
};

This is quite a hack, but it would allow you to do something with it. Not 
sure it is worth the trouble. If the owner does not want his site 
reliable, do you need to fix it for them?

Cheers,
Petr

On 06/11/2025 17:16, Matus UHLAR - fantomas wrote:
> Hello,
>
> I maintain a squid proxy server which (by default) disallows connecting 
> to hosts in the link-local network (I'd say standard security practice).
>
> We have a problem with a DNS name that has a public IPv4 address but a private 
> IPv6:
>
> soratool.ch.            179     IN      A       160.85.67.44
> soratool.ch.            168     IN      AAAA fe80::250:56ff:feaa:f5dc
>
> fe80::/10 is a link-local address first described in Feb 2006 in RFC 4291.
>
> Seems that the domain maintainer does not want to fix this (...)
>
> To make it work I can redefine the policy in the proxy server that 
> disables the rule banning link-local addresses to allow this particular 
> domain.
>
> However, I would prefer not to do this on proxy level.
>
> Is there a possibility to override the AAAA record using RPZ?
>
> From what I found, it should be possible to drop IPv6 addresses in 
> fe80::/10 by defining
>
> 10.0.0.0.0.0.0.0.fe80.ns-ip    CNAME    .
>
> which would drop all responses pointing to link-local addresses.
> Is that correct?
>
> Or, better, is it possible only to override AAAA for this particular 
> domain?
>
> Thanks
>
-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
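The question in the quoted mail is how an RPZ response-IP trigger for fe80::/10 would be spelled and what it would catch. The script below is an added example, not from either poster: it encodes a CIDR prefix into an rpz-ip trigger owner name (prefix length, reversed groups, "zz" for the "::" run), decodes it back, and evaluates a constructed policy against the two addresses from the thread. The zone name rpz.example is an assumption; "CNAME *." (NODATA) is used rather than "CNAME ." (NXDOMAIN) so the AAAA answer looks like a v4-only host instead of a name that does not exist. Note that an rpz-ip trigger matches the whole response containing that address, so here only AAAA responses are rewritten and the A answer is untouched.

```python
import ipaddress

ZONE = "rpz.example"  # constructed policy zone name, not from the thread


def rpz_ip_owner(cidr: str, zone: str = ZONE) -> str:
    """Encode a prefix as an RPZ response-IP trigger: <len>.<reversed addr>.rpz-ip.<zone>.
    IPv6 groups are reversed, leading zeros dropped, and the '::' run written as 'zz'."""
    net = ipaddress.ip_network(cidr, strict=True)
    text = str(net.network_address)
    if net.version == 4:
        labels = text.split(".")[::-1]
    elif "::" in text:
        left, right = text.split("::")
        labels = ([g for g in right.split(":") if g][::-1] + ["zz"]
                  + [g for g in left.split(":") if g][::-1])
    else:
        labels = text.split(":")[::-1]
    return f"{net.prefixlen}." + ".".join(labels) + f".rpz-ip.{zone}"


def decode_rpz_ip(owner: str, zone: str = ZONE):
    """Inverse of rpz_ip_owner: recover the ip_network a trigger covers."""
    suffix = f".rpz-ip.{zone}"
    if not owner.endswith(suffix):
        raise ValueError("not an rpz-ip trigger in this zone")
    plen, *rev = owner[: -len(suffix)].split(".")
    fwd = rev[::-1]
    if "zz" in fwd or len(fwd) == 8:  # IPv6; IPv4 always has exactly 4 decimal labels and no 'zz'
        if "zz" in fwd:
            i = fwd.index("zz")
            text = ":".join(fwd[:i]) + "::" + ":".join(fwd[i + 1:])
        else:
            text = ":".join(fwd)
    else:
        text = ".".join(fwd)
    return ipaddress.ip_network(f"{text}/{plen}", strict=False)


# Constructed policy: NODATA for any response carrying a link-local IPv6 address.
POLICY = {rpz_ip_owner("fe80::/10"): "CNAME *."}


def rpz_action_for_answer(answer_ip: str, policy: dict = POLICY, zone: str = ZONE):
    """Return the action a resolver would apply to a response containing answer_ip, or None."""
    addr = ipaddress.ip_address(answer_ip)
    for owner, action in policy.items():
        if addr in decode_rpz_ip(owner, zone):
            return action
    return None


if __name__ == "__main__":
    print(POLICY)
    for ip in ("fe80::250:56ff:feaa:f5dc", "160.85.67.44", "2001:db8::1"):
        print(ip, "->", rpz_action_for_answer(ip))
```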