use RPZ to override AAAA record
Crist Clark
cjc+bind-users at pumpky.net
Fri Nov 7 20:52:54 UTC 2025
I still don't understand why an RPZ entry of

10.zz.fe80. IN CNAME *.

doesn't work for you. Is there a reason you just want to block IPv6 LL
addresses for this domain but allow them for others?
With that line in an RPZ,
$ dig @192.168.64.80 soratool.ch
; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56119
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;soratool.ch. IN A
;; ANSWER SECTION:
soratool.ch. 300 IN A 160.85.67.44
;; Query time: 172 msec
;; SERVER: 192.168.64.80#53(192.168.64.80)
;; WHEN: Fri Nov 07 12:51:20 PST 2025
;; MSG SIZE rcvd: 56
$ dig @192.168.64.80 soratool.ch aaaa
; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65271
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;soratool.ch. IN AAAA
;; ADDITIONAL SECTION:
rpz. 1 IN SOA localhost. nobody.localhost. 43 86400 43200 604800 10800
;; Query time: 174 msec
;; SERVER: 192.168.64.80#53(192.168.64.80)
;; WHEN: Fri Nov 07 12:51:24 PST 2025
;; MSG SIZE rcvd: 95
On Fri, Nov 7, 2025 at 11:34 AM Petr Menšík via bind-users <bind-users at lists.isc.org> wrote:
> If you are serious about this, dnsmasq can be used as a workaround. I
> think that is the only common tool which can override one record but
> does not act authoritative for other records. Normal DNS resolvers won't
> allow it. I think you should not either.
>
> Anyway, link-local addresses cannot work in normal unicast DNS, because
> they lack an interface specification. That is always needed for them.
>
> # dnsmasq
> listen-address=127.0.0.2
> bind-interfaces
> address=/soratool.ch/::
> # other server than your bind to prevent loops
> server=8.8.8.8
>
> # named
>
> zone "soratool.ch" {
> type forward;
> forwarders { 127.0.0.2; };
> };
>
> This is quite a hack, but would allow you to do something with it. Not
> sure it is worth the trouble. If the owner does not want his site to be
> reliable, do you need to fix it for them?
>
> Cheers,
> Petr
>
> On 06/11/2025 17:16, Matus UHLAR - fantomas wrote:
> > Hello,
> >
> > I maintain a squid proxy server which (by default) disallows connecting
> > to hosts in the link-local network (I'd say standard security practice).
> >
> > We have a problem with a DNS name that has a public IPv4 address but a
> > private IPv6 address:
> >
> > soratool.ch. 179 IN A 160.85.67.44
> > soratool.ch. 168 IN AAAA fe80::250:56ff:feaa:f5dc
> >
> > fe80::/10 is the link-local address range, first described in Feb 2006 in RFC 4291.
> >
> > Seems that the domain maintainer does not want to fix this (...)
> >
> > To make it work I can redefine the policy in the proxy server that
> > disables the rule banning link-local addresses, to allow this particular
> > domain.
> >
> > However, I would prefer not to do this on proxy level.
> >
> > Is there a possibility to override the AAAA record using RPZ?
> >
> > From what I found, it should be possible to drop IPv6 addresses in
> > fe80::/10 by defining
> >
> > 10.0.0.0.0.0.0.0.fe80.ns-ip CNAME .
> >
> > which would drop all responses pointing to linklocal address.
> > Is that correct?
> >
> > Or, better, is it possible only to override AAAA for this particular
> > domain?
> >
> > Thanks
> >
> --
> Petr Menšík
> Senior Software Engineer, RHEL
> Red Hat, https://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
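As an added example (not code from this thread or from BIND), a small Python helper that encodes a prefix into the rpz-ip owner-name form discussed above and decodes such a name back, so you can check whether the `10.zz.fe80` and `10.0.0.0.0.0.0.0.fe80` spellings cover a given answer address. It follows the rpz-ip encoding from the RPZ specification (prefix length, then the address words in reverse order, `zz` standing in for the `::` run of zero words); the function names and the set of trigger labels it strips are my assumptions.

```python
import ipaddress

# Address-trigger labels from the RPZ specification that may follow the address part.
TRIGGER_LABELS = {"rpz-ip", "rpz-client-ip", "rpz-nsip"}

def rpz_ip_owner(prefix: str, trigger: str = "rpz-ip") -> str:
    """Encode a prefix as an RPZ IP-trigger owner name: IPv4 is prefixlen.B4.B3.B2.B1,
    IPv6 is prefixlen.W8...W1 with 'zz' for the '::' run of zero words (10.zz.fe80)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        text = net.network_address.compressed       # RFC 5952 text, e.g. 'fe80::'
        head, sep, tail = text.partition("::")
        words = head.split(":") if head else []
        if sep:                                     # '::' becomes a single 'zz' label
            words += ["zz"] + (tail.split(":") if tail else [])
    return f"{net.prefixlen}." + ".".join(reversed(words)) + f".{trigger}"

def rpz_ip_prefix(owner: str):
    """Decode an RPZ IP-trigger owner name (relative or with trigger and zone suffix,
    'zz'-compressed or written out in full) back into an ip_network."""
    labels = owner.rstrip(".").split(".")
    for i, label in enumerate(labels):              # drop 'rpz-ip.rpz.' and the like
        if label in TRIGGER_LABELS:
            labels = labels[:i]
            break
    plen, words = int(labels[0]), list(reversed(labels[1:]))
    if len(words) == 4 and "zz" not in words:       # IPv4 trigger
        return ipaddress.ip_network(".".join(words) + f"/{plen}", strict=False)
    if "zz" in words:                               # expand 'zz' back into '::'
        cut = words.index("zz")
        text = ":".join(words[:cut]) + "::" + ":".join(words[cut + 1:])
    else:
        text = ":".join(words)
    return ipaddress.ip_network(text + f"/{plen}", strict=False)

def answer_hits_trigger(owner: str, address: str) -> bool:
    """True if an address in a response falls inside the given rpz-ip trigger."""
    return ipaddress.ip_address(address) in rpz_ip_prefix(owner)

if __name__ == "__main__":
    # Both spellings from the thread encode fe80::/10; the AAAA answer is inside it, the A answer is not.
    print(rpz_ip_owner("fe80::/10"))                                         # 10.zz.fe80.rpz-ip
    print(rpz_ip_prefix("10.0.0.0.0.0.0.0.fe80.rpz-ip"))                      # fe80::/10
    print(answer_hits_trigger("10.zz.fe80.", "fe80::250:56ff:feaa:f5dc"))    # True
    print(answer_hits_trigger("10.zz.fe80.", "160.85.67.44"))                # False
```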