use RPZ to override AAAA record
Lee
ler762 at gmail.com
Sat Nov 8 00:11:02 UTC 2025
On Fri, Nov 7, 2025 at 3:53 PM Crist Clark wrote:
>
> I still don't understand why an RPZ entry of,
>
> 10.zz.fe80. IN CNAME *.
>
> Doesn't work for you.
First
>> DiG 9.10.6
are you really running a 9.10 version of bind?!
second,
because it's missing rpz-ip?
I've got
; return NXDOMAIN for any ipv6 link local address answer
10.zz.fe80.rpz-ip CNAME . ; FE80::/10
and it doesn't work for me :(
$ dig soratool.ch aaaa
; <<>> DiG 9.18.41-1~deb12u1-Debian <<>> soratool.ch aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35871
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
; COOKIE: a24ad4c2a4633a7801000000690e8893a1267aed45545fe0 (good)
;; QUESTION SECTION:
;soratool.ch. IN AAAA
;; ANSWER SECTION:
soratool.ch. 300 IN AAAA fe80::250:56ff:feaa:f5dc
;; Query time: 108 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 07 19:02:27 EST 2025
;; MSG SIZE rcvd: 96
& just for chuckles I tried
10.zz.fe80.rpz-ip CNAME .
and that didn't block it either.
> Is there a reason you just want to block IPv6 LL addresses for this domain but allow for others?
I'd rather block _all_ link local addresses except for the ones that I
whitelist ... which works for me with ipv4:
; return NXDOMAIN for any 127.0.0.0/8 answers
; exceptions:
onea.net-snmp.org CNAME rpz-passthru.
twoa.net-snmp.org CNAME rpz-passthru.
localhost CNAME rpz-passthru.
*.localhost CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
; 7f000001.c7f11de3.rbndr.us
; should alternate between 199.241.29.227 (allowed) and 127.0.0.1 (NXDOMAIN)
; ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=1471&desc=3
it'd be nice if I could get it working with ipv6
Regards
Lee
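A helper for the rpz-ip encoding discussed above, added here as an example (not code from the thread or from BIND): it turns a CIDR prefix into the trigger owner name following the BIND ARM rule (prefix length first, then the address labels in reverse order, with "::" written as "zz") and decodes such names back, rejecting a name that lacks the rpz-ip suffix such as the "10.zz.fe80." quoted above. One check worth making against the dig output above: the ad flag is set, and BIND leaves DNSSEC-validated answers unrewritten by RPZ unless the response-policy statement includes break-dnssec yes.

```python
"""Encode and decode BIND RPZ rpz-ip trigger names (added example, not from the thread)."""
import ipaddress


def rpz_ip_owner(prefix: str, zone: str = "rpz-ip") -> str:
    """CIDR prefix -> RPZ owner name: <prefixlen>.<reversed address labels>.<zone>.

    IPv6 uses the RFC 5952 compressed text form (as ipaddress prints it),
    with the '::' run written as the single label 'zz'.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        left, sep, right = net.network_address.compressed.partition("::")
        labels = [g for g in left.split(":") if g]
        if sep:  # a '::' was present: it becomes the label 'zz'
            labels += ["zz"] + [g for g in right.split(":") if g]
    labels.reverse()
    return ".".join([str(net.prefixlen), *labels, zone])


def rpz_ip_prefix(owner: str, zone: str = "rpz-ip"):
    """RPZ owner name -> ip_network. Raises ValueError for a name BIND would
    not treat as an rpz-ip trigger, e.g. one missing the rpz-ip suffix."""
    labels = owner.rstrip(".").split(".")
    suffix = zone.split(".")
    if labels[-len(suffix):] != suffix:
        raise ValueError(f"{owner!r}: no .{zone} suffix, so it is a QNAME trigger")
    plen, *addr = labels[:-len(suffix)]
    addr.reverse()  # back to normal address order
    if "zz" in addr or len(addr) == 8:
        if "zz" in addr:
            i = addr.index("zz")
            text = ":".join(addr[:i]) + "::" + ":".join(addr[i + 1:])
        else:
            text = ":".join(addr)
    elif len(addr) == 4:
        text = ".".join(addr)
    else:
        raise ValueError(f"{owner!r}: not an rpz-ip encoding")
    return ipaddress.ip_network(f"{text}/{plen}", strict=True)


def nxdomain_rule(prefix: str) -> str:
    """One zone line in the style used in the post: CNAME . returns NXDOMAIN."""
    return f"{rpz_ip_owner(prefix)} CNAME . ; {prefix}"
```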