use RPZ to override AAAA record
Matus UHLAR - fantomas
uhlar at fantomas.sk
Fri Nov 14 14:34:44 UTC 2025
On 07.11.25 12:52, Crist Clark wrote:
>I still don't understand why an RPZ entry of,
>
>10.zz.fe80. IN CNAME *.
>
>Doesn't work for you.
I was asking if it's supposed to work and if it can be restricted only to
work for specified domains.
I assume it's safe to test this, perhaps outta working time.
> Is there a reason you just want to block IPv6 LL
>addresses for this domain but allow for others?
I found that to be a better solution especially if the client decides to use
link-local addresses in the local network.
But perhaps a global ban of link-local destinations could be just fine.
>With that line in an RPZ,
>
>$ dig @192.168.64.80 soratool.ch
>
>; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56119
>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 1232
>;; QUESTION SECTION:
>;soratool.ch. IN A
>
>;; ANSWER SECTION:
>soratool.ch. 300 IN A 160.85.67.44
>
>;; Query time: 172 msec
>;; SERVER: 192.168.64.80#53(192.168.64.80)
>;; WHEN: Fri Nov 07 12:51:20 PST 2025
>;; MSG SIZE rcvd: 56
>
>$ dig @192.168.64.80 soratool.ch aaaa
>
>; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch aaaa
>; (1 server found)
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65271
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 1232
>;; QUESTION SECTION:
>;soratool.ch. IN AAAA
>
>;; ADDITIONAL SECTION:
>rpz. 1 IN SOA localhost. nobody.localhost. 43 86400 43200 604800 10800
>
>;; Query time: 174 msec
>;; SERVER: 192.168.64.80#53(192.168.64.80)
>;; WHEN: Fri Nov 07 12:51:24 PST 2025
>;; MSG SIZE rcvd: 95
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
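To make the encoding behind the `10.zz.fe80.` trigger in the thread concrete, here is an added example (mine, not code from this thread, from ISC or from BIND) that builds rpz-ip trigger names from CIDR prefixes and shows which AAAA answers an fe80::/10 rule would catch. It assumes the policy zone is named `rpz.` and follows the RPZ draft encoding: prefix length first, then the address groups in reverse order, with `::` written as the label `zz`; the sample answer addresses are constructed for the demonstration.

```python
"""Build an RPZ rpz-ip trigger for an address prefix and show which AAAA
answers such a rule matches. Added example for the bind-users thread
above; not code from the thread, from ISC or from BIND.
Assumptions: the policy zone is "rpz." and the owner-name encoding follows
draft-vixie-dnsop-dns-rpz (prefix length, reversed groups, "::" -> "zz")."""
import ipaddress
from typing import Iterable

RPZ_ZONE = "rpz."  # assumed policy zone name


def rpz_ip_trigger(prefix: str, zone: str = RPZ_ZONE) -> str:
    """Encode an IPv4 or IPv6 CIDR prefix as an rpz-ip trigger owner name."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        # IPv4: prefix length, then the octets reversed, e.g. 24.0.2.0.192
        parts = str(net.network_address).split(".")
    else:
        # IPv6: the compressed form drops leading zeros inside a group;
        # the "::" run becomes the single label "zz".
        text = net.network_address.compressed
        if "::" in text:
            left, right = text.split("::")
            parts = ([g for g in left.split(":") if g] + ["zz"]
                     + [g for g in right.split(":") if g])
        else:
            parts = text.split(":")
    return f"{net.prefixlen}." + ".".join(reversed(parts)) + f".rpz-ip.{zone}"


def rpz_nodata_record(prefix: str, zone: str = RPZ_ZONE) -> str:
    """Zone-file line for the NODATA action ('CNAME *.') on any response that
    carries an address inside the prefix."""
    return f"{rpz_ip_trigger(prefix, zone)} CNAME *."


def addresses_caught(prefix: str, answers: Iterable[str]) -> list:
    """Return the answer addresses an rpz-ip rule for `prefix` matches.
    The trigger is keyed on the answer address only; the query name plays
    no part, and addresses of the other IP version never match."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [a for a in answers if ipaddress.ip_address(a) in net]


if __name__ == "__main__":
    print(rpz_nodata_record("fe80::/10"))       # 10.zz.fe80.rpz-ip.rpz. CNAME *.
    print(rpz_nodata_record("2001:db8::1/128"))  # 128.1.zz.db8.2001.rpz-ip.rpz. CNAME *.
    # Constructed sample of answer addresses a resolver might see
    sample = ["fe80::1", "fe80::a00:27ff:fe4e:66a1", "2001:db8::1",
              "fec0::1", "160.85.67.44"]
    print(addresses_caught("fe80::/10", sample))  # only the two fe80:: answers
```

The record produced by `rpz_nodata_record` goes into the policy zone that named.conf references with `response-policy { zone "rpz."; };`. Because an rpz-ip trigger is keyed solely on the address in the answer, the rule fires for every query name whose AAAA answer falls in fe80::/10, which is why a per-domain restriction is not something this trigger type expresses on its own.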