Filter AAAA records within a specific zone
Daisuke HIGASHI
daisuke.higashi at gmail.com
Wed Jan 10 13:47:35 UTC 2018
Hi,
There seem to be two ways to mitigate the HE-Netflix issue with Unbound -
* * *
If you know all of Netflix's IPv6 address blocks, add these lines to unbound.conf:
server:
    private-address: 2406:da00:ff00::/48
    private-address: 2607:fb10::/32
    private-address: 2620:0:ef0::/48
    private-address: 2a00:86c0::/32
    private-address: 2620:108:700f::/48
    ....
This configuration removes NF's AAAA (IPv6) records from Unbound's answers.
* * *
To implement an AAAA filter for NF's domains,
you need to run two Unbound instances on your machine [1].
1. Start an Unbound instance which filters AAAA for
_all_ domains (listening on port 10053)
# unbound-aaaa-filter.conf
server:
    private-address: ::/0 # filters out all AAAA !
    port: 10053
    username: ""
    chroot: ""
2. Configure your main Unbound instance to forward Netflix queries
to the AAAA-filtered instance.
# unbound-main.conf
server:
    do-not-query-localhost: no
forward-zone:
    name: netflix.com
    forward-addr: 127.0.0.1@10053
forward-zone:
    name: nflximg.com
    forward-addr: 127.0.0.1@10053
forward-zone:
    name: nflxext.com
    forward-addr: 127.0.0.1@10053
....
[1] Essentially the same method as configuring BIND9's AAAA filter per domain:
https://serverfault.com/questions/826872/return-a-records-but-not-aaaa-records-on-specific-domain-in-bind9
--
Daisuke HIGASHI
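Added example, not part of the original message and not Unbound's own code: an offline model of the two knobs the post relies on. It reproduces the prefix-containment test behind `private-address:` so a candidate block list can be checked before deployment (which addresses it scrubs, which unrelated names it would also hit, which entries are already covered by a wider one), and it renders the forward-zone stanzas with the `addr@port` syntax Unbound expects (the archive mangled `@` into ` at `). The address blocks and zone names are the ones from the post; the sample answers and host names (2001:db8::/32, example.net) are constructed for the demonstration. Only the standard-library `ipaddress` module is assumed.

```python
"""Offline model of Unbound's private-address scrubbing and the
per-zone forwarding trick. Added example; not Unbound's code."""
import ipaddress
from typing import Dict, Iterable, List

# Prefixes copied from the post. Constructed list for this example,
# not an authoritative inventory of the service's address space.
NETFLIX_V6_BLOCKS = [
    "2406:da00:ff00::/48",
    "2607:fb10::/32",
    "2620:0:ef0::/48",
    "2a00:86c0::/32",
    "2620:108:700f::/48",
]

# Zones the post forwards to the filtering instance.
NETFLIX_ZONES = ["netflix.com", "nflximg.com", "nflxext.com"]


def parse_prefixes(prefixes: Iterable[str]):
    """Parse private-address values; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in prefixes]


def would_be_filtered(addr: str, prefixes: Iterable[str]) -> bool:
    """True if an answer record carrying `addr` falls inside a listed prefix.

    Unbound removes such records from answers; a v4 prefix never matches
    a v6 address and vice versa, so ::/0 leaves A records alone.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in parse_prefixes(prefixes)
               if net.version == ip.version)


def scrub_aaaa(answers: Iterable[str], prefixes: Iterable[str]) -> List[str]:
    """AAAA answers that survive the private-address filter."""
    return [a for a in answers if not would_be_filtered(a, prefixes)]


def collateral_damage(hosts: Dict[str, str], prefixes: Iterable[str]) -> List[str]:
    """Names whose unrelated AAAA would also be stripped by the same list.

    private-address is resolver-wide, which is why the post runs ::/0 in
    a second instance and forwards only the chosen zones to it.
    """
    return sorted(name for name, addr in hosts.items()
                  if would_be_filtered(addr, prefixes))


def redundant_prefixes(prefixes: Iterable[str]) -> List[str]:
    """Entries already covered by another entry in the same list."""
    raw = [p.strip() for p in prefixes]
    nets = parse_prefixes(raw)
    redundant = []
    for text, net in zip(raw, nets):
        for other in nets:
            if other is not net and other.version == net.version \
                    and net.subnet_of(other):
                redundant.append(text)
                break
    return redundant


def render_forward_zones(zones: Iterable[str], addr: str = "127.0.0.1",
                         port: int = 10053) -> str:
    """forward-zone stanzas for unbound-main.conf using addr@port syntax."""
    lines = ["server:", "    do-not-query-localhost: no", ""]
    for zone in zones:
        lines += ["forward-zone:", f'    name: "{zone}"',
                  f"    forward-addr: {addr}@{port}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample answers: one inside a listed block, one outside.
    answers = ["2607:fb10:7021:1::1", "2001:db8::1"]
    print("kept:", scrub_aaaa(answers, NETFLIX_V6_BLOCKS))
    # Constructed unrelated hosts: shows why ::/0 must not sit on the main instance.
    others = {"example.net": "2001:db8:1::10", "mail.example": "2001:db8:2::25"}
    print("::/0 would also strip:", collateral_damage(others, ["::/0"]))
    print("block list strips:", collateral_damage(others, NETFLIX_V6_BLOCKS))
    print("redundant entries:", redundant_prefixes(NETFLIX_V6_BLOCKS))
    print(render_forward_zones(NETFLIX_ZONES))
```

After changing the block list, run the script and confirm that `collateral_damage` over a few of your own non-Netflix hosts stays empty; any name listed there will lose its AAAA on the main resolver, not just in the forwarded zones.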