block all AAAA queries for specific domain?
Rick van der Zwet
info at rickvanderzwet.nl
Thu Sep 20 14:00:46 UTC 2018
On 2018-08-27 16:09, Jeremy Baker via Unbound-users wrote:
> On 08/17/2018 04:48 PM, Rick van der Zwet via Unbound-users wrote:
...
>> For debugging purposes, I am trying to block (only) AAAA queries from
>> a specific domain and its subdomains.
...
>> Does somebody have a work-around available to make my debugging effort
>> easier?
>>
> This would certainly make my life easier as well, since netflix is
> constantly adding new host names that I have to disable ipv6 for.
Ales suggested dnsdist [1] in front of the unbound instance. It works
fine for me, using the following configuration:
# cat /usr/local/etc/dnsdist.conf
-- Disallow Netflix AAAA queries
addAction(AndRule({RegexRule("netflix.com$"), QTypeRule(dnsdist.AAAA)}),
RCodeAction(dnsdist.NXDOMAIN))
-- All other traffic to local Unbound instance (interface: 127.0.0.1 at 5353)
newServer("127.0.0.1:5353")
-- Local Network configuration
setLocal('127.0.0.1:53')
setACL('127.0.0.0/8')
addLocal('192.168.178.1:53')
addACL('192.168.178.1/24')
addLocal('[2001:984:ac89:ffff::1]:53')
addACL('2001:984:ac89::/48')
addLocal('172.17.107.20:53')
addACL('172.16.0.0/12')
However, a patch supporting wildcard domains in local-data would also be
appreciated :-)
Best regards,
-Rick
[1] https://dnsdist.org
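The rule above combines a regex on the query name with a QTYPE test, and the regex as posted ("netflix.com$") has two loose spots: the dot is unescaped, so it matches any single character, and nothing requires a label boundary in front of "netflix", so names in other domains that merely end in those characters are caught too. The following Python script is an added example (not part of the thread and not dnsdist's own code) that replays the posted match logic, a tightened regex, and a label-aware suffix check over a handful of constructed sample queries; the query names, the helper names (posted_rule_blocks, suffix_rule_blocks, overblocked) and the lower-casing step are this example's own choices.

```python
import re

# Constructed sample queries for this example (not taken from the thread).
# Each entry is (qname as sent on the wire, qtype).
SAMPLE_QUERIES = [
    ("netflix.com.", "AAAA"),                   # zone apex itself
    ("www.netflix.com.", "AAAA"),               # direct subdomain
    ("ipv6-exp.api.netflix.com.", "AAAA"),      # deeper subdomain
    ("www.netflix.com.", "A"),                  # same name, A type: must pass
    ("WWW.NETFLIX.COM.", "AAAA"),               # DNS names are case-insensitive
    ("notnetflix.com.", "AAAA"),                # different registrable domain
    ("netflixXcom.", "AAAA"),                   # unescaped '.' matches any character
    ("netflix.com.attacker.example.", "AAAA"),  # zone name as a prefix, not a suffix
]

# The pattern exactly as posted in the dnsdist RegexRule.
AS_POSTED = re.compile(r"netflix.com$")
# Same idea with the dot escaped and a label boundary required before the zone.
ANCHORED = re.compile(r"(^|\.)netflix\.com$")


def normalize(qname: str) -> str:
    """Strip the trailing root dot and lower-case, so matching runs on a
    canonical owner name. (The lower-casing is this example's own choice; it
    makes no claim about whether dnsdist's RegexRule is case-insensitive.)"""
    return qname.rstrip(".").lower()


def posted_rule_blocks(qname: str, qtype: str) -> bool:
    """AndRule({RegexRule("netflix.com$"), QTypeRule(AAAA)}) as posted."""
    return qtype == "AAAA" and AS_POSTED.search(normalize(qname)) is not None


def anchored_regex_blocks(qname: str, qtype: str) -> bool:
    """Same rule with the tightened regex: this is the pattern to paste back
    into RegexRule if a regex-based rule is kept."""
    return qtype == "AAAA" and ANCHORED.search(normalize(qname)) is not None


def suffix_rule_blocks(qname: str, qtype: str, zone: str = "netflix.com") -> bool:
    """Label-aware check without a regex: block AAAA for the zone apex and for
    any name ending in '.' + zone, which is what 'a specific domain and its
    subdomains' means."""
    name, zone = normalize(qname), normalize(zone)
    return qtype == "AAAA" and (name == zone or name.endswith("." + zone))


def overblocked(queries) -> list:
    """Names the posted regex blocks although they lie outside the zone."""
    return [q for q, t in queries
            if posted_rule_blocks(q, t) and not suffix_rule_blocks(q, t)]


def anchored_matches_suffix(queries) -> bool:
    """True when the tightened regex agrees with the label-aware check on
    every sample, i.e. it is a safe drop-in for the posted pattern."""
    return all(anchored_regex_blocks(q, t) == suffix_rule_blocks(q, t)
               for q, t in queries)


if __name__ == "__main__":
    print(f"{'qname':<32} {'qtype':<5} {'posted':<7} {'anchored':<9} suffix")
    for q, t in SAMPLE_QUERIES:
        print(f"{q:<32} {t:<5} {str(posted_rule_blocks(q, t)):<7} "
              f"{str(anchored_regex_blocks(q, t)):<9} {suffix_rule_blocks(q, t)}")
    print("over-blocked by the posted regex:", overblocked(SAMPLE_QUERIES))
```

In the dnsdist configuration the tightened pattern is written with Lua string escapes, i.e. RegexRule("(^|\\.)netflix\\.com$"), and the rest of the rule stays as posted. One further point worth keeping in mind when reusing the rule: NXDOMAIN states that the whole owner name does not exist, and RFC 2308 negative caching applies that to every type, so a cache between dnsdist and the client may treat the A records of the same name as absent as well; an empty NOERROR answer (NODATA) is the accurate "no IPv6 address here" response. Whether RCodeAction(dnsdist.NOERROR) produces that empty answer depends on the dnsdist version installed, so this is an assumption to confirm against its documentation.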