Filtering with DNS64 in place

Nico Schottelius nico.schottelius at ungleich.ch
Tue Feb 16 18:51:59 UTC 2021


Good morning everyone,

we have a peculiar request to solve and were wondering whether it is at
all possible with unbound:

a)
For a certain source range, let's say 2001:db8::/96, we want to *only*
reply with generated DNS64 entries - i.e. we want unbound to only reply
with mapped IPv4 addresses, NOT with proper AAAA entries, if they exist.

b)
For a different source range, let's say 2001:db:1::/64, we want to reply
only with *proper* IPv6 AAAA entries, i.e. disable DNS64 for them.

c) (optional)

In the best case, we would even like to remove A replies from the
results, in case a misconfigured client requests A records.

Background for this is that we have clients in specific networks, which
are mapped via SIIT to IPv4 addresses. These clients should never
connect to an IPv6 address (besides they actually do...) after
translation. And the clients in the other network should behave the
opposite, they should *only* connect to IPv6 hosts.

However, both client networks are IPv6 only, as there is no IPv4 link
into these networks, so we are dealing with NAT64/SIIT. And
unfortunately we don't have a lot of control over the client behaviour,
whether they will ask for A/AAAA entries, so we will need to steer them
on the DNS side.

I have seen the unbound python module support and was wondering if that
could be suitable to solve this?

Best regards,

Nico

--
Sustainable and modern infrastructures by ungleich.ch
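The per-source policy asked for above, reduced to its data-plane logic, as an added example that is not Unbound's code and not code from this thread. It models the three cases as a client-range lookup (the ranges and the mode names "dns64-only" and "native-only" are assumptions; the second range is taken as 2001:db8:1::/64) and does the AAAA synthesis itself with the RFC 6052 /96 embedding into the well-known 64:ff9b::/96 prefix. How the result is fed back into Unbound (e.g. from the python module's operate() callback, or by some other means) is not shown.

```python
"""Model of a per-client DNS64 policy (added example, not Unbound code).

Modes (hypothetical names):
  dns64-only  : answer AAAA only with synthesized addresses, even if
                a native AAAA exists; suppress A answers.
  native-only : answer AAAA only with the real AAAA records, never
                synthesize; suppress A answers.
  default     : classic DNS64 (synthesize only when no native AAAA),
                A answered as usual.
"""
import ipaddress

# RFC 6052 well-known NAT64 prefix (assumption: the SIIT/NAT64 box uses it).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Hypothetical policy table: (client source range, mode).
POLICY = [
    (ipaddress.IPv6Network("2001:db8::/96"), "dns64-only"),
    (ipaddress.IPv6Network("2001:db8:1::/64"), "native-only"),
]


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """RFC 6052 embedding for a /96 prefix: prefix bits, then the 32-bit IPv4.

    Other prefix lengths interleave the bits differently, so refuse them.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def client_mode(client_ip):
    """Longest-match is unnecessary here: ranges are disjoint, first hit wins."""
    addr = ipaddress.ip_address(client_ip)
    for net, mode in POLICY:
        if addr.version == net.version and addr in net:
            return mode
    return "default"


def answer(client_ip, qtype, a_records, aaaa_records):
    """Records (type, rdata) to hand this client for a name whose
    upstream A and AAAA RRsets are given (constructed, already resolved)."""
    mode = client_mode(client_ip)
    if qtype == "AAAA":
        if mode == "dns64-only":
            return [("AAAA", synthesize_aaaa(a)) for a in a_records]
        if mode == "native-only":
            return [("AAAA", r) for r in aaaa_records]  # may be empty: NODATA
        if aaaa_records:
            return [("AAAA", r) for r in aaaa_records]
        return [("AAAA", synthesize_aaaa(a)) for a in a_records]
    if qtype == "A":
        if mode in ("dns64-only", "native-only"):
            return []  # item (c): misconfigured v6-only clients get NODATA
        return [("A", r) for r in a_records]
    raise ValueError("only A and AAAA are modelled")


if __name__ == "__main__":
    # Constructed upstream data for one name.
    A = ["192.0.2.1"]
    AAAA = ["2001:db8:ffff::1"]
    for client in ("2001:db8::1", "2001:db8:1::5", "2001:db8:2::1"):
        for qt in ("AAAA", "A"):
            print(client, client_mode(client), qt, answer(client, qt, A, AAAA))
```

Note that "dns64-only" returns the synthesized address even when a native AAAA exists, which is the opposite of what a standard DNS64 resolver does; that inversion is exactly what the first source range needs and is why a stock DNS64 module alone does not express it.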

