Filtering A records in combination with DNS64

Mark Andrews marka at isc.org
Thu Feb 18 20:25:06 UTC 2021 

Have you actually played with dns64 settings?

        dns64 <netprefix> {
                break-dnssec <boolean>;
                clients { <address_match_element>; ... };
                exclude { <address_match_element>; ... };
                mapped { <address_match_element>; ... };
                recursive-only <boolean>;
                suffix <ipv6_address>;
        }; // may occur multiple times


> On 19 Feb 2021, at 06:39, Nico Schottelius <nico.schottelius at ungleich.ch> wrote:
> 
> 
> Good morning everyone,
> 
> we have peculiar request to solve and were wondering whether it is at
> all possible with bind:
> 
> a)
> For a certain source range, let's say 2001:db8::/96, we want to *only*
> reply with generated DNS64 entries - i.e. we want bind to only reply
> with mapped IPv4 addresses, NOT with proper AAAA entries, if they exist.

dns64 <netprefix> { clients { acl; }; exclude { ::/0; }; };

> b)
> For a different source range, let's say 2001:db:1::/64, we want to reply
> only with *proper* IPv6 AAAA entries, i.e. disable DNS64 for them.

dns64 <netprefix> { clients { !prefix; any; };

> 
> c) (optional)
> 
> In the best case, we would even like to remove A replies from the
> results, in case a misconfigured client requests A records.

Then you break the ability of those clients to do their own DNS64 mappings
which is required when they are doing DNSSEC themselves.

> Background for this is that we have clients in specific networks, which
> are mapped via SIIT to IPv4 addresses. These clients should never
> connect to an IPv6 address (besides they actually do...) after
> translation. And the clients in the other network should behave the
> opposite, they should *only* connect to IPv6 hosts.
> 
> However, both client networks are IPv6 only, as there is no IPv4 link
> into these networks, so we are dealing with NAT64/SIIT. And
> unfortunately we don't have a lot of control over the client behaviour,
> whether they will ask for A/AAAA entries, so we will need to steer them
> on the DNS side.
> 
> Looking forward to your replies.
> 
> Best regards,
> 
> Nico
> 
> --
> Sustainable, Modern Infrastructures by ungleich.ch
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list