filter queries for A records from some clients

Mark Andrews marka at isc.org
Fri Mar 11 00:37:20 UTC 2022



> On 11 Mar 2022, at 10:40, Brian J. Murrell <brian at interlinx.bc.ca> wrote:
> 
> I am trying to do some testing of an IPv6-only network here using some
> nat64 to reach the "legacy" :-) IPv4 Internet.  My network is currently
> dual-stack.
> 
> I have dns64 query mapping working, but I am still seeing some clients
> that I am trying to test with (that still have IPv4 addresses until the
> test proves successful) using IPv4 to the Internet.  I can only surmise
> that this is a case where the client did a happy-eyeballs query for
> both A and AAAA records and got an A record back first.

That’s not how happy eyeballs works.

Or they have IPv4 address literals.
Or the AAAA lookup by the DNS64 server failed.
Or the IPv6 connection failed and they have fallen back to IPv4.  Happy
eyeballs speeds this up.

> To that effort, I want to try filtering out A record queries (or
> responses) from those clients so that they only get the AAAA results
> back whether those are real IPv6 addresses or dns64 mapped addresses.

I suggest that you just filter the IPv4 traffic returning ICMP UNREACHABLE
and possibly TCP RST (works better than ICMP UNREACHABLE usually) to the
clients in the test if you want to simulate a true IPv6-only network.

Alternatively turn off DHCPv4 for the hosts that are part of the test in
the DHCPv4 server.

When you are doing DNS64 the clients really need to be able to make A
queries successfully as they may be doing DNS64 synthesis themselves.

Ultimately DNS64 really isn’t what should be used.  If I was running an ISP
I would not use DNS64.  If you want to use a NAT64, populate ipv4only.arpa
with the correct AAAA records for your NAT64 (RFC 7050 for the older clients)
as well as RFC 8781 (Discovering PREF64 in Router Advertisements, for the newer
clients) and run 464XLAT (CLAT<->NAT64) in your CPE.  DNS64 has lots of bad
side effects and limitations and should be avoided where possible.

There are a number of ways to do IPv4AAS.  DNS64/NAT64 should be right at the
bottom of the list.

This all said there is the filter-a plug-in.

> Is there any way to filter A queries or replies to achieve this goal?
> 
> I am noticing the .rpz-ip trigger, but being pretty green at RPZ policy
> writing, it's not clear to me if that can be used to filter just A
> records.
> 
> Cheers,
> b.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
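The following named.conf fragment is an added example, not part of the thread above and not configuration from ISC; it shows the two pieces the reply touches on, a DNS64 stanza and the filter-a plug-in scoped to the test clients only. The ACL name, the documentation prefixes (2001:db8:1::/64, 64:ff9b::/96) and the plugin option names (assumed here to follow the same pattern as the documented filter-aaaa plugin: filter-a-on-v4, filter-a-on-v6, filter-a) are assumptions to check against the ARM for the BIND version in use.

```conf
// Added example (constructed): DNS64 plus A-record filtering for a set of
// test clients. Addresses are documentation prefixes, not a real deployment.

// Hypothetical ACL: the IPv6 prefix the IPv6-only test hosts query from.
acl v6only-test { 2001:db8:1::/64; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { localnets; };

    // Synthesize AAAA records for A-only names using the well-known
    // NAT64 prefix; any client may receive synthesized answers.
    dns64 64:ff9b::/96 {
        clients { any; };
    };
};

// filter-a plug-in (BIND 9.18+): drop A records from answers sent to
// clients that match the ACL, leaving AAAA (real or DNS64-synthesized)
// untouched. Option names assumed by analogy with filter-aaaa.
plugin query "filter-a.so" {
    // Match the client's IPv6 source address against the ACL below.
    filter-a-on-v6 yes;
    // Do not filter answers sent to clients querying over IPv4.
    filter-a-on-v4 no;
    // Only these clients have A records removed.
    filter-a { v6only-test; };
};
```

Two caveats follow directly from the reply: a host that performs DNS64 synthesis itself (for example one that learned PREF64 from Router Advertisements) still needs working A answers, so removing A records can break it rather than test it; and filtering A records only changes what a dual-stack host learns from DNS, it does not remove the host's IPv4 connectivity, which is why rejecting the IPv4 traffic (ICMP unreachable or TCP RST) or withholding a DHCPv4 lease gives a more faithful IPv6-only simulation.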