bind-server-filter-aaaa: forcing domains to resolve only to IPv4 addresses

This guide explains how to set up a local nameserver that prevents certain domain names from resolving to IPv6 addresses (AAAA records). This is useful if you are using an IPv6-over-IPv4 tunnel (such as an IPv6 tunnel from Hurricane Electric) and want to use network services that don't work over IPv6 tunnels. This setup strips AAAA records from the domains you specify, forcing them to use IPv4 only, while leaving IPv6 enabled for all other domains.

NOTE

Installing bind-server will temporarily interfere with or deactivate dnsmasq. After you install bind-server, you will stop it and edit its configuration file so that it can coexist with dnsmasq.

Installation

Log into the router through ssh.

Install at least the following packages:

  • bind-rndc
  • bind-server
  • bind-server-filter-aaaa
  • bind-dig

After installing bind-server, stop it with /etc/init.d/named stop.

Configuration

You will set up named to listen on port 2053 on the loopback addresses (so it does not conflict with dnsmasq on port 53), then configure dnsmasq to forward only the domains that you want to filter to named.

Edit /etc/bind/named.conf

At the top level add:

plugin query "/usr/lib/bind/filter-aaaa.so" {
  filter-aaaa-on-v4 yes;
  filter-aaaa-on-v6 yes;
};

Add this inside the options section:

  listen-on port 2053 { 127.0.0.1; };
  listen-on-v6 port 2053 { ::1; };
  forward only;
  forwarders {
    // your ISP's DNS servers,
    // or your preferred replacements for them
    // examples:
    // 8.8.8.8;
    // 208.67.222.222;
  };

Enable and restart named

service named enable
service named start

Test named

Test that your filtered domain (example.com) has no AAAA records, according to your named:

dig @127.0.0.1 -p 2053 example.com AAAA

should provide you with a NOERROR response such as this:

; <<>> DiG 9.18.0 <<>> @127.0.0.1 -p 2053 example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34488
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0bfa47e834f331f5010000006225150efca3ef92e372acd9 (good)
;; QUESTION SECTION:
;example.com.			IN	AAAA

;; Query time: 50 msec
;; SERVER: 127.0.0.1#2053(127.0.0.1) (UDP)
;; WHEN: Sun Mar 06 15:09:50 EST 2022
;; MSG SIZE  rcvd: 68

Whereas querying a public DNS server:

dig @8.8.8.8 -p 53 example.com AAAA

will return the IPv6 addresses for the filtered domain, such as:

; <<>> DiG 9.18.0 <<>> @8.8.8.8 -p 53 example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8182
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.			IN	AAAA

;; ANSWER SECTION:
example.com.		60	IN	AAAA	fe80::1
example.com.		60	IN	AAAA	fe80::2
example.com.		60	IN	AAAA	fe80::3

;; Query time: 30 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Mar 06 15:10:39 EST 2022
;; MSG SIZE  rcvd: 124

Configure dnsmasq

Now that named strips AAAA records from every domain it resolves, add rules so that dnsmasq forwards only the domains you want filtered to your named; all other domains continue to be resolved by dnsmasq's usual upstream servers, with their AAAA records intact:

uci add_list dhcp.@dnsmasq[0].server='/example.com/127.0.0.1#2053'
uci add_list dhcp.@dnsmasq[0].server='/example.net/127.0.0.1#2053'
uci commit
/etc/init.d/dnsmasq restart

Test dnsmasq forwarding of the domains

Test that your filtered domain (example.com) has no AAAA records, according to your dnsmasq:

dig @127.0.0.1 -p 53 example.com AAAA

The result should match the one you got directly from named:

; <<>> DiG 9.18.0 <<>> @127.0.0.1 -p 53 example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8399
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9177638017b6a493010000006225159305ed84045f766c04 (good)
;; QUESTION SECTION:
;example.com.			IN	AAAA

;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Mar 06 15:12:03 EST 2022
;; MSG SIZE  rcvd: 68
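Added example, not part of the wiki page: a POSIX sh helper that automates the dig checks from the named and dnsmasq test sections above, so both resolvers (127.0.0.1 port 2053 and port 53) can be verified in one pass. The function names and the abridged sample outputs are constructed for this example; the live check assumes dig from bind-dig is installed on the router.

```shell
#!/bin/sh
# aaaa_count: count AAAA records in the ANSWER SECTION of dig output on stdin.
# dig prints answer records as: name  ttl  IN  TYPE  rdata (whitespace-separated).
# Counting the "ANSWER: n" figure in the header would be wrong for a CNAME
# chain: the filter strips the AAAA but the CNAME record is still answered.
aaaa_count() {
  awk '
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;;/ || /^$/         { in_answer = 0 }
    in_answer && $3 == "IN" && $4 == "AAAA" { n++ }
    END { print n + 0 }
  '
}

# check_no_aaaa SERVER PORT DOMAIN: exit 0 when the resolver returns no AAAA
# records for DOMAIN (the manual dig check from the guide). Returns 2 when dig
# is missing or gets no reply, so a dead resolver is not reported as filtered.
check_no_aaaa() {
  command -v dig >/dev/null 2>&1 || return 2   # bind-dig not installed
  out=$(dig @"$1" -p "$2" "$3" AAAA) || return 2   # no reply or other dig error
  [ "$(printf '%s\n' "$out" | aaaa_count)" -eq 0 ]
}

# Constructed sample dig outputs, abridged to the sections the parser reads.
FILTERED_SAMPLE=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.			IN	AAAA

;; Query time: 50 msec'

UNFILTERED_SAMPLE=';; ANSWER SECTION:
example.com.		60	IN	AAAA	fe80::1
example.com.		60	IN	AAAA	fe80::2
example.com.		60	IN	AAAA	fe80::3

;; Query time: 30 msec'

# A CNAME answer with the AAAA stripped: header says ANSWER: 1, but 0 AAAA.
CNAME_SAMPLE=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.	300	IN	CNAME	example.com.

;; Query time: 20 msec'

count_filtered()   { printf '%s\n' "$FILTERED_SAMPLE"   | aaaa_count; }
count_unfiltered() { printf '%s\n' "$UNFILTERED_SAMPLE" | aaaa_count; }
count_cname()      { printf '%s\n' "$CNAME_SAMPLE"      | aaaa_count; }
```

On the router, `check_no_aaaa 127.0.0.1 2053 example.com && check_no_aaaa 127.0.0.1 53 example.com` confirms both named and the dnsmasq forwarding rule are filtering.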
  • Last modified: 2022/03/06 20:19
  • by atownlede