This is just off the top of my head: On the main resolver, define a forwarder just for soratool.ch and point it to an extra resolver under your control. That extra resolver would then use the filter-aaaa plugin to remove all AAAA addresses from responses.
Ondrej

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 7. 11. 2025, at 4:05, Matus UHLAR - fantomas <[email protected]> wrote:
>
>>
>>> I maintain squid proxy server which (by default) disallows connecting to
>>> hosts in the linklocal network (I'd say standard security practice).
>>>
>>> We have a problem with a DNS name that has a public IPv4 address but a private IPv6:
>>>
>>> soratool.ch. 179 IN A 160.85.67.44
>>> soratool.ch. 168 IN AAAA fe80::250:56ff:feaa:f5dc
>
>> On 06.11.25 17:22, Carlos Horowicz wrote:
>> I think you can define a regular zone with this name, only if you know ALL
>> the RRs the zone has .... overriding only AAAA and leaving all other RRs in
>> the zone intact, maybe defining the AAAA inside an rpz zone
>
> Yes, overriding the zone at BIND level would require knowing all its
> contents, which is nearly impossible.
>
> Overriding a single hostname in /etc/hosts seems easier, but the risk is not
> noticing when the destination address changes.
>
>
>> On 06.11.25 19:05, Evan Hunt wrote:
>> I don't know a way to use RPZ in BIND to pass through the A responses from
>> the original authority, but block AAAA. RPZ works on the level of the
>> name, not the type.
>
> I was under the impression that it works on the contents of the reply as well, so I
> could drop all replies pointing to the resulting IP range like this:
>
>>> From what I found, it should be possible to drop IPv6 addresses in
>>> fe80::/10 by defining
>>>
>>> 10.0.0.0.0.0.0.0.fe80.ns-ip CNAME .
>
> This should drop all responses to all queries pointing to a linklocal address,
> correct?
>
>> But, you could set up an RPZ that answers for soratool.ch, and only
>> has an A record. Queries for AAAA (and any other type) would then get
>> NODATA responses:
>
> Overriding this in the RPZ would mean that only "soratool.ch" would be
> rewritten, not anything under the domain, but I'd apparently have to
> replicate other records (SOA, NS, MX, TXT).
>
> I guess it's better than configuring my own zone, but overriding in /etc/hosts
> would be easiest and have less overhead.
>
>
>> Note that if they change their address at some point, you'll have to
>> update the RPZ as well.
>
> ...which is exactly why I am searching for a way to modify/block one
> particular response using RPZ
>
> --
> Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Enter any 12-digit prime number to continue.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list.
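The two-resolver setup Ondřej sketches above, written out as BIND named.conf fragments. This is an added example, not configuration from the thread or from ISC; the loopback address and port of the filtering instance, the directory paths and the DNSSEC handling are assumptions, and it has not been tested against soratool.ch.

```conf
## Main resolver (named.conf): only soratool.ch is sent to the filtering
## instance; everything else is resolved exactly as before.
options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-validation auto;
    # Assumption: the filtering instance strips AAAA even from signed answers,
    # which a validator would reject, so exempt just this name from validation.
    validate-except { "soratool.ch"; };
};

zone "soratool.ch" {
    type forward;
    forward only;
    # Hypothetical address and port of the extra resolver (second named
    # instance on the same host).
    forwarders { 127.0.0.2 port 5354; };
};

## Extra resolver (second named instance started with its own config file,
## e.g. named -c /etc/bind/named-filter.conf): a plain recursive resolver
## with the filter-aaaa plugin loaded, reachable only from loopback.
options {
    directory "/var/cache/bind-filter";
    listen-on port 5354 { 127.0.0.2; };
    listen-on-v6 { none; };
    recursion yes;
    allow-recursion { 127.0.0.0/8; };   # only the main resolver may use it
    dnssec-validation auto;
};

# filter-aaaa removes AAAA RRs from answers sent to matching clients.
# "yes" leaves DNSSEC-signed answers untouched; "break-dnssec" strips them
# anyway, which is why the main resolver above exempts the name from
# validation. Use "yes" instead if soratool.ch is known to be unsigned.
plugin query "filter-aaaa.so" {
    filter-aaaa { 127.0.0.0/8; };
    filter-aaaa-on-v4 break-dnssec;
    filter-aaaa-on-v6 break-dnssec;
};
```

Check both files with named-checkconf before starting the instances, and confirm with a dig for soratool.ch AAAA against the main resolver that the answer comes back empty while the A record is still the upstream one.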

