On 07.11.25 12:52, Crist Clark wrote:
> I still don't understand why an RPZ entry of,
>
> 10.zz.fe80. IN CNAME *.
>
> Doesn't work for you.

I was asking if it's supposed to work and if it can be restricted only to
work for specified domains.
I assume it's safe to test this, perhaps outta working time.

> Is there a reason you just want to block IPv6 LL
> addresses for this domain but allow for others?

I found that to be a better solution especially if the client decides to use
linklocal addresses in local network.
But perhaps global ban of linklocal destinations could be just fine.

> With that line in an RPZ,
>
> $ dig @192.168.64.80 soratool.ch
> ; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56119
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;soratool.ch. IN A
> ;; ANSWER SECTION:
> soratool.ch. 300 IN A 160.85.67.44
> ;; Query time: 172 msec
> ;; SERVER: 192.168.64.80#53(192.168.64.80)
> ;; WHEN: Fri Nov 07 12:51:20 PST 2025
> ;; MSG SIZE rcvd: 56
>
> $ dig @192.168.64.80 soratool.ch aaaa
> ; <<>> DiG 9.10.6 <<>> @192.168.64.80 soratool.ch aaaa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65271
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;soratool.ch. IN AAAA
> ;; ADDITIONAL SECTION:
> rpz. 1 IN SOA localhost. nobody.localhost. 43 86400 43200 604800 10800
> ;; Query time: 174 msec
> ;; SERVER: 192.168.64.80#53(192.168.64.80)
> ;; WHEN: Fri Nov 07 12:51:24 PST 2025
> ;; MSG SIZE rcvd: 95

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
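
The response-IP trigger discussed in this thread, as an added example that is not part of either poster's message or of BIND's code: a Python helper that encodes a CIDR block as an RPZ `rpz-ip` owner name (prefix length, then the address words reversed, with one run of zero words written as `zz`) and pairs it with a policy action. The function names and the `ACTIONS` table are hypothetical, the owner is relative to the policy zone and carries the `rpz-ip` label that the quoted line does not show, and picking the first longest zero run for `zz` is an assumption modelled on `::` compression.

```python
import ipaddress

# RPZ policy actions written as CNAME targets.
ACTIONS = {
    "NXDOMAIN": ".",
    "NODATA": "*.",           # the action used in the thread's record
    "PASSTHRU": "rpz-passthru.",
    "DROP": "rpz-drop.",
}


def rpz_ip_owner(cidr: str) -> str:
    """Return the rpz-ip owner name (relative to the policy zone) for a CIDR block."""
    # strict=True rejects blocks with host bits set, e.g. fe80::1/10.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        # Eight 16-bit words as hex without leading zeros.
        labels = [format(int(w, 16), "x")
                  for w in net.network_address.exploded.split(":")]
        # Find the first longest run of zero words.
        best_start, best_len, i = 0, 0, 0
        while i < len(labels):
            j = i
            while j < len(labels) and labels[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = max(j, i + 1)
        # Assumption: only a run of two or more words is written as "zz".
        if best_len >= 2:
            labels[best_start:best_start + best_len] = ["zz"]
    # Prefix length first, then the address labels in reverse order.
    return ".".join([str(net.prefixlen)] + labels[::-1] + ["rpz-ip"])


def rpz_record(cidr: str, action: str = "NODATA") -> str:
    """Build one zone-file line that applies `action` to answers inside `cidr`."""
    return f"{rpz_ip_owner(cidr)} IN CNAME {ACTIONS[action]}"


if __name__ == "__main__":
    # Constructed inputs: IPv6 link-local plus two documentation prefixes.
    for block in ("fe80::/10", "2001:db8::/32", "192.0.2.0/24"):
        print(rpz_record(block))
```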