Hello everyone, I used to use this script:

--[[
Sometimes, domains break when IPv6 is used. A common example is Netflix via an
IPv6 tunnel, which Netflix interprets as a proxying attempt.

This function strips IPv6 from one or more subdomains. It can be called with a
single domain, like "netflix.com", or with a domain set, which is more
efficient and scales very well.

This file is meant for including, so you can call it from your preresolve.
Alternatively, uncomment the activation code below and you can load it directly
into your resolver with 'lua-dns-script=strip-ipv6-from-domains.lua'.
]]--

function preventIPv6ForDomains(dq, domain)
    local ds=newDS()
    -- accept either a single domain name or a ready-made domain set
    if(type(domain) == "string") then
        ds:add{domain}
    else
        ds=domain
    end

    -- only AAAA queries are touched
    if(dq.qtype ~= pdns.AAAA) then
        return false
    end

    -- name is in the set: answer with rcode 0 and no records
    if(ds:check(dq.qname)) then
        dq.rcode = 0
        return true
    end

    return false
end

-- To activate, uncomment the block below:
netflix=newDS()
netflix:add{"netflix.com"}

function preresolve(dq)
    return preventIPv6ForDomains(dq, "netflix.com")
end

Perhaps useful.

Bert

On Mon, Oct 07, 2019 at 02:23:07AM -0400, Aleksandr Rogozin via Pdns-users wrote:
> Hi Nick,
>
> Since your request was to filter based on specific domains for qtype AAAA
> with custom response, I suggest looking into Response Policy Zone (RPZ) or
> LUA script.
>
> Best Regards,
> Aleksandr
>
> On Sat, Oct 5, 2019 at 23:10 Nicholas Williams <
> nicho...@nicholaswilliams.net> wrote:
>
> > I’ve got a conundrum that has kind of come to a head for me. It may be
> > 2019, but Comcast is still too incompetent to provide me with
> > properly-working IPv6, so I’ve resorted to using a Hurricane Electric
> > tunnel for IPv6 access. However, Netflix blocks all Hurricane Electric and
> > similar tunnels under the assumption that you’re trying to scam their
> > location identification and access content that you don’t have geographic
> > access to and, worse, the Netflix apps prefer IPv6 over IPv4 when it’s
> > available, so Hurricane Electric users are kinda screwed.
> >
> > In the past, I’ve dealt with this by adding a black hole route for
> > Netflix’s IPv6 prefix. However, I’m now having to block THREE /48 prefixes
> > in order to keep Netflix working, and from what I can tell that means I’m
> > now blocking most of AWS’s entire CDN, so I’m losing out on IPv6 on a bunch
> > of sites.
> >
> > This solution is really like using a sledgehammer to install a picture
> > frame hanger (and having to replace the picture frame hanger every few
> > months). A better solution is to prevent Netflix from doing AAAA lookups
> > (or somehow filter them and respond with only A results). I’m already using
> > PowerDNS Recursor for my DNS. Is there a way I can configure PowerDNS
> > Recursor so that certain domains (like Netflix) respond with only A results
> > and never return AAAA results, so that I can remove my blackhole routes?
> >
> > Thanks,
> >
> > Nick

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
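
An added example, not part of the original post or of the PowerDNS project: an offline Lua harness that runs the posted function against constructed queries to show which ones it answers itself. The `newDS` and `pdns` stubs are assumptions standing in for the Recursor's globals (the stub matches on label boundaries, and `qname` is a plain string here rather than the Recursor's name object).

```lua
-- Stand-ins for the Recursor globals (assumed, for offline use only).
pdns = { A = 1, AAAA = 28 }  -- DNS record type codes

-- Stub domain set: matches a name or any of its subdomains, on label boundaries.
function newDS()
  local ds = { suffixes = {} }
  function ds:add(list)
    for _, d in ipairs(list) do
      self.suffixes[#self.suffixes + 1] = (d:lower():gsub("%.$", ""))
    end
  end
  function ds:check(qname)
    local name = (qname:lower():gsub("%.$", ""))
    for _, s in ipairs(self.suffixes) do
      if name == s or name:sub(-(#s + 1)) == "." .. s then return true end
    end
    return false
  end
  return ds
end

-- The function from the post, logic unchanged.
function preventIPv6ForDomains(dq, domain)
  local ds = newDS()
  if type(domain) == "string" then ds:add{domain} else ds = domain end
  if dq.qtype ~= pdns.AAAA then return false end
  if ds:check(dq.qname) then dq.rcode = 0 return true end
  return false
end

-- Build the set once and pass it in, as the post's comment recommends.
local blocked = newDS()
blocked:add{"netflix.com"}

-- Constructed queries: { name, type, expected "handled by the script" }.
local cases = {
  { "www.netflix.com.", pdns.AAAA, true  },  -- subdomain, AAAA: stripped
  { "netflix.com.",     pdns.AAAA, true  },  -- apex, AAAA: stripped
  { "www.netflix.com.", pdns.A,    false },  -- A queries pass through
  { "notnetflix.com.",  pdns.AAAA, false },  -- not a label-boundary match
  { "example.org.",     pdns.AAAA, false },  -- unrelated domain
}
for _, c in ipairs(cases) do
  local dq = { qname = c[1], qtype = c[2] }
  local handled = preventIPv6ForDomains(dq, blocked)
  assert(handled == c[3], "unexpected result for " .. c[1])
  print(c[1], c[2], handled and "empty NOERROR answer" or "resolved normally")
end
```

Run it with a standalone `lua` interpreter; inside the Recursor the stubs are not needed because `newDS` and `pdns` are provided by the server.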