Re: Filtering A records in combination with DNS64

2021-02-19 Thread Nico Schottelius


Hey Mark,

we deployed the dns64 settings some years ago and I did not notice
the settings at the time - but it seems their combination looks exactly
like what we were looking for.

Thanks a lot for the pointer!

Best regards,

Nico



--
Sustainable and modern Infrastructures by ungleich.ch
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Filtering A records in combination with DNS64

2021-02-18 Thread Mark Andrews
Have you actually played with dns64 settings?

dns64 <netprefix> {
    break-dnssec <boolean>;
    clients { <address_match_element>; ... };
    exclude { <address_match_element>; ... };
    mapped { <address_match_element>; ... };
    recursive-only <boolean>;
    suffix <ipv6_address>;
}; // may occur multiple times


> On 19 Feb 2021, at 06:39, Nico Schottelius  
> wrote:
> 
> 
> Good morning everyone,
> 
> we have a peculiar request to solve and were wondering whether it is at
> all possible with bind:
> 
> a)
> For a certain source range, let's say 2001:db8::/96, we want to *only*
> reply with generated DNS64 entries - i.e. we want bind to only reply
> with mapped IPv4 addresses, NOT with proper AAAA entries, if they exist.

dns64 <netprefix> { clients { acl; }; exclude { ::/0; }; };

> b)
> For a different source range, let's say 2001:db:1::/64, we want to reply
> only with *proper* IPv6 AAAA entries, i.e. disable DNS64 for them.

dns64 <netprefix> { clients { !prefix; any; }; };

> 
> c) (optional)
> 
> In the best case, we would even like to remove A replies from the
> results, in case a misconfigured client requests A records.

Then you break the ability of those clients to do their own DNS64 mappings
which is required when they are doing DNSSEC themselves.

> Background for this is that we have clients in specific networks, which
> are mapped via SIIT to IPv4 addresses. These clients should never
> connect to an IPv6 address (besides they actually do...) after
> translation. And the clients in the other network should behave the
> opposite, they should *only* connect to IPv6 hosts.
> 
> However, both client networks are IPv6 only, as there is no IPv4 link
> into these networks, so we are dealing with NAT64/SIIT. And
> unfortunately we don't have a lot of control over the client behaviour,
> whether they will ask for A/AAAA entries, so we will need to steer them
> on the DNS side.
> 
> Looking forward to your replies.
> 
> Best regards,
> 
> Nico
> 
> --
> Sustainable, Modern Infrastructures by ungleich.ch

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

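Putting Mark's two dns64 statements together as one named.conf fragment for cases a) and b), as an added example that is not configuration from the thread; the NAT64 prefix 64:ff9b::/96, the acl names and the allow-recursion list are assumptions.

```conf
// Added example, not configuration from the thread. Assumes the NAT64/SIIT
// gateway translates the well-known prefix 64:ff9b::/96 and serves the two
// source ranges from the question; the acl names are our own.
acl "siit-only-clients" { 2001:db8::/96; };    // case a)
acl "native-v6-clients" { 2001:db:1::/64; };   // case b)

options {
    recursion yes;
    allow-recursion { siit-only-clients; native-v6-clients; localhost; };

    // Case a): exclude ::/0 matches every IPv6 address, so every real AAAA
    // record is ignored and the answer is always synthesized from the A
    // record. break-dnssec is needed because, with the default "no", a
    // query carrying the DO bit is not synthesized and such a client would
    // get the real AAAA records back.
    dns64 64:ff9b::/96 {
        clients { siit-only-clients; };
        exclude { ::/0; };
        break-dnssec yes;
    };

    // Everyone else gets ordinary DNS64: synthesis only when the name has
    // no AAAA record. Both special ranges are negated out of this clients
    // list so that exactly one dns64 statement applies to any source;
    // the native-v6 range therefore matches no statement at all and only
    // ever sees real AAAA records (case b).
    dns64 64:ff9b::/96 {
        clients { !siit-only-clients; !native-v6-clients; any; };
    };

    // Case c) is left unconfigured on purpose: A records are answered as
    // usual, because a client validating DNSSEC itself needs the A record
    // to do its own DNS64 mapping (Mark's point above).
};
```

Check the syntax with named-checkconf, then query AAAA for a dual-stack name from a host in each range: the SIIT-only client should see only 64:ff9b:: addresses, the native-v6 client only the real ones.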


Filtering A records in combination with DNS64

2021-02-18 Thread Nico Schottelius


Good morning everyone,

we have a peculiar request to solve and were wondering whether it is at
all possible with bind:

a)
For a certain source range, let's say 2001:db8::/96, we want to *only*
reply with generated DNS64 entries - i.e. we want bind to only reply
with mapped IPv4 addresses, NOT with proper AAAA entries, if they exist.

b)
For a different source range, let's say 2001:db:1::/64, we want to reply
only with *proper* IPv6 AAAA entries, i.e. disable DNS64 for them.

c) (optional)

In the best case, we would even like to remove A replies from the
results, in case a misconfigured client requests A records.

Background for this is that we have clients in specific networks, which
are mapped via SIIT to IPv4 addresses. These clients should never
connect to an IPv6 address (besides they actually do...) after
translation. And the clients in the other network should behave the
opposite, they should *only* connect to IPv6 hosts.

However, both client networks are IPv6 only, as there is no IPv4 link
into these networks, so we are dealing with NAT64/SIIT. And
unfortunately we don't have a lot of control over the client behaviour,
whether they will ask for A/AAAA entries, so we will need to steer them
on the DNS side.

Looking forward to your replies.

Best regards,

Nico

--
Sustainable, Modern Infrastructures by ungleich.ch