Is it okay to drop DNS type AAAA queries

If a DNSSEC server has no zones with AAAA records, what potential problems could there be from dropping DNS type AAAA (28; 0x1c) queries at the firewall?

Same as dropping type ANY (255; 0xff). Just replace the type with AAAA (28; 0x1c).


Solution 1:

All your clients would wait for a few seconds on every DNS lookup, for starters. IPv6 is not optional and modern operating systems treat it as such. A client looking for an address will look up both AAAA and A records, even if it does not seem to have any IPv6 connectivity at that exact moment. If you drop one of the queries, the client software doing the DNS lookup will wait until a timeout before returning an error. You will thus annoy your users with a needless slowdown.

Back around 2012, some Juniper firewalls did by accident what you propose to do on purpose, and would drop the AAAA response, even though the client specifically requested A and AAAA records. Juniper eventually did fix this, but it caused quite a bit of annoyance to anybody stuck with this malfunctioning equipment.

And of course it's 2020 and your entire network should have already been IPv6 for the last several years, with IPv4 dual stacked or even deprecated to legacy stuff. But some places are extraordinarily slow to join this century, and you're probably working at one...
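The slowdown the answer describes can be reproduced on localhost. The following is an added example, not code from the question or the answer above: a tiny UDP "nameserver" thread answers type A queries and, for type AAAA (28; 0x1c) queries, either stays silent (what the proposed firewall rule does) or returns NODATA (NOERROR with an empty answer section, which is what an authoritative server with no AAAA records actually sends). The client does what a dual-stack resolver does: it sends both queries at once and waits for both answers. The hostname `host.example.`, the 192.0.2.1 answer (RFC 5737 documentation range), the OS-assigned loopback port and the timeout values are assumptions made for the example.

```python
"""Added example: simulate a firewall dropping AAAA queries versus a
server answering NODATA, and measure what a dual A/AAAA lookup costs."""
import socket
import struct
import threading
import time
from typing import Optional, Tuple

TYPE_A = 1
TYPE_AAAA = 28  # 0x1c


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Encode a minimal DNS query: header with RD set, one IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[int, bytes, int]:
    """Return (txid, question section bytes, qtype) from a query or reply."""
    txid = struct.unpack("!H", msg[:2])[0]
    i = 12
    while msg[i] != 0:          # walk the labels to the root label
        i += 1 + msg[i]
    i += 1
    qtype = struct.unpack("!H", msg[i:i + 2])[0]
    return txid, msg[12:i + 4], qtype


def build_reply(query: bytes, rdata: Optional[bytes]) -> bytes:
    """NOERROR reply echoing the question; one answer RR if rdata is given, else NODATA."""
    txid, question, qtype = parse_question(query)
    ancount = 0 if rdata is None else 1
    reply = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + question  # QR RD RA
    if rdata is not None:
        # name as compression pointer to offset 12, class IN, TTL 60
        reply += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return reply


def serve(sock: socket.socket, drop_aaaa: bool, stop: threading.Event) -> None:
    """Answer A with 192.0.2.1; for AAAA either drop silently or send NODATA."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            query, peer = sock.recvfrom(512)
        except socket.timeout:
            continue
        _, _, qtype = parse_question(query)
        if qtype == TYPE_A:
            sock.sendto(build_reply(query, bytes([192, 0, 2, 1])), peer)
        elif qtype == TYPE_AAAA and not drop_aaaa:
            sock.sendto(build_reply(query, None), peer)
        # otherwise the AAAA query is dropped on the floor, like the firewall rule


def dual_lookup(server: tuple, qname: str, timeout: float) -> Tuple[bool, bool]:
    """Send A and AAAA together and wait for both replies, as a dual-stack client does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(build_query(qname, TYPE_A, 1), server)
    sock.sendto(build_query(qname, TYPE_AAAA, 2), server)
    seen = set()
    deadline = time.monotonic() + timeout
    while len(seen) < 2:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            break                   # the dropped query never gets an answer
        seen.add(parse_question(reply)[2])
    sock.close()
    return TYPE_A in seen, TYPE_AAAA in seen


def simulate(drop_aaaa: bool, timeout: float = 1.0) -> dict:
    """Run one lookup against the loopback server; report what came back and how long it took."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))      # assumption: any free loopback port
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(srv, drop_aaaa, stop), daemon=True)
    worker.start()
    start = time.monotonic()
    got_a, got_aaaa = dual_lookup(srv.getsockname(), "host.example.", timeout)
    elapsed = time.monotonic() - start
    stop.set()
    worker.join()
    srv.close()
    return {"got_a": got_a, "got_aaaa": got_aaaa, "seconds": round(elapsed, 2)}


if __name__ == "__main__":
    print("NODATA for AAAA :", simulate(drop_aaaa=False))
    print("AAAA dropped    :", simulate(drop_aaaa=True, timeout=2.0))
```

With NODATA the lookup completes in milliseconds because the server with no AAAA records answers immediately; with the query dropped, the client sits until its timeout even though the A answer arrived at once. A real stub resolver typically retries before giving up, so the wall-clock cost on a production client is larger than a single timeout.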