Return A records but not AAAA records on specific domain in bind9

Solution 1:

I know this is an old post, but (at least) in my version of bind (9.11 on Ubuntu 18.04) I discovered that you can use filter-aaaa-on-v4 combined with match-destinations in a view.

It still requires you to have bind listening on 2 IP addresses, but at least you don't need multiple instances.

192.168.1.1 is the normal DNS server. 192.168.1.2 is the IPv6-blocking one.

My config looks kind of like this (partial):

options {
    listen-on port 53 { 192.168.1.1; };      # normal resolver address
    listen-on port 5353 { 192.168.1.2; };    # AAAA-filtering address
};

view "ipv4only" {
  # Match on the destination address the query arrived at: exactly
  # 192.168.1.2. A /24 here would also match queries sent to 192.168.1.1
  # and, because the first matching view wins, put every client in this
  # view.
  match-destinations { 192.168.1.2; };
  filter-aaaa-on-v4 yes;
};

view "normal" {
  match-clients { 192.168.1.0/24; };         # the LAN
  zone "netflix.com" {
    type forward;
    forward only;
    forwarders { 192.168.1.2 port 5353; };   # hand off to the ipv4only view
  };
};

That makes bind do a forward lookup to itself on another IP when the domain matches netflix.com.

This eliminates the need for two instances, but sadly requires 2 internal IP addresses. It would be nice if we could also specify a port number in "match-destinations".

Solution 2:

As is indicated by the comments, bind may not be capable of this. However, I managed to solve the problem with a workaround:

Firstly, I added a second bind service listening on port 5353 with just the following configuration file:

acl mynetworks {
    localhost;
    192.168.0.0/24;    # plus whatever other LAN networks you have
};

acl everyone {
    any;
};

options {
    directory "/var/cache/bind-ipv4limited";
    filter-aaaa-on-v4 yes;
    #dnssec-validation auto;
    dnssec-enable yes;
    dnssec-validation yes;
    # DLV (dlv.isc.org) was shut down by ISC in 2017; these two lines
    # are obsolete and can be dropped
    dnssec-lookaside auto;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    recursion yes;
    allow-query { mynetworks; };

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;

    auth-nxdomain no;    # conform to RFC1035
    listen-on port 5353 { any; };
};

The key here is to use "filter-aaaa-on-v4 yes;" so it ignores AAAA requests.

Then in the original bind service, I added a zone for netflix.com that uses the above DNS service:

zone "netflix.com" {
    type forward;
    forward only;
    forwarders {
        127.0.0.1 port 5353;
    };
};

It's an ugly hack, but it seems to work.
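Both answers rely on the same thing: a listener (192.168.1.2:5353 in Solution 1, 127.0.0.1:5353 in Solution 2) that has filter-aaaa-on-v4 active, plus a forward zone for netflix.com on the normal listener. The script below is an added check, not code from either answer, that verifies the resulting behaviour with dig: the filtering listener and the forwarded zone must return A but no AAAA records, and an unrelated dual-stack name through the normal listener must still return AAAA. Addresses, ports, and the choice of example.com as the dual-stack control name are assumptions taken from the answers above. One caveat for newer installs: from BIND 9.14 onwards filter-aaaa-on-v4 is no longer a plain option but is configured inside the filter-aaaa.so query plugin, so the check is worth running after any upgrade.

```shell
#!/bin/sh
# Added check script, not from the original answers. It assumes the addresses
# and ports used above: 192.168.1.1:53 is the normal resolver, 192.168.1.2:5353
# (Solution 1) or 127.0.0.1:5353 (Solution 2) is the AAAA-filtering one.
# Needs dig (package bind9-dnsutils / bind-utils).

# count_rrtype TYPE
#   Reads "dig +noall +answer" output on stdin and prints how many answer
#   records have the given RR type. In that output the type is the fourth
#   whitespace-separated field: "<name> <ttl> IN <type> <rdata>".
count_rrtype() {
    awk -v want="$1" '$4 == want { n++ } END { print n + 0 }'
}

# answer_count SERVER PORT NAME TYPE
#   Prints the number of TYPE records in the answer section that
#   SERVER:PORT returns for NAME.
answer_count() {
    dig @"$1" -p "$2" +noall +answer "$3" "$4" | count_rrtype "$4"
}

# expect SERVER PORT NAME TYPE OP N
#   Prints PASS or FAIL for the test "answer_count ... OP N",
#   e.g. expect 192.168.1.2 5353 netflix.com AAAA -eq 0
expect() {
    got=$(answer_count "$1" "$2" "$3" "$4")
    if [ "$got" "$5" "$6" ]; then
        echo "PASS $1:$2 $3 $4 count=$got"
    else
        echo "FAIL $1:$2 $3 $4 count=$got (expected $5 $6)"
        return 1
    fi
}

# The network checks only run when CHECK_AAAA_FILTER=1 is set, so the
# functions above can be sourced and unit-tested without a resolver.
if [ "${CHECK_AAAA_FILTER:-0}" = 1 ]; then
    rc=0
    # 1. the filtering listener strips AAAA but still answers A
    expect 192.168.1.2 5353 netflix.com A    -gt 0 || rc=1
    expect 192.168.1.2 5353 netflix.com AAAA -eq 0 || rc=1
    # 2. the forwarded zone on the normal listener inherits the filtering
    expect 192.168.1.1 53   netflix.com A    -gt 0 || rc=1
    expect 192.168.1.1 53   netflix.com AAAA -eq 0 || rc=1
    # 3. an unrelated dual-stack name keeps its AAAA records through the
    #    normal listener, proving the filter is not applied globally
    #    (example.com is an assumed control name; use any name with AAAA)
    expect 192.168.1.1 53   example.com AAAA -gt 0 || rc=1
    exit $rc
fi
```

Run it as `CHECK_AAAA_FILTER=1 sh check_aaaa_filter.sh` from a host inside `mynetworks`; every line should print PASS. A FAIL on check 1 means the filter is not active on that listener (wrong build or, on BIND 9.14+, the plugin is not loaded); a FAIL on check 2 with check 1 passing means the forward zone is not being used; a FAIL on check 3 means the filter has leaked into the normal view.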