I maintain a squid proxy server which (by default) disallows
connecting to hosts in the link-local network (I'd say standard
security practice).
We have a problem with a DNS name that has a public IPv4 address but a
private IPv6 one:
soratool.ch. 179 IN A 160.85.67.44
soratool.ch. 168 IN AAAA fe80::250:56ff:feaa:f5dc
On 06.11.25 17:22, Carlos Horowicz wrote:
> I think you can define a regular zone with this name, only if you know
> ALL the RRs the zone has .... overriding only AAAA and leaving all
> other RRs in the zone intact, maybe defining the AAAA inside an rpz
> zone
Yes, overriding the zone at BIND level would require knowing all its
contents, which is nearly impossible.
Overriding a single hostname in /etc/hosts seems easier, but the risk is not
noticing when the destination address changes.
On 06.11.25 19:05, Evan Hunt wrote:
> I don't know a way to use RPZ in BIND to pass through the A responses from
> the original authority, but block AAAA. RPZ works on the level of the
> name, not the type.
I was under the impression that it works on the contents of the reply as well, so I
could drop all replies pointing to the resulting IP range like this:
From what I found, it should be possible to drop IPv6 addresses in
fe80::/10 by defining (in the RPZ zone; the response-address trigger is rpz-ip)
10.0.0.0.0.0.0.0.fe80.rpz-ip CNAME .
This should drop all responses to all queries pointing to a link-local address,
correct?
> But, you could set up an RPZ that answers for soratool.ch, and only
> has an A record. Queries for AAAA (and any other type) would then get
> NODATA responses:
Overriding this in the RPZ would mean that only "soratool.ch" would be
rewritten, not anything under the domain, but I'd apparently have to
replicate the other records (SOA, NS, MX, TXT).
I guess it's better than configuring my own zone, but overriding in /etc/hosts
would be easiest and have less overhead.
> Note that if they change their address at some point, you'll have to
> update the RPZ as well.
...which is exactly why I am searching for a way to modify/block one particular
response using RPZ
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.
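An RPZ zone combining the two approaches discussed in the thread (the name-level override of soratool.ch with only its A record, and an rpz-ip trigger for fe80::/10). This is an added example, not configuration from the original message; the zone name rpz.local and the localhost SOA/NS are assumptions, and the A record is the one shown above.

```zone
; rpz.local - constructed example response policy zone (not from the thread)
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.

; 1) Local data for the exact name soratool.ch: only an A record exists in the
;    policy, so AAAA (and MX, TXT, ...) queries for that name get NODATA.
;    Names under the domain (*.soratool.ch) are not affected.
;    Must be updated by hand if the upstream address changes.
soratool.ch                     IN A     160.85.67.44

; 2) Response-address trigger: any answer whose address RRs fall in fe80::/10
;    is rewritten. Encoding: prefix length, then the eight 16-bit words in
;    reverse order (zz may stand in for ::, i.e. 10.zz.fe80.rpz-ip).
;    CNAME *. yields NODATA; CNAME . would yield NXDOMAIN for the whole name.
10.0.0.0.0.0.0.0.fe80.rpz-ip    IN CNAME *.
```

Enable it with `response-policy { zone "rpz.local"; };` in named.conf, then check that `dig AAAA soratool.ch` returns NOERROR with an empty answer section while `dig A soratool.ch` still answers.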