If you are serious about this, dnsmasq can be used as a workaround. I
think that is the only common tool which can override one record but
does not act authoritatively for other records. Normal DNS resolvers won't
allow it. I think you should not either.
Anyway, link-local addresses cannot work in normal unicast DNS, because
they lack an interface specification. That is always needed for them.
# dnsmasq
listen-address=127.0.0.2
bind-interfaces
address=/soratool.ch/::
# other server than your bind to prevent loops
server=8.8.8.8
# named
zone "soratool.ch" {
    type forward;
    forwarders { 127.0.0.2; };
};
This is quite a hack, but it would allow you to do something with it. Not
sure it is worth the trouble. If the owner does not want his site to be
reliable, do you need to fix it for them?
Cheers,
Petr
On 06/11/2025 17:16, Matus UHLAR - fantomas wrote:
Hello,
I maintain a squid proxy server which (by default) disallows connecting
to hosts in the link-local network (I'd say standard security practice).
We have a problem with a DNS name that has a public IPv4 address but a
private IPv6 one:
soratool.ch. 179 IN A 160.85.67.44
soratool.ch. 168 IN AAAA fe80::250:56ff:feaa:f5dc
fe80::/10 is a link-local address range, first described in Feb 2006 in RFC 4291.
Seems that the domain maintainer does not want to fix this (...)
To make it work I can redefine the policy in the proxy server, disabling
the rule that bans link-local addresses, to allow this particular
domain.
However, I would prefer not to do this on proxy level.
Is there a possibility to override the AAAA record using RPZ?
From what I found, it should be possible to drop IPv6 addresses in
fe80::/10 by defining
10.0.0.0.0.0.0.0.fe80.ns-ip CNAME .
which would drop all responses pointing to linklocal address.
Is that correct?
Or, better, is it possible only to override AAAA for this particular
domain?
Thanks
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
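As an added example (not code from either message in the thread): a small Python helper that builds the owner name of an RPZ IP trigger in the documented rpz-ip encoding (prefix length first, address labels reversed, "zz" standing for "::"), emits a policy record for it, and checks whether a given answer address would fall under the trigger. The prefix fe80::/10 and the AAAA answer from the thread are used as constructed sample input.

```python
import ipaddress

def rpz_ip_trigger(cidr):
    """Owner name of an RPZ IP trigger covering `cidr`.

    RPZ writes an address trigger as <prefixlen>.<address reversed>.rpz-ip.
    IPv4 octets are reversed; IPv6 uses the 16-bit hex groups without
    leading zeros, reversed, with the longest run of zero groups (the '::'
    of the compressed text form) written as the single label 'zz'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")[::-1]
    else:
        groups = [g.lstrip("0") or "0" for g in net.network_address.exploded.split(":")]
        # find the longest run (>= 2) of all-zero groups to collapse into 'zz'
        best_start, best_len, run_start = -1, 0, None
        for i, g in enumerate(groups + [None]):
            if g == "0":
                run_start = i if run_start is None else run_start
            elif run_start is not None:
                if i - run_start > best_len:
                    best_start, best_len = run_start, i - run_start
                run_start = None
        if best_len >= 2:
            groups = groups[:best_start] + ["zz"] + groups[best_start + best_len:]
        labels = groups[::-1]
    return f"{net.prefixlen}." + ".".join(labels) + ".rpz-ip"

def rpz_rule(cidr, action="CNAME ."):
    """One RPZ zone record; 'CNAME .' (NXDOMAIN) is the action from the thread,
    'CNAME *.' would give a NODATA answer instead."""
    return f"{rpz_ip_trigger(cidr)} {action}"

def answer_is_caught(cidr, answer_addr):
    """True if an address seen in an answer lies inside the triggered prefix."""
    return ipaddress.ip_address(answer_addr) in ipaddress.ip_network(cidr, strict=False)

if __name__ == "__main__":
    # Constructed sample: the link-local prefix and the AAAA answer from the thread.
    print(rpz_rule("fe80::/10"))             # 10.zz.fe80.rpz-ip CNAME .
    print(rpz_rule("fe80::/10", "CNAME *."))  # NODATA variant
    for addr in ("fe80::250:56ff:feaa:f5dc", "160.85.67.44", "2001:db8::1"):
        state = "caught" if answer_is_caught("fe80::/10", addr) else "passes"
        print(f"{addr}: {state}")
```

Because an IP trigger is matched against the addresses in each query's own answer, the A query for the same name (whose answer is not in fe80::/10) is not rewritten by such a rule.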