On Wed, 08 Sep 2010 22:24 +0100, "Simon Kelley"
<si...@thekelleys.org.uk> wrote:
> dnsm...@flyingout.name wrote:
> > Is there a way to block the AAAA records as well?
>
> No but there probably should be.
Cool.
>
> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also? What about the fe80:: link-local addresses.
>
Good question. (And I'll admit that I'm no expert here.) Definitely the
IPv4 mapped and ::1. From an ongoing discussion I've been having
elsewhere, here's a list for discussion:
::1
::0/96
0/8
RFC1918:
10.0.0.0/8 ::ffff:10.0.0.0/120
172.16.0.0/12 ::ffff:172.16.0.0/116
192.168.0.0/8 ::ffff:192.168.0.0/120
And loopback:
127.0.0.1/8 ::ffff:127.0.0.1/120
There was a suggestion for:
169.254.0.0/16
::ffff:169.254.0.0/112
FE80::/10
although I'm not sure there's much of a threat there. On the other hand,
they don't have much reason to be coming from public resolvers, either.
Paul
