On Wed, 08 Sep 2010 22:24 +0100, "Simon Kelley" <si...@thekelleys.org.uk> wrote:
> dnsm...@flyingout.name wrote:
> > Is there a way to block the AAAA records as well?
>
> No but there probably should be.

Cool.

> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also? What about the fe80:: link-local addresses.
>

Good question. (And I'll admit that I'm no expert here.) Definitely the IPv4 mapped and ::1.

From an ongoing discussion I've been having elsewhere, here's a list for discussion:

::1
::0/96
0/8

RFC1918:

10.0.0.0/8
::ffff:10.0.0.0/120
172.16.0.0/12
::ffff:172.16.0.0/116
192.168.0.0/8
::ffff:192.168.0.0/120

And loopback:

127.0.0.1/8
::ffff:127.0.0.1/120

There was a suggestion for:

169.254.0.0/16
::ffff:169.254.0.0/112
FE80::/10

although I'm not sure there's much of a threat there. On the other hand, they don't have much reason to be coming from public resolvers, either.

Paul
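
The filtering discussed in this thread, as an added example that is not part of the original message and is not dnsmasq code: it drops A and AAAA answers that point into the ranges named above. It assumes the standard prefix lengths for the IPv4 ranges and derives each IPv4-mapped prefix as 96 plus the IPv4 prefix length; the names `mapped_prefix`, `is_blocked` and `filter_answers` and the sample answers are made up for illustration.

```python
import ipaddress

# IPv4 ranges named in the thread, written with their standard prefix lengths.
V4_RANGES = ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16"]
# Native IPv6 ranges named in the thread (::1 also falls inside ::/96).
V6_RANGES = ["::1/128", "::/96", "fe80::/10"]

def mapped_prefix(net4):
    """Return the IPv4-mapped IPv6 network ::ffff:<net4>/(96 + prefixlen)."""
    base = int(ipaddress.IPv6Address("::ffff:0:0")) | int(net4.network_address)
    return ipaddress.IPv6Network((base, 96 + net4.prefixlen))

_V4 = [ipaddress.ip_network(n) for n in V4_RANGES]
BLOCKED = (_V4
           + [mapped_prefix(n) for n in _V4]
           + [ipaddress.ip_network(n) for n in V6_RANGES])

def is_blocked(addr):
    """True if an A or AAAA answer points into one of the listed ranges."""
    ip = ipaddress.ip_address(addr)
    # Membership is always False across address families, so one list works.
    return any(ip in net for net in BLOCKED)

def filter_answers(answers):
    """Drop (name, rrtype, address) answers whose address is blocked."""
    return [a for a in answers if not is_blocked(a[2])]

# Constructed sample answers, as if returned by an upstream resolver.
SAMPLE = [
    ("a.example", "A", "192.0.2.10"),
    ("b.example", "A", "192.168.1.1"),
    ("c.example", "AAAA", "2001:db8::1"),
    ("d.example", "AAAA", "::ffff:10.1.2.3"),
    ("e.example", "AAAA", "::1"),
    ("f.example", "AAAA", "fe80::1"),
]

if __name__ == "__main__":
    for name, rrtype, addr in filter_answers(SAMPLE):
        print(name, rrtype, addr)
```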