Thanks, Bert, et al.! Based on this feedback and https://github.com/fumiyas/pdns-scripts/blob/master/recursor/filter-aaaa.lua, I tried this, and it seems to be working:

-- Domains (and their subdomains) whose AAAA records are dropped
blacklisted = newDS()
blacklisted:add{"netflix.com"}
blacklisted:add{"netflix.net"}

function postresolve(dq)
  if blacklisted:check(dq.qname) then
    local records = dq:getRecords()
    local records_new = {}
    -- Keep every record except AAAA
    for i, record in ipairs(records) do
      if record.type ~= pdns.AAAA then
        records_new[#records_new + 1] = record
      end
    end
    dq:setRecords(records_new)
  end
  return true
end

Now to see if the Netflix apps start behaving any better…

Thanks!

Nick

> On Oct 7, 2019, at 1:47 AM, bert hubert <bert.hub...@powerdns.com> wrote:
>
> Hello everyone,
>
> I used to use this script:
>
> --[[
> Sometimes, domains break when IPv6 is used. A common example is
> Netflix via an IPv6 tunnel, which Netflix interprets as a proxying
> attempt.
>
> This function strips IPv6 from one or more subdomains. It can be called
> with a single domain, like "netflix.com", or with a domain set, which
> is more efficient and scales very well.
>
> This file is meant for including, so you can call it from your
> preresolve.
> Alternatively, uncomment the activation code below and you can load it
> directly into your resolver with
> 'lua-dns-script=strip-ipv6-from-domains.lua'.
> ]]--
>
> function preventIPv6ForDomains(dq, domain)
>   local ds=newDS()
>   if(type(domain) == "string") then
>     ds:add{domain}
>   else
>     ds=domain
>   end
>   if(dq.qtype ~= pdns.AAAA) then return false end
>   if(ds:check(dq.qname)) then
>     dq.rcode = 0
>     return true
>   end
>   return false
> end
>
> -- To activate, uncomment the block below:
>
> netflix=newDS()
> netflix:add{"netflix.com"}
>
> function preresolve(dq)
>   return preventIPv6ForDomains(dq, "netflix.com")
> end
>
> Perhaps useful.
>
> Bert
>
>
> On Mon, Oct 07, 2019 at 02:23:07AM -0400, Aleksandr Rogozin via Pdns-users wrote:
>> Hi Nick,
>>
>> Since your request was to filter based on specific domains for qtype AAAA
>> with custom response, I suggest looking into Response Policy Zone (RPZ) or
>> LUA script.
>>
>> Best Regards,
>> Aleksandr
>>
>> On Sat, Oct 5, 2019 at 23:10 Nicholas Williams <nicho...@nicholaswilliams.net> wrote:
>>
>>> I’ve got a conundrum that has kind of come to a head for me. It may be
>>> 2019, but Comcast is still too incompetent to provide me with
>>> properly-working IPv6, so I’ve resorted to using a Hurricane Electric
>>> tunnel for IPv6 access. However, Netflix blocks all Hurricane Electric and
>>> similar tunnels under the assumption that you’re trying to scam their
>>> location identification and access content that you don’t have geographic
>>> access to and, worse, the Netflix apps prefer IPv6 over IPv4 when it’s
>>> available, so Hurricane Electric users are kinda screwed.
>>>
>>> In the past, I’ve dealt with this by adding a black hole route for
>>> Netflix’s IPv6 prefix. However, I’m now having to block THREE /48 prefixes
>>> in order to keep Netflix working, and from what I can tell that means I’m
>>> now blocking most of AWS’s entire CDN, so I’m losing out on IPv6 on a bunch
>>> of sites.
>>>
>>> This solution is really like using a sledgehammer to install a picture
>>> frame hanger (and having to replace the picture frame hanger every few
>>> months). A better solution is to prevent Netflix from doing AAAA lookups
>>> (or somehow filter them and respond with only A results). I’m already using
>>> PowerDNS Recursor for my DNS. Is there a way I can configure PowerDNS
>>> Recursor so that certain domains (like Netflix) respond with only A results
>>> and never return AAAA results, so that I can remove my blackhole routes?
>>>
>>> Thanks,
>>>
>>> Nick
>>>
>>> _______________________________________________
>>> Pdns-users mailing list
>>> Pdns-users@mailman.powerdns.com
>>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
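
An offline check of the postresolve filter from the top message, added here as an example; it is not part of the thread or of PowerDNS. The `pdns` table, `newDS` and `fakeDQ` are constructed stand-ins that model names as plain strings (the Recursor passes DNSName objects), and the answers are constructed samples.

```lua
-- Constructed stand-ins for the Recursor's Lua API (assumptions); names are plain strings.
pdns = { A = 1, CNAME = 5, AAAA = 28 }
function newDS()
  local ds = {}
  function ds:add(names) for _, n in ipairs(names) do self[#self + 1] = n:lower() end end
  function ds:check(qname) -- true for a listed name or any subdomain (label boundary)
    local name = qname:lower():gsub("%.$", "")
    for _, s in ipairs(self) do
      if name == s or name:sub(-(#s + 1)) == "." .. s then return true end
    end
    return false
  end
  return ds
end
local function fakeDQ(qname, types)
  local dq = { qname = qname, rcode = 0, records = {} }
  for _, t in ipairs(types) do dq.records[#dq.records + 1] = { type = t } end
  function dq:getRecords() return self.records end
  function dq:setRecords(r) self.records = r end
  return dq
end

blacklisted = newDS() -- the hook under test follows the one posted in the thread
blacklisted:add{"netflix.com", "netflix.net"}
function postresolve(dq)
  if blacklisted:check(dq.qname) then
    local kept = {}
    for _, record in ipairs(dq:getRecords()) do
      if record.type ~= pdns.AAAA then kept[#kept + 1] = record end
    end
    dq:setRecords(kept)
  end
  return true
end

-- Constructed cases: qname, record types in the answer, types expected afterwards.
local cases = {
  { "www.netflix.com", { pdns.CNAME, pdns.A, pdns.AAAA }, "5,1" },  -- mixed answer
  { "netflix.net.",    { pdns.AAAA, pdns.AAAA },          "" },     -- AAAA query: empty NOERROR
  { "notnetflix.com",  { pdns.AAAA },                     "28" },   -- look-alike name, untouched
  { "example.org",     { pdns.A, pdns.AAAA },             "1,28" }, -- unlisted name, untouched
}
for _, c in ipairs(cases) do
  local dq, got = fakeDQ(c[1], c[2]), {}
  postresolve(dq)
  for _, r in ipairs(dq.records) do got[#got + 1] = r.type end
  assert(table.concat(got, ",") == c[3] and dq.rcode == 0, c[1])
end
print("all cases passed")
```

The second case shows that for a plain AAAA query the postresolve filter ends at the same empty NOERROR answer that the quoted preresolve script returns directly.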