[FR] Option to provide only A/AAAA records #551
Comments
It would be possible to do this with a custom dynamic library module. Simply check the type of the query, and stop the query if it isn't
I'm having a similar issue, where fallback isn't working as expected. So, the situation is:
Now imagine the following scenario: the IPv6 server is down. What happens is:
This is extremely unpleasant and unnecessary, since the IPv4 is reachable through NAT64, but since unbound only translates records for which there is no AAAA record, it fails. If this should be in a separate issue let me know, but this is very bad and can break Happy Eyeballs. Thanks!
Hi @t-leslie, I found this issue while working on an AAAA-only feature for OPNsense. After some initial testing, this is what seems to work for me:
Yes, unbound still resolves A records and only filters them in the last step, but this seems acceptable to me. @tiagogaspar8, your issue is different and there actually is an option to "synthesize all AAAA records despite the presence of actual AAAA records":
I +1 this request. My reasoning is Chrome (and its forks) now no longer respect Windows prefix policy, my IPv6 goes over slow connectivity so I preference IPv4, the browser ignores it, so I get slow YouTube etc. So I am faced with either removing AAAA from DNS results or disabling IPv6 entirely, the former being less destructive. @maurice-w are you able to please provide your solution but for filtering IPv6 instead? Just WAN IPv6 not LAN IPv6. All IPv6 is ok if it can't do WAN only. Ended up using this for now; on pfSense I also had to patch unbound.inc to add respip support.
Little update: it will show both A and AAAA on the first result, and only filter from the 2nd result onwards. My analysis seems to indicate this will only filter 'cached' responses.
@maurice-w
@thomasschaeferm Yes, that's how I ended up implementing it in OPNsense without having to patch Unbound. Which is what @pavel-odintsov recently did in #819! Their approach looks much cleaner, so once it's made its way into an Unbound version used by OPNsense, I might switch to this solution.
@thomasschaeferm Thanks for this hint. Filtering AAAA with unbound can be configured with
Can we close this FR?
As part of moving our network to IPv6 only, we're using DNS64, which works as expected with unbound when querying AAAA records for sites that only have IPv4 setups.
One challenge in taking the next step is that there does not appear to be a way to have unbound provide only AAAA records. This results in IPv6 queries resulting in A records, and continued pressure/traffic on my IPv4 system, rather than transitioning all traffic other than needed IPv4 traffic to IPv6. I'm trying to have unbound ONLY provide AAAA records.
Perhaps I'm missing a respip setting or some other query option? Respip can filter all A queries (or all AAAA queries), but it doesn't get my dig commands to see the great responses waiting for them in AAAA land. Respip also seems heavy handed, filtering after a response comes back, rather than stopping it before going out.
I can see a situation where individuals may want to restrict responses to only be A records, though that is not my circumstance.
Secondary request: Since 'dns64 subnetcache respip validator iterator' works, can we also assume that 'dns64 respip validator iterator' works and remove the error code? All 'potential error' codes throw failure notices in OpenBSD's rc script, even if it would normally start.
```
#unbound -V
Version 1.13.2
Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --disable-explicit-port-randomisation --without-pthreads
Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.4.1
Linked modules: dns64 respip validator iterator
```
```
cat unbound.conf
server:
    verbosity: 1
forward-zone:
    name: "."
    forward-addr: 2620:fe::fe #Quad9 IPv6
    forward-addr: 2620:fe::9 #Quad9 IPv6-2
```
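The module route suggested in the first comment, applied to the original request to stop the query before it leaves rather than strip records after the response comes back the way respip does, as an added example that is neither this thread's nor Unbound's own code. It assumes an Unbound built with the Python module (the build shown in this issue is --without-pythonmodule), a placeholder script path, and a constructed policy that suppresses AAAA answers for everything except names under lan.example.

```python
# Added example (not from this thread or from Unbound): a Python module that
# answers one query type with an empty NOERROR (NODATA) reply before the
# iterator sends anything upstream. Needs Unbound built with pythonmod (the
# build in this issue is --without-pythonmodule). Assumed config fragment:
#   module-config: "dns64 python validator iterator"   # dns64 stays first
#   python-script: "/var/unbound/etc/typefilter.py"    # placeholder path
# MODULE_EVENT_*, DNSMessage, PKT_*, RCODE_* are injected by Unbound at runtime;
# should_filter() needs none of them, so the policy can be unit-tested alone.

QTYPE_A, QTYPE_AAAA = 1, 28          # DNS RR type codes
BLOCKED_QTYPE = QTYPE_AAAA           # constructed policy: suppress AAAA answers
EXEMPT_SUFFIXES = ("lan.example.",)  # ...except for LAN names (WAN-only filter)

def _normalize(name):
    return name.lower().rstrip(".") + "."   # one trailing dot, as qname_str has

def should_filter(qtype, qname, blocked=BLOCKED_QTYPE, exempt=EXEMPT_SUFFIXES):
    """True when the query is answered with NODATA instead of being resolved."""
    if qtype != blocked:
        return False
    n = _normalize(qname)
    for suffix in exempt:
        s = _normalize(suffix)
        if n == s or n.endswith("." + s):   # label-aware: notlan.example. stays
            return False
    return True

def init(id, cfg): return True
def deinit(id): return True
def inform_super(id, qstate, superqstate, qdata): return True

def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        if should_filter(qstate.qinfo.qtype, qstate.qinfo.qname_str):
            # Empty authoritative answer: the client sees NODATA for this type
            # and falls back to its other address family; nothing goes upstream.
            msg = DNSMessage(qstate.qinfo.qname_str, qstate.qinfo.qtype,
                             qstate.qinfo.qclass, PKT_QR | PKT_RA | PKT_AA)
            if not msg.set_return_msg(qstate):
                qstate.ext_state[id] = MODULE_ERROR
                return True
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED   # iterator never runs
            return True
        qstate.ext_state[id] = MODULE_WAIT_MODULE    # normal resolution
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Set BLOCKED_QTYPE to QTYPE_A for the AAAA-only setup the issue asks for; either way the filtered type is answered as NODATA rather than NXDOMAIN, so the other record type for the same name stays resolvable.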