block all AAAA queries for a specific domain?

Hi,

For debugging purposes, I am trying to block (only) AAAA queries for a specific domain and its subdomains.

Currently I have to specify them all by hand, which is cumbersome since the list is dynamic, e.g.:

         local-zone: "netflix.com" typetransparent
         local-data: "netflix.com AAAA ::1"
         local-data: "moderate.ftl.netflix.com AAAA ::1"
         local-data: "www.latency.prodaa.netflix.com AAAA ::1"
         local-data: "www.netflix.com AAAA ::1"
         local-data: "www.geo.netflix.com AAAA ::1"
         local-data: "ichnaea-web.netflix.com AAAA ::1"
         local-data: "appboot.netflix.com AAAA ::1"
         local-data: "appboot.latency.prodaa.netflix.com AAAA ::1"
         local-data: "ios.nccp.netflix.com AAAA ::1"
         local-data: "ichnaea-web.geo.netflix.com AAAA ::1"
         local-data: "ichnaea-web.us-west-2.prodaa.netflix.com AAAA ::1"
         local-data: "ichnaea-web.us-west-1.prodaa.netflix.com AAAA ::1"

I would rather have something like:
         local-zone: "netflix.com" typetransparent
         local-data: "*.netflix.com AAAA ::1"

Does somebody have a work-around available to make my debugging effort easier?

Best regards,
-Rick

...

For debugging purposes, I am trying to block (only) AAAA queries for
a specific domain and its subdomains.

...

Does somebody have a work-around available to make my debugging effort
easier?

This would certainly make my life easier as well, since netflix is
constantly adding new host names that I have to disable ipv6 for.

Ales suggested dnsdist [1] in front of the Unbound instance. It works fine for me, using the following configuration:

# cat /usr/local/etc/dnsdist.conf
-- Disallow Netflix AAAA queries
addAction(AndRule({RegexRule("netflix.com$"), QTypeRule(dnsdist.AAAA)}), RCodeAction(dnsdist.NXDOMAIN))

-- All other traffic to local Unbound instance (interface: 127.0.0.1@5353)
newServer("127.0.0.1:5353")

-- Local Network configuration
setLocal('127.0.0.1:53')
setACL('127.0.0.0/8')

addLocal('192.168.178.1:53')
addACL('192.168.178.1/24')

addLocal('[2001:984:ac89:ffff::1]:53')
addACL('2001:984:ac89::/48')

addLocal('172.17.107.20:53')
addACL('172.16.0.0/12')

However, a patch supporting wildcard domains in local-data would also be appreciated :)

Best regards,
-Rick

[1] https://dnsdist.org

Small note, the "." probably needs escaping: RegexRule("netflix\.com$")

Simon
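For reference, here is a dnsdist configuration that folds in Simon's point about the unescaped dot and goes one step further. This is an added example, not Rick's posted file and not part of the dnsdist project documentation. It replaces the regex with a label-based suffix match (a regex like "netflix.com$" also matches "notnetflix.com", and the bare "." matches any character), and it answers the blocked AAAA queries with an empty NOERROR response (NODATA) rather than NXDOMAIN, because NXDOMAIN asserts that the name does not exist for any type and a cache between dnsdist and the client may honour that for the A record as well. It assumes a dnsdist release that exposes the DNSQType and DNSRCode tables (1.4 and later); older releases spell the same constants dnsdist.AAAA and dnsdist.NXDOMAIN as in Rick's config. The listen addresses, ACL and Unbound port are placeholders taken from the thread and must be adjusted to the local network.

```lua
-- /usr/local/etc/dnsdist.conf (added example, not the configuration posted in the thread)

-- Names whose AAAA queries we refuse to forward. A SuffixMatchNode compares
-- DNS labels, so "netflix.com" matches itself and every subdomain, but
-- "notnetflix.com" or "netflixXcom" do not. This sidesteps both regex
-- problems (unescaped "." and no label-boundary anchor).
local noAAAA = newSuffixMatchNode()
noAAAA:add(newDNSName("netflix.com"))

-- If a regex is preferred anyway, this is the anchored, escaped form.
-- It is not used below; the suffix rule is the better tool for the job.
-- local noAAAARegex = RegexRule("(^|\\.)netflix\\.com$")

-- Reply to matching AAAA queries with an empty NOERROR answer (NODATA).
-- NXDOMAIN would claim the whole name is absent, which a resolver or stub
-- between dnsdist and the application may cache for the A lookup too.
-- The rule only fires for QTYPE AAAA, so A, HTTPS, TXT, etc. pass through.
addAction(
  AndRule({ SuffixMatchNodeRule(noAAAA), QTypeRule(DNSQType.AAAA) }),
  RCodeAction(DNSRCode.NOERROR)
)

-- Everything else is forwarded to the local Unbound instance
-- (assumed to listen on 127.0.0.1 port 5353, as in the thread).
newServer("127.0.0.1:5353")

-- Listen addresses and the clients allowed to use them (assumed values).
-- Network addresses are given with host bits cleared (.0/24), which is the
-- conventional way to write a prefix.
setLocal("127.0.0.1:53")
addLocal("192.168.178.1:53")
addLocal("[2001:984:ac89:ffff::1]:53")
addLocal("172.17.107.20:53")

setACL({
  "127.0.0.0/8",
  "192.168.178.0/24",
  "2001:984:ac89::/48",
  "172.16.0.0/12",
})
```

A quick check from a client on the allowed network: `dig @192.168.178.1 www.netflix.com AAAA` should come back NOERROR with an empty answer section, while `dig @192.168.178.1 www.netflix.com A` and `dig @192.168.178.1 notnetflix.com AAAA` are answered normally by Unbound. The empty NOERROR reply carries no SOA, so clients will not negatively cache it and will re-ask on every lookup; newer dnsdist releases provide NegativeAndSOAAction to attach a SOA with a TTL if that traffic becomes a nuisance.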