Is there a way to have Unbound filter/block AAAA records from being returned from a specific zone?
It seems like BIND might allow this using the filter-aaaa-on-v6 directive; I'm looking for something similar in Unbound.
The underlying issue is that we've recently added HE's IPv6 tunnelbroker to our network, but certain services *cough*Netflix*cough* reject traffic sent through an HE tunnel. I'm looking for a way to force problem services through IPv4, and it seems like one possible approach would be to limit their domains from retrieving AAAA records.
That's... Ugly. Effective though, and appreciated!
I was hoping for something that could work at the domain level rather than at the individual host level, but it appears only BIND offers this and I don't intend to switch from Unbound to BIND.
Can I assume this list has been at least somewhat static?
If not, or if I run into more services where this is an issue, I might need to bring up a BIND resolver just for these particular domains and have Unbound just forward these domains to BIND, but this too seems uglier than I'd like.
Either way, this will seem to get things working in the short term, and your efforts sorting it out and documenting are definitely making life easier in the short term, so my thanks!
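For readers arriving at this thread later, here is what the two approaches discussed above look like in unbound.conf. This is an added example, not configuration posted by anyone in the thread; the zone name and the 192.0.2.x addresses are constructed placeholders, not Netflix's real records. It relies on the documented behaviour of Unbound's local-zone types: under a `transparent` zone, a name that has local-data answers queries for other types (AAAA here) with an empty NODATA response, while names without local-data are still resolved normally; a `redirect` zone answers every name beneath it from the zone apex's data, which gives the zone-wide effect at the cost of handing every host the same A record.

```conf
server:
    # Host-level approach (the one reported to work above).
    # For each hostname that has local-data, an AAAA query is answered
    # NODATA because only A data exists; A queries get the data below.
    # Other names under the zone without local-data resolve normally.
    local-zone: "netflix.example." transparent
    # Constructed placeholders: replace with the real A records, e.g.
    # what `dig +short A <host>` returns, and keep them in sync.
    local-data: "www.netflix.example. IN A 192.0.2.10"
    local-data: "api.netflix.example. IN A 192.0.2.11"

    # Zone-wide variant: every name beneath the zone is answered from
    # the apex data, so AAAA is NODATA for all of them, but every host
    # also gets the same single A address. Only usable if that is
    # acceptable for the service in question. Commented out so the two
    # variants do not both claim the same zone.
    #local-zone: "netflix.example." redirect
    #local-data: "netflix.example. IN A 192.0.2.10"
```

Validate with `unbound-checkconf` before reloading, then confirm the effect with `dig AAAA www.netflix.example @127.0.0.1` (expect status NOERROR with an empty answer section) and `dig A www.netflix.example @127.0.0.1` (expect the local-data address). Because the A records are static copies, any CDN address change at the provider goes unnoticed until the entries are refreshed, which is the operational cost the thread calls "ugly".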
I didn't try it, so I wouldn't know what happens to non-AAAA in a variant of this wildcard config, but maybe something like that, changed to transparent, would work?: