TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

A Way to "Block" all AAAA Queries? #559

Closed KevinFumbles closed 1 year ago

KevinFumbles commented 1 year ago

I have been wanting to block all IPv6 traffic on my network, so I have a Reject rule on my firewall for all IPv6 traffic. However I also want to prevent clients from even attempting IPv6 by blocking all AAAA queries at the DNS level.

I tried using the Drop Requests app, but then I was getting some serious latency (~10 sec) due to the clients waiting for the AAAA response to connect, even though the A response was near instantaneous. Is there a way currently, or as an additional feature, to respond to all AAAA queries with :: instead of just dropping them - possibly with the Advanced Blocking app?

Thanks again for the amazing software!

ShreyasZare commented 1 year ago

Thanks for asking. Yes, you can do that with Conditional Forwarder zone.

Create a conditional forwarder zone with the name "." (i.e. the root zone) and select "This Server" as the forwarder. Once the zone is created, add an AAAA record with the subdomain name "*" (wildcard record) and enter the IPv6 address as "::". Now, for all AAAA queries, the record you added will be matched and returned, while any other record type will be internally forwarded to "This Server" and will resolve as usual.

Let me know if that works for you.

KevinFumbles commented 1 year ago

That seemed to work perfectly! Thanks!!

bcookatpcsd commented 1 year ago

Sorry for the bump..

Is this still the best way in July 2023?

The Drop Requests app seems to be the way.. but I could not figure out how it works..

Thank you in advance.

ShreyasZare commented 1 year ago

The Drop Requests app will work too, but the side effect of using it is that the client may keep retrying the AAAA request multiple times. If there are just a few clients then it may not be an issue, but if there are too many then there will be an unnecessary flood of AAAA requests, with each client retrying 2-3 times.

So, the conditional forwarder zone method works best, since the forwarder zone is designed to allow overriding responses.

bcookatpcsd commented 1 year ago

I put something together this AM on a segment..

image

This is the type 28 filtering image

I also added type 65 filtering..

In your experience.. any caveats about filtering type 65 out as well?

I cannot understand what the type 65 request is, I understand it to be like type 33..

Thank you in advance.

ShreyasZare commented 1 year ago

There is another option that you can try using the NO DATA app. Install the app and add an APP record in the forwarder zone with the record data JSON containing only the AAAA and HTTPS types. Remove the AAAA and HTTPS records that you added earlier. This will cause the DNS server to return an empty response instead of the :: address. I think that will be a much cleaner response to clients.

The HTTPS records are quite new and only a handful of websites are using them. Some web browsers support them, so they try to resolve the HTTPS record along with the A and AAAA records. The benefit of the HTTPS record is that the website can give the web browser a heads-up so that it can directly connect using HTTP/2 or HTTP/3 instead of trying to discover the protocol support and then upgrading. There are many more features that HTTPS records support which cannot be completely described in this short comment.

Since you want to block all IPv6 connections, blocking the HTTPS record too will be required.
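Whichever of the two methods above is used (wildcard AAAA record returning ::, or the NO DATA app returning an empty NOERROR answer), the practical check is the one done with drill later in this thread: query A, AAAA and HTTPS for the same name and confirm that only A still carries an answer. The script below is an added example and is not Technitium code; it builds and parses raw DNS wire-format messages with only the Python standard library, classifies a response as "answered", "unspecified" (AAAA answer of ::), or "nodata" (NOERROR with no matching answer), and reports whether the server matches the intended policy. The server address 10.20.0.6 and the name maps.google.com are taken from the thread; the `build_response` helper exists only so the classifier can be exercised offline on constructed packets.

```python
import socket
import struct
import sys

# RR type codes discussed in the thread: A=1, AAAA=28, HTTPS=65
QTYPE = {"A": 1, "AAAA": 28, "HTTPS": 65}
UNSPECIFIED_V6 = bytes(16)  # wire form of the :: address


def build_query(name, qtype, txid=0x1234):
    """Standard query, RD flag set, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query, rdatas):
    """Constructed test response: echoes the question and adds one RR per rdata,
    pointing at the question name with a compression pointer (0xC00C)."""
    txid, = struct.unpack("!H", query[:2])
    qtype, = struct.unpack("!H", query[-4:-2])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)  # QR, RD, RA
    body = query[12:]
    for rd in rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rd)) + rd
    return header + body


def _skip_name(msg, off):
    """Advance past a possibly compressed domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [(rtype, rdata), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return rcode, answers


def classify(msg, qtype):
    """Map a response to the categories seen in the drill output of this thread."""
    rcode, answers = parse_response(msg)
    if rcode != 0:
        return "rcode=%d" % rcode
    matching = [rd for rt, rd in answers if rt == qtype]
    if not matching:
        return "nodata"          # NOERROR, ANSWER: 0 (NO DATA app behaviour)
    if qtype == QTYPE["AAAA"] and all(rd == UNSPECIFIED_V6 for rd in matching):
        return "unspecified"     # wildcard AAAA record returning ::
    return "answered"


def check_server(server, name, timeout=2.0):
    """Query A, AAAA and HTTPS over UDP and classify each response (needs network)."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for tname, tcode in QTYPE.items():
            s.sendto(build_query(name, tcode), (server, 53))
            data, _ = s.recvfrom(4096)
            results[tname] = classify(data, tcode)
    return results


def policy_ok(results):
    """Intended end state from the thread: A still resolves, AAAA and HTTPS are suppressed."""
    return (results["A"] == "answered"
            and results["AAAA"] in ("nodata", "unspecified")
            and results["HTTPS"] == "nodata")


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.20.0.6"
    name = sys.argv[2] if len(sys.argv) > 2 else "maps.google.com"
    res = check_server(server, name)
    print(res, "OK" if policy_ok(res) else "policy NOT in effect")
```

Run it against the resolver after each configuration change (and after flushing the cache, as done in the thread), since a cached AAAA or HTTPS answer recorded before the zone was edited will still show up as "answered" until its TTL expires.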

bcookatpcsd commented 1 year ago

(just to share)

image

I have five different domains in this one snapshot of 'right now'

Like this? image

I saved and flushed cache.. image

Looks like I missed something..

 drill -s www.google.com @10.20.0.6 HTTPS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43404
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;; www.google.com.      IN      HTTPS

;; ANSWER SECTION:
www.google.com. 2379    IN      HTTPS   1 . alpn=h2,h3

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
www.google.com. 632     IN      A       142.251.33.68
www.google.com. 804     IN      AAAA    2607:f8b0:400a:806::2004

;; Query time: 0 msec
;; SERVER: 10.20.0.6
;; WHEN: Wed Jul 12 11:04:51 2023
;; MSG SIZE  rcvd: 101

(thank you..)

ShreyasZare commented 1 year ago

image

You need to make these changes:

Try again once these changes are done.

bcookatpcsd commented 1 year ago

image

Seemed to have figured it out..

bcookatpcsd commented 1 year ago

replied at the same time..

Made your suggestions..

image

The default @ record seems to need to be disabled.. otherwise I keep getting results from queries..

@ disabled

[I] root@void-d51d87 /e/d/logs (master)# drill -s maps.google.com @10.20.0.6 AAAA
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12779
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; maps.google.com.     IN      AAAA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.20.0.6
;; WHEN: Wed Jul 12 11:32:46 2023
;; MSG SIZE  rcvd: 33

@ enabled

[I] root@void-d51d87 /e/d/logs (master)# drill -s maps.google.com @10.20.0.6 AAAA
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28074
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; maps.google.com.     IN      AAAA

;; ANSWER SECTION:
maps.google.com.        612     IN      AAAA    2607:f8b0:400a:80a::200e

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.20.0.6
;; WHEN: Wed Jul 12 11:32:56 2023
;; MSG SIZE  rcvd: 61

bcookatpcsd commented 1 year ago

@ enabled

[I] root@void-d51d87 /e/d/logs (master)# drill -s www.google.com @10.20.0.6 HTTPS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 65358
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; www.google.com.      IN      HTTPS

;; ANSWER SECTION:
www.google.com. 2208    IN      HTTPS   1 . alpn=h2,h3

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
www.google.com. 482     IN      A       142.251.33.68

;; Query time: 0 msec
;; SERVER: 10.20.0.6
;; WHEN: Wed Jul 12 11:37:29 2023
;; MSG SIZE  rcvd: 73

@ disabled

[I] root@void-d51d87 /e/d/logs (master)# drill -s www.google.com @10.20.0.6 HTTPS
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12303
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.google.com.      IN      HTTPS

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.20.0.6
;; WHEN: Wed Jul 12 11:37:41 2023
;; MSG SIZE  rcvd: 32

bcookatpcsd commented 1 year ago

Just figured out what happens with @ turned off..

That's back on.. and APP is disabled..

ShreyasZare commented 1 year ago

It seems to be an issue with the NO DATA app for the wildcard case in the root zone scenario. Will get the app updated in a day so that it works as expected.

ShreyasZare commented 1 year ago

The NO DATA app is fixed. Do update the app and set up the forwarder zone as shown below:

image