BIND: Disabling IPv6 responses in bind dns server

When using Bind9 as the DNS service in your own network, it can be helpful to disable IPv6 (AAAA) responses so that clients do not try to communicate over IPv6 when IPv6 has not been set up.

When doing a DNS request for a domain which has both IPv4 and IPv6 entries, you might see a response like:

~] host www.example.org
www.example.org has address 93.184.216.34
www.example.org has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

# or
~] host www.wikipedia.org
www.wikipedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 91.198.174.192
dyna.wikimedia.org has IPv6 address 2620:0:862:ed1a::1

You can also check the IPv6 AAAA record with the dig utility:

~] dig AAAA www.example.org

; <<>> DiG 9.16.22-Debian <<>> AAAA www.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31420
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
; COOKIE: 405da6e620b47a7d010000006437cf4a86aedff0e973e470 (good)
;; QUESTION SECTION:
;www.example.org.               IN      AAAA

;; ANSWER SECTION:
www.example.org.        82447   IN      AAAA    2606:2800:220:1:248:1893:25c8:1946

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 13 11:45:46 CEST 2023
;; MSG SIZE  rcvd: 100

To disable IPv6 (AAAA) responses, we can filter them out of answers to DNS requests that arrive over IPv4 with the filter-aaaa.so plugin. filter-aaaa.so is a query plugin module for named that lets named omit some IPv6 addresses when responding to clients.

To do this, we edit /etc/bind/named.conf and add a new section for the filter-aaaa.so plugin:

plugin query "filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    filter-aaaa-on-v6 yes;
    filter-aaaa { any; };
};

Once this is done, reload the configuration or restart Bind9:

# reload bind configuration
~] rndc reload

# or restart bind dns server
~] systemctl restart named

Now you can check the new configuration:

~] host -4 www.wikipedia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

www.wikipedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 91.198.174.192

You also receive only the IPv4 record for DNS requests sent over IPv6:

~] host -6 www.wikipedia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: ::ffff:127.0.0.1#53
Aliases: 

www.wikipedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 91.198.174.192
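The two host commands above check the filtering by eye. The following script is an added example (not part of the original post) that automates the same check: it parses dig's output format shown earlier and reports whether any AAAA records remain in the answer section. The check_aaaa_filtered function and the sample dig outputs are constructed for this example; the sample uses the 2001:db8::1 documentation address rather than a real capture.

```shell
#!/bin/sh
# Added example: verify that a resolver strips AAAA records from its answers.

# answer_has_aaaa: read dig output on stdin, return 0 if the ANSWER SECTION
# contains at least one AAAA record, 1 otherwise.  dig prints answer records
# as "<name> <ttl> IN AAAA <address>", so field 3 is the class and field 4 the type.
answer_has_aaaa() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }   # start of answer records
        /^;;/                 { in_answer = 0 }         # any other section header ends it
        in_answer && $3 == "IN" && $4 == "AAAA" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# check_aaaa_filtered (hypothetical helper): query <server> for <name> over IPv4 (-4)
# or IPv6 (-6) and report whether AAAA records leak.  Requires dig and a running
# resolver, so it is not called at the top level of this script.
# Usage: check_aaaa_filtered 127.0.0.1 www.wikipedia.org -6
check_aaaa_filtered() {
    server=$1; name=$2; family=${3:--4}
    if dig "$family" @"$server" "$name" AAAA | answer_has_aaaa; then
        echo "AAAA records still returned for $name via $family from $server"
        return 1
    fi
    echo "no AAAA records for $name via $family from $server"
    return 0
}

# Constructed sample outputs in dig's format (not real captures) for an offline test.
SAMPLE_UNFILTERED=';; ANSWER SECTION:
www.example.org.        82447   IN      AAAA    2001:db8::1

;; Query time: 0 msec'

SAMPLE_FILTERED=';; QUESTION SECTION:
;www.example.org.               IN      AAAA

;; Query time: 0 msec'

if printf '%s\n' "$SAMPLE_UNFILTERED" | answer_has_aaaa; then
    echo "unfiltered sample: AAAA present (filtering NOT active)"
fi
if ! printf '%s\n' "$SAMPLE_FILTERED" | answer_has_aaaa; then
    echo "filtered sample: no AAAA records (filtering active)"
fi
```

Run the live check against both address families, since the plugin is configured separately for each (filter-aaaa-on-v4 and filter-aaaa-on-v6). One caveat worth knowing: with the value yes, the plugin leaves AAAA records in DNSSEC-signed answers when the client asked for DNSSEC (DO bit set); the BIND documentation describes the value break-dnssec for filtering those as well, so a check run with dig +dnssec may still show AAAA records on a validating resolver.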

Disabling IPv6 DNS responses when using a view statement

If you use a view statement in the BIND configuration, you may see this log message: "when using 'view' statements, all plugins must be defined in views".

You must define the configuration for the filter-aaaa.so plugin inside the view statement:

view "dns-default" {
    match-clients { any; };
    match-destinations { any; };
    recursion yes;

.
.
.

    plugin query "filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa-on-v6 yes;
        filter-aaaa { any; };
    };

};
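The placement rule above is easy to get wrong when a plugin block is added at the top of a named.conf that already contains views. As an added example (not from the original post or from BIND itself), the following script walks a named.conf, tracks brace depth, and fails when a plugin query statement sits at the top level while view statements exist. The plugins_inside_views function and the two sample configurations are constructed for this example; the awk scan only strips # and // line comments, not /* */ block comments.

```shell
#!/bin/sh
# Added example: check that plugin blocks live inside views when views are used.

# plugins_inside_views: read a named.conf on stdin.  Returns 1 when at least one
# "view" statement exists and a "plugin query" block is declared at brace depth 0
# (outside every view), which is the situation behind the log message
# "when using 'view' statements, all plugins must be defined in views".  Returns 0 otherwise.
plugins_inside_views() {
    awk '
        { sub(/(#|\/\/).*$/, "") }                      # drop # and // line comments
        /^[ \t]*view[ \t]/          { views++ }         # a view statement opens here
        /^[ \t]*plugin[ \t]+query/  {                   # depth is measured before this line'"'"'s braces
            if (depth == 0) top_level++; else nested++
        }
        {
            n = gsub(/[{]/, "{"); depth += n            # braces opened on this line
            n = gsub(/[}]/, "}"); depth -= n            # braces closed on this line
        }
        END {
            if (views > 0 && top_level > 0) exit 1
            exit 0
        }
    '
}

# Constructed sample configurations (not real files) for an offline test.
CONF_BAD='view "internal" {
    match-clients { any; };
};
plugin query "filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    filter-aaaa { any; };
};'

CONF_GOOD='view "internal" {
    match-clients { any; };
    plugin query "filter-aaaa.so" {   # plugin nested inside the view
        filter-aaaa-on-v4 yes;
        filter-aaaa { any; };
    };
};'

if printf '%s\n' "$CONF_BAD" | plugins_inside_views; then
    echo "bad config: passed (unexpected)"
else
    echo "bad config: plugin declared outside a view"
fi
if printf '%s\n' "$CONF_GOOD" | plugins_inside_views; then
    echo "good config: all plugins inside views"
fi

# Usage on a real file:  plugins_inside_views < /etc/bind/named.conf
```

Use this alongside named-checkconf, which validates the file's syntax before you run rndc reload; the script above only covers the one placement rule the log message describes, and a configuration with no views at all passes as expected.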
