Netgate Discussion Forum
    BIND filter-aaaa

      bruor @AberDino

      @aberdino might be good to post this over on the announcement thread, a lot of minor changes were being patched by the dev fairly quickly as they were reported over there.

      https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound


        Gertjan @AberDino

        @aberdino said in BIND filter-aaaa:

        For example, I have entered office.com in the list, and resolution of office.com returns only an IPv4 address, but outlook.ms-acdc.office.com returns both IPv4 and IPv6 addresses. The previous no-aaaa script had "office.com." as the domain, but if I include the last "." in pfBlockerNG-devel it doesn't work at all. Effectively I want IPv4 resolution only for "*.office.com". I presume that is possible in pfBlockerNG-devel?

        The upcoming version of pfBlocker, the one after 3.0.0_7 (not yet released, it's upcoming) will do this correctly:

        Consider:
        [image: 55fe0757-c989-4d3c-96f8-61d38e0a8e7b-image.png]

        (do a Force Update after saving these settings! - flush local DNS caches)

        [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host papy-team.org
        papy-team.org has address 87.98.136.44
        papy-team.org mail is handled by 20 mail2.papy-team.org.
        papy-team.org mail is handled by 10 mail.papy-team.org.
        [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.papy-team.org
        www.papy-team.org has address 87.98.136.44
        [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host pop.papy-team.org
        pop.papy-team.org has address 87.98.136.44
        

        So the domain itself and all subdomains will be A only.

        But in the case of "www.test-domaine.fr":

        [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host test-domaine.fr
        test-domaine.fr has address 5.196.43.182
        test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
        test-domaine.fr mail is handled by 20 mail2.test-domaine.fr.
        test-domaine.fr mail is handled by 10 mail.test-domaine.fr.
        test-domaine.fr mail is handled by 30 mail.test-domaine.fr.
        [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.test-domaine.fr
        www.test-domaine.fr has address 5.196.43.182
        www.test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
        

        Strange!!
        Only the subdomain www.test-domaine.fr should be "A" only (no AAAA). The domain itself will return an AAAA (that's OK), but the subdomain listed in the Python no AAAA list, "www.test-domaine.fr" (see above), also returns an AAAA!
        (note: I'm using the upcoming 0.0._8 version here, not yet released)

        I wonder:

        .papy-team.org
        

        should block AAAA for the domain and all possible sub (and sub-sub etc.) domains,
        and without the starting dot, like

        papy-team.org
        

        should block AAAA for the domain, and NOT for the subdomains?

        Remark

        1. I don't know if such a feature is needed.
        2. Should the syntax with the starting dot be inverted? Like ".papy-team.org" blocks this domain and all subdomains, and without the starting dot, like "papy-team.org", only that domain, without doing the wildcard thing?

        Edit: and where are the logs??


          bruor @Gertjan

          @gertjan your suggestion sounds best to me. Make it work exactly like the DNSBL whitelist function: leading "." for all subdomains, otherwise a single record.


            AberDino @bruor
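The rule Gertjan proposes above and bruor seconds (a leading "." covers the domain and every subdomain, no dot means that one name only) is easy to get subtly wrong: a naive substring or `endswith` check lets ".papy-team.org" swallow "notpapy-team.org", and a trailing root dot in the list ("office.com.") silently matches nothing, which is exactly what AberDino hit. The following is an added example, not pfBlockerNG's or Unbound's own code; it models the agreed semantics in plain Python over a constructed list and a constructed answer set, and leaves out the Unbound Python-module glue that would call `filter_answers` on a real response. The names `parse_rules`, `should_strip_aaaa`, `filter_answers` and the sample addresses are assumptions of this example.

```python
"""Leading-dot wildcard matching for a "no AAAA" domain list.

Constructed example (not pfBlockerNG's or Unbound's own code). It models the
semantics agreed in the thread:
  ".example.org"  -> suppress AAAA for example.org and every subdomain of it
  "example.org"   -> suppress AAAA for exactly example.org and nothing else
A trailing root dot ("office.com.") is tolerated, since that tripped the
original poster up.
"""
from typing import Iterable, List, Set, Tuple

Rules = Tuple[Set[str], Set[str]]   # (wildcard suffixes, exact names)
Record = Tuple[str, str, str]       # (owner name, rtype, rdata)


def normalize(name: str) -> str:
    """Case-fold and strip surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_rules(lines: Iterable[str]) -> Rules:
    """Split a no-AAAA list into wildcard suffixes and exact names.

    Blank lines and '#' comments are ignored. An entry that normalizes to an
    empty name (for example a bare ".") is dropped so it cannot match every query.
    """
    wildcards: Set[str] = set()
    exact: Set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("."):
            name = normalize(line[1:])
            if name:
                wildcards.add(name)
        else:
            name = normalize(line)
            if name:
                exact.add(name)
    return wildcards, exact


def should_strip_aaaa(qname: str, rules: Rules) -> bool:
    """True if AAAA answers for qname must be dropped under these rules."""
    wildcards, exact = rules
    name = normalize(qname)
    if name in exact or name in wildcards:
        return True
    # Wildcard entries match on label boundaries, never by raw substring, so
    # ".papy-team.org" covers pop.papy-team.org but not notpapy-team.org.
    labels = name.split(".")
    return any(".".join(labels[i:]) in wildcards for i in range(1, len(labels)))


def filter_answers(qname: str, answers: List[Record], rules: Rules) -> List[Record]:
    """Return the answer set with AAAA records removed when a rule matches."""
    if not should_strip_aaaa(qname, rules):
        return list(answers)
    return [rr for rr in answers if rr[1].upper() != "AAAA"]


# Constructed sample list and answers: the names come from the thread, the
# addresses are documentation ranges, not real resolver output.
SAMPLE_LIST = [
    "# no-AAAA list",
    ".papy-team.org",        # domain plus all subdomains
    "www.test-domaine.fr",   # this one host only
    "office.com.",           # trailing root dot is tolerated
]
SAMPLE_RULES = parse_rules(SAMPLE_LIST)

SAMPLE_ANSWERS: List[Record] = [
    ("www.test-domaine.fr", "A", "192.0.2.10"),
    ("www.test-domaine.fr", "AAAA", "2001:db8::10"),
]

if __name__ == "__main__":
    for q in ("papy-team.org", "pop.papy-team.org", "notpapy-team.org",
              "test-domaine.fr", "www.test-domaine.fr", "office.com",
              "outlook.ms-acdc.office.com"):
        print(f"{q:30} strip AAAA: {should_strip_aaaa(q, SAMPLE_RULES)}")
    print(filter_answers("www.test-domaine.fr", SAMPLE_ANSWERS, SAMPLE_RULES))
```

Run as a script to see each query name classified; `mail.test-domaine.fr` and `outlook.ms-acdc.office.com` keep their AAAA records because their list entries have no leading dot, which is the exact-match behaviour the thread settles on.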

            @bruor
            Agreed, and thank you both.


              AberDino

              @gertjan and @bruor
              This evening I upgraded to pfBlockerNG-devel 3.0.0_8, and I can confirm that AAAA blocking now works as indicated, i.e. with the leading "." only A records are returned for all subdomains and hosts. Many thanks for your help 👍.


                AberDino @AberDino

                @Gertjan and @bruor
                I might have spoken too soon, as it's not working now, I'll do some further digging...


                  AberDino @AberDino

                  @aberdino said in BIND filter-aaaa:

                  @Gertjan and @bruor
                  I might have spoken too soon, as it's not working now, I'll do some further digging...

                  Just to close this issue, I'm now on pfSense 2.5.0 with pfBlockerNG-devel 3.0.0_10 and the wildcard AAAA blocking works great. Thank you guys 👍


                    Nan0tEch

                    I wanted to add the no-aaaa script again to unbound when I stumbled on this thread, I'm running pfsense plus 22.05 and the latest pfblocker-ng 3.1.0_7. I cannot find the no-aaaa script as a setting in pfblocker-ng as shown by @Gertjan here.

                    Where can I find these settings for no-aaaa?


                      bruor @Nan0tEch

                      @nan0tech put pfblocker-ng in python mode under the DNSBL tab, "no AAAA" should be available in the list (has a lightning bolt next to it)


                        johnpoz LAYER 8 Global Moderator @Nan0tEch

                        @nan0tech this thread is quite old... the no AAAA thing is now here for easy consumption

                        [image: noaaaa.jpg]

                        Per @bruor's comment... I find pictures are easier for some users.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.