ipv6 disable on Pfsense
-
Hello all.
1.how to disable ipv6 on PfSense? for ifconfig not to give out a string inet6?
2. And DNS Resolver in Diagnostics\Tables\Table to Display not resolution ipv6 addresses?
for example:
178.18.231.121
178.18.231.122
2a02:26f0:d8:394::356e
2a02:26f0:d8:3a2::356e -
@lucas1 said in ipv6 disable on Pfsense:
1.how to disable ipv6 on PfSense? for ifconfig not to give out a string inet6?
By disabling it.
Here : System => Advanced => Networking and remove the check from "Allow IPv6".@lucas1 said in ipv6 disable on Pfsense:
- And DNS Resolver in Diagnostics\Tables\Table to Display not resolution ipv6 addresses?
Even if you disable IPv6, you can't disable IPv6 on pfSense itself.
These days, IPv6 is the main network protocol - and IPv4 is the "tolerated while time lasts" protocol.
So, your DNS - the Resolver - will still resolve any URL to AAAA and A if they exist.But if you disabled IPv6, IPv6 traffic won't pass the network interface anymore, so any device will fail back to IPv4 at the end.
edit : this forum works very well using IPv6 - as are the majority of all sites on the Internet.
Windows devices on your LAN : same thing. Except if you for them not to use IPv6.
Maybe it's time to really do what is good for the future : make you IPv6 work. -
Thanks for the answer.
System => Advanced => Networking and remove the check from "Allow IPv6".
This does not disable any IPv6 features on the firewallNo,
In FreeBSD releases 9.0 and later, IPv6 is enabled by default. To disable it,- Edit the file /etc/rc.conf
- Add the following line to the file
ipv6_network_interfaces="none" # Default is auto
Where rc.conf (or other file instead) in Pfsense 2_4_4p2? In etc\rc.conf - no change here writen.
-
Why is it you want to disable IPv6? If your ISP doesn't support it, then disabling it won't make a difference. If it is supported, why do you want to not use it?
-
Because in our local network is not used IPv6 and do not plan to introduce yet IPv6.
-
@lucas1 said in ipv6 disable on Pfsense:
Because in our local network is not used IPv6 and do not plan to introduce yet IPv6.
While ignoring IPv6 in 2019 is a big mistake, unchecking Allow IPv6 (and therefore silently blocking any IPv6 packages on the firewall) is completely fine. No need to tinker with the network stack and disable v6 on the system side just because you don't roll out IPv6 (yet!).
-
@lucas1 said in ipv6 disable on Pfsense:
Because in our local network is not used IPv6 and do not plan to introduce yet IPv6.
So, what does disabling it get you? As mentioned above, disabling it these days is a mistake as the world is moving to it.
Incidentally, while this has nothing to do with pfSense, if you're running Windows computers, IPv6 may already be in use. Some things won't work without it.
-
Don't enable IPv6 on your inside networks then.
If you don't want any IPv6 at all, do the same thing on your WAN(s).
-
@JKnott said in ipv6 disable on Pfsense:
IPv6 may already be in use. Some things won't work without it.
Sorry but this is just not true...
Because in our local network is not used IPv6 and do not plan to introduce yet IPv6.
This is actually the correct way to look at it... Until such time that they are ready to work with and control IPv6 correctly... It should be just turned off..
These days, IPv6 is the main network protocol - and IPv4 is the "tolerated while time lasts" protocol.
Yeah sorry not true... So 25% is the "main" protocol ;)
https://whynoipv6.com/
Out of the top 1000 Alexa sites, only 328 has IPv6 enabled, and 750 of them use nameservers with IPv6 enabled.
Of the total 902708 sites only 20.9% of them have IPv6.So only 21% of top 1000 sites are IPv6... Doesn't seem like majority protocol to me..
-
@johnpoz said in ipv6 disable on Pfsense:
Sorry but this is just not true...
Microsoft HomeGroup networking requires IPv6. It won't work without it. However, as it relies on link local addresses, pfSense wouldn't be involved. I believe some Microsoft games require IPv6 too, which is why Xbox supports Teredo, for use on networks that don't otherwise have IPv6.
Incidentally, last night I had a senior tech from my ISP at my home, to work on that IPv6 problem I mentioned a while ago. I saw he had Teredo enabled on his computer. I told him to get rid of it, as it can cause confusion when working on IPv6 problems, as he might be expected to do in his job. I also had to explain the difference between GUA and ULA addresses. It's real "fun" having to educate the support people about IPv6. I haven't talked to one yet that knows as much about IPv6 as I do.
They finally isolated the problem to the CMTS I'm connected to. I was trying to tell them that's where the problem was 2 months ago!.
-
Yeah the real barrier to IPv6 adoption is stupid ISP shenanigans.
Once people have the epiphany that you deal with the address space in /64 interfaces and not all those "wasted" host addresses things start clicking.
-
@Derelict said in ipv6 disable on Pfsense:
Yeah the real barrier to IPv6 adoption is stupid ISP shenanigans.
Once people have the epiphany that you deal with the address space in /64 interfaces and not all those "wasted" host addresses things start clicking.
I first noticed the problem back around New Years, when web pages were sluggish to load and my email app would time out, trying to send email. I discovered that IPv6 wasn't working, even though I had a prefix. I tried some testing, including pinging Yahoo, with Wireshark running between my modem and Firewall. I noticed if I pinged from pfSense, it worked, but not from anything behind it. That smelled like a prefix issue to me. I could see the correct prefix going out, but nothing at all coming back. Further, I made a capture when pfSense was booting up and found this little gem:
Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'
Even though I had demonstrated to tier 2 support that the problem was at the CMTS, the network guys didn't want to work on the problem, because they don't work on problems on customer's networks!!! I got the office of the president involved, and a bit of testing, on 2 occasions, by the senior tech, before they finally opened a ticket on the CMTS problem.
One mistake that senior tech made, when I wasn't here, was he tried pinging the ULA (the cable modem provides both GUA and ULA prefixes) on his computer and claimed everything worked. When he was here on the 2nd visit, I had to explain what he was doing wrong. Even when talking to tier 2 support, I had to explain how the WAN address was not used for routing and more.
What made it more frustrating was I had done some work at 3 of this company's head ends a few months back and I could describe their setup to them and where I thought the problem was, yet those network guys wouldn't budge.
They need a lot more training and I pointed out some key points, in an email I sent.
-
@JKnott said in ipv6 disable on Pfsense:
Microsoft HomeGroup networking requires IPv6. It won't work without it.
You mean the thing that is not even a thing any more and was never actually a thing in the first place... That thing required IPv6 ;)
Only reason it did was MS said it did.. Sure didn't even transfer files from machine A to B via smb over IPv6, etc..
https://www.microsoft.com/en-us/windows/Windows-10-specifications#feature-deprecation
Home Group: HomeGroup is removed starting with the April 2018 Update, but you still have the ability to share printers, files, and folders. When you update to the April 2018 Update from an earlier version of Windows 10, you won’t see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (Settings > Update & Security > Troubleshoot). Any printers, files, and folders you shared using HomeGroup will continue to be shared. Instead of using HomeGroup, you can now share printers, files, and folders by using features that are built into Windows 10: -
@johnpoz said in ipv6 disable on Pfsense:
You mean the thing that is not even a thing any more and was never actually a thing in the first place... That thing required IPv6 ;)
Yep, that's it and I knew it was deprecated. It used IPv6 link local addresses exclusively. I've never used it though. I run Linux here.
-
And that thing that was never a thing that only worked on the same L2.. That Shit ;) hehehe
I am all for moving to IPv6... But I am with derelict the real thing that is holding is back is ISP nonsense non really having a clue how to deploy it.
And I am so all for user wanting to disable something they are not ready to use.. Its a security problem if its not managed correctly, its a management nightmare if your not ready for it.. Its just more noise on the network if your not going to correctly set it up and configure it.
Its just another pain/failure point in the network, etc. etc.
So the correct thing to do until such time as your ready to embrace it and deploy it correctly is turn it freaking OFF.. Just like turn off any other protocol/service your not actively using..
Billy the user having it on not knowing wtf any of it means doesn't help the world migrate too it.. Now when billy goes to his isp and says I have to have it, and you better freaking give me a correctly deployed /48 and it doesn't freaking change every other week. Then maybe we can get some real progress..
The thing driving that is going to be resources that require IPv6... Where is the game that doesn't let you play unless you have IPv6? Why do console games not correctly use IPv6 so we are not having to deal with my Xbox is strict nat, etc. ;)
Where is the streaming service that says hey if you hit on IPv6 its $X cheaper a month or you can get access extra special library of media, etc.
My isp doesn't even have it, why - because their user base doesn't care and sure don't need it.. And those that do want to play/use it can just freaking tunnel it.. I just looked as of "Total Subscribers of 800,100 as of June 30, 2018" So while they are not comcast, they are not some ma pop isp either.
-
@johnpoz said in ipv6 disable on Pfsense:
And I am so all for user wanting to disable something they are not ready to use.. Its a security problem if its not managed correctly, its a management nightmare if your not ready for it.. Its just more noise on the network if your not going to correctly set it up and configure it.
What could be a problem is stuff like Teredo, which is on by default, yet most people don't know about it. Turning off IPv6 in pfSense would do nothing about that. As I mentioned above, that senior tech didn't know about it and it was causing him confusion, because he didn't know what he was looking at.
One of the points I made in that email was that Teredo be disabled on the computers techs use.
-
Its quite possible that his box is using teredo - sure.. I would hope if he is asking about turning off in pfsense he looked into turning it off in windows..
Simple enough to do with single reg entry or gpo, etc.
-
@JKnott said in ipv6 disable on Pfsense:
One of the points I made in that email was that Teredo be disabled on the computers techs use.
Or give the techs "real" computers to use.
-
I started using IPv6 long before my ISP offered it by using a tunnel from HE. It was quite a few years ago. (I'm a big fan of HE. If I could use them as my ISP, I would.) At the time I was using Sophos UTM as my router/firewall. One thing Sophos UTM does very well is provide usage reports. Using the monthly reports, it was easy to see how much of the traffic on my network was IPv4 or IPv6. Often, there were monthly reports where the IPv6 usage was well over 50%. In some cases, well over 75%. It depends on what the usage is.
While it's true that no one "needs" IPv6, many websites and services offer it and if you have it, access will be over IPv6. IPv6 is the preferred protocol for web browsers and for Office 365. Microsoft has invested heavily in IPv6 and it's preferred protocol for many Windows and Windows Server operating system features.
IMO, the more people that use IPv6, the more IPSs will get the message that it's the way to go. I can see no reason whatsoever for anyone to not enable IPv6 if they can. Even if I still had to implement a tunnel, I would do so.
-
Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.
Using a workstation that thinks it has IPv6 but doesn't is not a good experience.
-
@Derelict said in ipv6 disable on Pfsense:
Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.
Using a workstation that thinks it has IPv6 but doesn't is not a good experience.
Maybe this is a sweeping generality, but I would hope that anyone who can set up pfsense (or something similar) and set up a tunnel should be able to determine if IPv6 is working properly or not.
Also, I agree that using a computer that thinks it has IPv6, but it doesn't isn't a good experience. I've experienced exactly that, but the other way around. A company I worked for did not "support" IPv6. As far as I know, IPv6 was "disabled" by the IT department using a third party security solution installed on the computer. As long as the computer was on a network that didn't support IPV6, it worked fine. As soon as it was connected to a network that had working IPv6, it got an IPv6 address, and the Office 365 applications (Outlook, Skype, etc.) used it, because that's what they're supposed to do. Of course, since IPv6 on the computer was broken, these applications didn't work properly. Every time they tried to go to the network, the request over IPv6 had to time out, so they basically ground to a halt. The only way this could be "fixed" was by disabling IPv6 in the network adapter. None of this would have happened if IPv6 was just allowed to work out of the box, the way it's supposed to.
-
@bimmerdriver said in ipv6 disable on Pfsense:
started using IPv6 long before my ISP offered it by using a tunnel from HE.
I also used a 6in4 tunnel, but not from HE.
Or give the techs "real" computers to use.
He had one of those rugged Panasonic computers, but it was running Windows. I find Linux is much better for working on networking issues.
-
In the properties of the interfaces IPv6 set in Pfsense "None".
I repeat,
this is interested in turning off:
1.how to disable ipv6 on PfSense? for ifconfig not to give out a string inet6?
2. And DNS Resolver in Diagnostics\Tables\Table to Display not resolution ipv6 addresses?
for example:
178.18.231.121
178.18.231.122
2a02:26f0:d8:394::356e
2a02:26f0:d8:3a2::356ehow is it most likely done by means FreeBSD 11?
Through rc.conf, loader.conf, sysctl I did not find how to do it or in other ways. -
@lucas1 said in ipv6 disable on Pfsense:
1.how to disable ipv6 on PfSense? for ifconfig not to give out a string inet6?
Why do you persist in that, if you are told multiple times now, that it simply isn't necessary?! It doesn't matter if the interface still outputs an inet6 with a fe80 link local address - if the general switch is off OR you didn't configure any IPv6 rules on an interface, all IPv6 traffic is blocked and ignored!
- And DNS Resolver in Diagnostics\Tables\Table to Display not resolution ipv6 addresses?
DNS is supposed to answer your request with what is configured in the DNS zone. If the domain has AAAA entries, those are shown. If your client has no IPv6 capable interface, it won't use them. If you're not sure your clients behave correctly you can also set the advanced option to prefer IPv4 over IPv6 when answering.
Otherwise I don't see the problem - an interface configured without IPv6 doesn't talk over IPv6. -
Just turn off get dns from dhcp and those go away.. Out of the box pfsense should be resolving anyway - you have zero need for any dns from your isp be it ipv4 or ipv6.
-
A good answer is just a little nervous start. -> ?!
Yes, I agree about resolution DNS in Diagnostics\Tables\Table and so what IPv6 traffic is blocked
and option to prefer IPv4 .But you yourself wrote - an interface configured without IPv6 doesn't talk over IPv6.
This action (interface configured without IPv6) immediately performs and replaces the necessary settings System\Advanced\Networking.
And in general, why should I not learn how to disable IPv6 in FreeBSD and/or PfSense? -
@johnpoz said in ipv6 disable on Pfsense:
So only 21% of top 1000 sites are IPv6... Doesn't seem like majority protocol to me..
Ok, very true, if you "isolate" your view to public stats, taken from 'public' routers.
When I wrote "the main network protocol" is was more thinking about all network traffic, thus also what's being used locally, on our LAN's - device to device, etc.
Example : when my ISP (Orange, France) starts to deploy 'IPv6' a whopping 30 million users will suddenly throwing out IPv6 traffic if a point-to-point connection can be made. -
@Gertjan Additionally, the graph from Google clearly states "among Google users". Not everyone (including border routers, servers, etc.) is a Google user ;) So ~23% from Google ist definitly lower than reality.
-
Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..
Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe
You guys can all dream about it all you want... I work in the biz... While there might be traffic... Its not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. .Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)
But once you move those all to IPv6 - the rest of its going to be slow to come to the plate..
-
@johnpoz said in ipv6 disable on Pfsense:
Its not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. .Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)
My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.
BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.
-
@JKnott said in ipv6 disable on Pfsense:
@johnpoz said in ipv6 disable on Pfsense:
Its not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. .Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)
My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.
BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.
Some of my colleagues in Germany have an ISP that provides IPv4 over IPv6.
Sorry to hear about your ISP grief. What a PITA. FWIW, Telus has no issues at all with pfSense.
-
@johnpoz said in ipv6 disable on Pfsense:
Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..
Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe
You guys can all dream about it all you want... I work in the biz... While there might be traffic... Its not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest.. .Yeah when you have a bajillion phones kind of hard to give the IPv4 ;)
But once you move those all to IPv6 - the rest of its going to be slow to come to the plate..
They are waiting to see if anyone actually uses it? Seriously? If that wasn't a tongue in cheek comment, it's a demonstration of ignorance, not intelligence. Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7 era. Unless someone goes out of their way to disable IPv6, every PC running Windows 7 or newer is IPv6 ready out of the box. AFAIK, all new mobile phones support it and have so for several years. Macs support it. Many websites support IPv6, in particular a lot of high usage websites. The only reason IPv6 isn't the overwhelming majority protocol is because IPSs have dragged their asses to support it.
-
@bimmerdriver said in ipv6 disable on Pfsense:
FWIW, Telus has no issues at all with pfSense.
Rogers also works fine with pfSense. The issue is with the CMTS I'm connected to. The people who are responsible for fixing this don't seem to want to as I have my own firewall/router, despite the fact that it also fails in gateway mode, affects a neighbour and even when the senior tech came with his own modem and it also failed. Despite all that and much more, including getting the Office of the President involved, they won't fix it. I even identified the system that failed for them and the senior tech proved it again, when he went to the head end and tested there. Yet they still cancelled the ticket, without making any attempt to fix the problem. Someone is due for some serious disciplinary action.
-
@JKnott Start sending your payments to whatever amounts to your public utilities commission. At least that's how it works here.
Though cable/internet is a little nebulous as to exactly where they fall legislatively and it seems to change depending on wind direction here.
-
@bimmerdriver said in ipv6 disable on Pfsense:
Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7
Actually, XP SP3 almost fully supported it. There was some minor thing that didn't work, but it didn't have much effect overall. I know it worked fine for me. My first Android phone, a Google Nexus 1 also supported IPv6 and my current Pixel 2 even has IPv6 tethering, with a full /64 prefix.
-
The option to disable AAAA DNS requests would be nice due to the amount of junk AAAA traffic that is generated otherwise. For example, I have an Icinga service running on a Debian system that looks up clients by DNS name. It issues AAAA lookups for the main domain (which fail because no AAAA record exists) and then appends the default search domain (which also fails). These generate multiple
info: query response was NXDOMAIN ANSWER
andinfo: query response was THROWAWAY
log entries. Neither my ISP nor the ISPs at many of the locations being monitored provide IPv6. I could save the DNS servers the wasted bandwidth and my log files the wasted entries if I could just turn off AAAA record resolution.Along those lines, it is considerate not to hammer DNS providers with queries for things that don't exist.
https://www.theregister.com/2021/02/04/chromium_dns_traffic_drop/
-
@sorenstoutner said in ipv6 disable on Pfsense:
I could just turn off AAAA record resolution.
That should be done on the client.. Which is pretty much impossible even when they don't have ipv6 enabled.. They will still do query for AAAA, pretty stupid if you ask me..
You can stop unbound fro resolving them - but where you should be able to turn it off is the client.
https://forum.netgate.com/topic/151745/bind-filter-aaaa
I thought there was even a newer thread - but that is the first one that came up searching..
There is a no-aaaa.py you can load right in the gui for specific domains, maybe the script could be edited for any AAAA, and I know pfblocker is doing something with AAAA as of recent updates.
If you run bind you can run the no AAAA
edit: Took me a minute to remember it.. But you can use this in the options box in unbound
server:
private-address: ::/0unbound still will try to resolve AAAA, but client will not get an answer. So not really the best solution.. Best solution is to get your client to stop asking for AAAA when they can not use them ;) Which if you know of way - happy to hear about it.. Not a fan of that at all - its just noise..
People think - oh its just a simple query, what could it hurt... Well your link to the chrome nonsense they finally fixed is perfect example of what it can hurt..
Related to noise - I am hoping I finally got my phone from constantly asking for stupid lb._dns-sd._udp.blahblah queries.. 100's of them, multiple different iterations.. Was like 2000 some queries a day... I knew it was some app on my phone - but sure which one.. Turned off all the background refresh on everything that I don't specific want.. And they stopped ;)
2000 in 24, not big deal.. But it would forward those to unbound.. I never looked but unbound prob trying to resolve them.. Just stupid noise - no need for it... If you want to look for something - sure ask, but if you don't get the answer you want.. Don't keep asking every 30 freaking seconds ;)
-
That should be done on the client.. Which is pretty much impossible even when they don't have ipv6 enabled.. They will still do query for AAAA, pretty stupid if you ask me..
I completely agree. However, it appears that there is no way to do this system-wide on modern Linux.
https://serverfault.com/questions/632665/how-to-disable-aaaa-lookups
The only way to accomplish this is to replace all instances of
gethostbyname()
withgetaddrinfo()
in the source code of every single program and then specify theai_family
isAF_INET
.Thanks for the link to the python script. it just seems like this is a lot of work for something where there should be a simple option at the client OS level, and, failing that, there should be a checkbox on the DNS Resolver page to turn it off. For example, if I don't have an IPv6 address on my client, it shouldn't make AAAA queries. And, if I have disabled IPv6 on pfSense, it should also not forward AAAA queries.
-
Preaching to the choir my brother - sing it ;)
Maybe you missed my edit ;) I hate freaking NOISE!! AAAA queries when you have no IPv6 are NOISE.. Just like freaking windows and their hunger to flood your network with SSDP, and LLMNR.. If I want that shit - let me turn it on ;)
The no-aaaa.py will stop unbound from doing the query.. But I have not looked into an edit to do it for all AAAA.. Might be simple - maybe take a look later. The simple way to just stop your client from getting an answer is with the private-address. But that prob won't stop him from asking and asking and asking.. Like freaking energizer bunnies - dude what about the 10k no answer you got, how about backing of your asking for it...
Dude now you got me started ;) hehehehe
edit: Yeah what they should work, since they got rid of 80Billion queries that were NOISE.. Now how about stopping asking for AAAA when you have no IPv6... I concur unbound shouldn't process them if it has no IPv6 address. Or a simple flag to just turn them off - the filter AAAA in bind does that I believe.
But still doesn't stop all the local noise to local NS when clients keep asking for shit they can not ever use..
-
@johnpoz said in ipv6 disable on Pfsense:
Might be simple - maybe take a look later.
I'll check this weekend. It's probably an easy fix.
https://unix.stackexchange.com/questions/444282/how-to-disable-ip6-lookups-in-unbound
@johnpoz said in ipv6 disable on Pfsense:
about stopping asking for AAAA
If a process on some LAN based client asks the local resolver, unbound, to look up a A, unbound will look up the A. Same thing for MX, or AAAA.
All this over IPv4.
It might be wise (but probably impossible) to instruct the software we use on our devices to stop asking for AAAA. After all, why asking for a AAAA if IPv6isn't enabled on the device ? or the network doesn't offer IPv6 capabilities ?
Unbound is just doing what it's asked to do, amplifying the noise.edit : what the heck : this might be easy :
I wrote a new no-aaaa-v2.py version, by only pressing on the delete key.
This is it :
def init(id, cfg): return True def deinit(id): return True def inform_super(id, qstate, superqstate, qdata): return True def operate(id, event, qstate, qdata): if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS: if qstate.qinfo.qtype != RR_TYPE_AAAA: qstate.ext_state[id] = MODULE_WAIT_MODULE return True msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA) if not msg.set_return_msg(qstate): qstate.ext_state[id] = MODULE_ERROR return True qstate.return_msg.rep.security = 2 qstate.return_rcode = RCODE_NOERROR qstate.ext_state[id] = MODULE_FINISHED log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str) return True if event == MODULE_EVENT_MODDONE: qstate.ext_state[id] = MODULE_FINISHED return True qstate.ext_state[id] = MODULE_ERROR return True log_info("pythonmod: no-aaaa-v2.py script loaded")
World's smallest py module for unbound.
Copy it here : /var/unbound/no-aaaa-v2.py
Select it under the resolver settings :
And apply the new settings.
Check that your resolver logs are filled withMy network is IPv6 capable, so hundreds of logs lines per minute were shown.
New noise ^^ - to remove all these log lines, remove :log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
from the script.
Take note :
When you use no-aaaa-v2.py, you can't use the pfBlockerng-devel py module .
I tested this for 5 minutes or so, and fully confined that there are no bugs, as I only removed lines. I didn't add something. ;)