Prevent unbound resolving IPv6 for one domain
-
@bruor said in Prevent unbound resolving IPv6 for one domain:
The issue I'm seeing through is that since 2.4.5, when enabled, unbound will eat all memory until the firewall locks up.
I rebooted last Tuesday - one week.
I'm using that no-aaaa.py script for some .... two years now ?
Never saw a issue related with memory (or more precise unbound, or unbound using a script).
The script loads and works fine :May 28 08:16:53 unbound 18491:0 info: pythonmod: aaaa script loadedCan you develop ?
-
@bruor I did this but the module doesn't show up to select. Do I have to reboot the machine?
-
No reboot needed.
Place the file in the /var/unbound directory.
chmod it to owner unbound:unbound (this might be optional)
Now, visit the Resolver GUI.You should be able to choose :
Note : the file name doesn't mather. It should have a dot py extensuion, and it must be a valid Python file.
The python file itself needs to be edited : you have to enter the (sub) domain names that need to be filtered.
-
I did this all but not chmod it. I can't select it from the modules menue.
How to chmod it? Maybe that's the problem?
-
Oops.
Not "chmod" as the world/group/user right are probably just fine with their default values.
" -rw-r--r-- ".The owner should (?) be changed : keeping it "root" isn't a good idea anyway.
So, it will be chown.
Use console, or far better (easier) use SSH, and when you entered, seeing the menu, chose option 8.
Then :
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cd /var/unbound/ [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al netflix- no-aaaa.py -rw-r--r-- 1 unbound unbound 1582 May 27 18:14 netflix-no-aaaa.py [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: chown unbound:unbound netflix-no-aaaa.py Note : mine was already "unbound unbound".edit : do yourself a huge favour.
Never ever use a GUI for these manipulations.
Some OS'es, like - exemple - Windows, with decades of programming and thousands of engineers might have pulled it of : you can use Explorer to navigate and interact with the file system .... (and still ..... serious intercations need the command line).
Use the native command line access.
It's a live saver. -
OK I did everything again and now it works! Didn't need to chmod anything.
Can I just enter for example ".google.com" so that everything with that domain is not resolved in AAAA? So maps.google.com and so on? Or do I need to enter every possible domain?
-
@mrsunfire said in Prevent unbound resolving IPv6 for one domain:
maps.google.com and so on?
That is :
.maps.google.comA sub domain is not the same as a domain name, so yes, ".google.com" won't include the sub domains.
-
Ok thanks so far!
-
@Gertjan On my install, if I enter subdomains like you have in the domains list they do not get filtered out. I have to enter them with a trailing "." character for them to be evaluated by the script.
domains = [ "smtp-relay.gmail.com", "youtube.com.", "googlevideo.com.", "ytimg.com.", # "netflix.com.", # "netflix.net.", # "nflxext.com.", # "nflximg.net.", # "nflxvideo.net.", # "nflxso.net.", ]Non-authoritative answer: Name: smtp-relay.gmail.com Addresses: 2607:f8b0:4001:c05::1c 209.85.144.28However, with the trailing dot on each line, the listed name, and all subdomains appear to be filtered as expected.
domains = [ "smtp-relay.gmail.com.", "youtube.com.", "googlevideo.com.", "ytimg.com.", # "netflix.com.", # "netflix.net.", # "nflxext.com.", # "nflximg.net.", # "nflxvideo.net.", # "nflxso.net.", ]Non-authoritative answer: Name: smtp-relay.gmail.com Address: 209.85.144.28 Non-authoritative answer: Name: i.ytimg.com Address: 172.217.164.246 -
@mrsunfire If you make sure that you don't have the "register DHCP leases in the DNS resolver" option enabled you'll experience no issues :)
-
I don‘t have this enabled and it works like a charm. :)
