Netgate Discussion Forum

    Prevent unbound resolving IPv6 for one domain

    Category: DHCP and DNS. 14 Posts, 3 Posters, 2.2k Views
    mrsunfire @bruor:

      @bruor I did this but the module doesn't show up to select. Do I have to reboot the machine?

      Netgate 6100 MAX

      Gertjan:

        No reboot needed.

        Place the file in the /var/unbound directory.
        chmod it to owner unbound:unbound (this might be optional)
        Now, visit the Resolver GUI.

        You should be able to choose it from the list (screenshot omitted).

        Note: the file name doesn't matter. It should have a .py extension, and it must be a valid Python file.

        The Python file itself needs to be edited: you have to enter the (sub)domain names that need to be filtered.


        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        mrsunfire:

          I did all of this but didn't chmod it. I can't select it from the modules menu.

          How to chmod it? Maybe that's the problem?


          Gertjan:

            Oops.
            Not "chmod", as the world/group/user rights are probably just fine with their default values:
            "-rw-r--r--".

            The owner should (?) be changed : keeping it "root" isn't a good idea anyway.

            So, it will be chown.

            Use the console, or far better (easier) use SSH, and when you have entered and see the menu, choose option 8.

            Then :

            [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cd /var/unbound/
            [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al netflix-no-aaaa.py
            -rw-r--r--  1 unbound  unbound  1582 May 27 18:14 netflix-no-aaaa.py
            [2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: chown unbound:unbound netflix-no-aaaa.py
            
            
            Note : mine was already "unbound  unbound".
            

            Edit: do yourself a huge favour.
            Never ever use a GUI for these manipulations.
            Some OSes, like, for example, Windows, with decades of programming and thousands of engineers, might have pulled it off: you can use Explorer to navigate and interact with the file system .... (and still ..... serious interactions need the command line).
            Use the native command line access.
            It's a life saver.

              mrsunfire:

              OK I did everything again and now it works! Didn't need to chmod anything.

              Can I just enter for example ".google.com" so that everything with that domain is not resolved in AAAA? So maps.google.com and so on? Or do I need to enter every possible domain?

                Gertjan @mrsunfire:

                @mrsunfire said in Prevent unbound resolving IPv6 for one domain:

                maps.google.com and so on?

                That is :

                .maps.google.com
                

                A subdomain is not the same as a domain name, so yes, ".google.com" won't include the subdomains.

                  mrsunfire:

                  Ok thanks so far!

                    bruor @Gertjan:

                    @Gertjan On my install, if I enter subdomains like you have in the domains list they do not get filtered out. I have to enter them with a trailing "." character for them to be evaluated by the script.

                    domains = [
                        "smtp-relay.gmail.com",
                        "youtube.com.",
                        "googlevideo.com.",
                        "ytimg.com.",
                    #    "netflix.com.",
                    #    "netflix.net.",
                    #    "nflxext.com.",
                    #    "nflximg.net.",
                    #    "nflxvideo.net.",
                    #    "nflxso.net.",
                    ]
                    
                    Non-authoritative answer:
                    Name:    smtp-relay.gmail.com
                    Addresses:  2607:f8b0:4001:c05::1c
                              209.85.144.28
                    

                    However, with the trailing dot on each line, the listed name, and all subdomains appear to be filtered as expected.

                    domains = [
                        "smtp-relay.gmail.com.",
                        "youtube.com.",
                        "googlevideo.com.",
                        "ytimg.com.",
                    #    "netflix.com.",
                    #    "netflix.net.",
                    #    "nflxext.com.",
                    #    "nflximg.net.",
                    #    "nflxvideo.net.",
                    #    "nflxso.net.",
                    ]
                    
                    Non-authoritative answer:
                    Name:    smtp-relay.gmail.com
                    Address:  209.85.144.28
                    
                    Non-authoritative answer:
                    Name:    i.ytimg.com
                    Address:  172.217.164.246
                    
                      bruor @mrsunfire:
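                    The matching behaviour bruor describes above (a listed name covers itself and all of its subdomains once it is written in the same FQDN form unbound uses), worked through as a complete unbound Python module. This is an added example written for this page, not the script the posters are using; the NO_AAAA_DOMAINS list, the names normalise() and is_filtered(), and the sample entries are my own. It goes beyond the thread's script in two ways: entries are normalised, so neither the trailing dot nor the leading dot of ".google.com" asked about earlier matters, and the suffix test is anchored on a label boundary, so "youtube.com." does not also catch "notyoutube.com.". The hook functions follow the structure of the example module in unbound's pythonmod documentation and use the names unbound injects when it loads the file (MODULE_EVENT_NEW, RR_TYPE_AAAA, DNSMessage and so on); only the two pure helpers can be run outside unbound.

```python
"""Unbound Python module: answer AAAA queries for listed domains with an
empty NOERROR reply so clients fall back to A records.

Added example for this thread, not the script the posters are using.
The pure helpers (normalise, is_filtered) run anywhere; the hooks below
them rely on names unbound injects at load time (MODULE_EVENT_NEW,
RR_TYPE_AAAA, DNSMessage, ...).
"""

# Assumed list for illustration. Entries may be written with or without
# a leading or trailing dot; they are normalised to FQDN form before use.
NO_AAAA_DOMAINS = [
    "smtp-relay.gmail.com.",
    "youtube.com.",
    "googlevideo.com.",
    "ytimg.com.",
]


def normalise(name):
    """Lower-case, strip leading/trailing dots, re-add one trailing dot.

    Unbound hands qnames over as FQDNs ('www.youtube.com.'), so a list
    entry only ever matches if it is in the same form. This also lets
    '.google.com' mean 'google.com.' (and its subdomains).
    """
    return name.strip().lower().strip(".") + "."


def is_filtered(qname, domains=NO_AAAA_DOMAINS):
    """True if qname equals a listed domain or is a subdomain of one.

    The suffix check is anchored on a label boundary: 'www.youtube.com.'
    matches 'youtube.com.', but 'notyoutube.com.' does not. A bare
    qname.endswith(domain) test would also match the latter.
    """
    q = normalise(qname)
    for entry in domains:
        d = normalise(entry)
        if q == d or q.endswith("." + d):
            return True
    return False


# --- unbound module hooks (names and signatures as in unbound's pythonmod examples) ---

def init(id, cfg):
    log_info("no-aaaa: filtering AAAA for %d domain(s)" % len(NO_AAAA_DOMAINS))
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        qi = qstate.qinfo
        if qi.qtype == RR_TYPE_AAAA and is_filtered(qi.qname_str):
            # Build an empty, authoritative NOERROR answer for the AAAA query.
            msg = DNSMessage(qi.qname_str, RR_TYPE_AAAA, RR_CLASS_IN,
                             PKT_QR | PKT_RA | PKT_AA)
            if not msg.set_return_msg(qstate):
                qstate.ext_state[id] = MODULE_ERROR
                return True
            # Mark the reply as validated so it is served as-is, as the
            # example module in unbound's documentation does.
            qstate.return_msg.rep.security = 2
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        # Not ours: hand the query on to the next module (the iterator).
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

                    Deploy it the way the thread describes: copy the file to /var/unbound with a .py extension, chown it to unbound:unbound, and select it as the Python module in the Resolver GUI. A quick check from a client is an AAAA lookup for a listed name (for example with dig or nslookup against the firewall), which should come back NOERROR with an empty answer section, while an A lookup for the same name still returns an address.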

                      @mrsunfire If you make sure that you don't have the "register DHCP leases in the DNS resolver" option enabled you'll experience no issues :)

                        mrsunfire:

                        I don't have this enabled and it works like a charm. :)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.