Netgate Discussion Forum

    BIND filter-aaaa

    DHCP and DNS
    39 Posts 10 Posters 7.3k Views
      AberDino

      Yesterday, I upgraded pfSense to 2.4.5 (without issues I might add) and I updated all my packages, including BIND. The BIND version is now 9.14_2.

      I am using BIND purely to filter out IPv6 addresses for certain domains (domain overrides set up on DNS resolver), because I'm using a HE IPv6 tunnel and certain services don't work across this tunnel, as reported elsewhere. I used the "filter-aaaa-on-v4 yes" option for this, in the BIND custom options box. This used to work well, but not any more.

      From what I can tell, this functionality used to be implemented natively, but now needs a plugin "filter-aaaa.so". So, I removed the "filter-aaaa-on-v4 yes" custom option, and in the global settings box I added:

      plugin query "/usr/local/lib/named/filter-aaaa.so" {
              filter-aaaa-on-v4 yes;
      };
      

      I have verified that the "filter-aaaa.so" file is in the correct location, and the entries appear properly in "named.conf". However, BIND is not liking it for some reason:

      failed to dlopen() plugin '/usr/local/lib/named/filter-aaaa.so': Cannot open "/usr/local/lib/named/filter-aaaa.so"
      /usr/local/lib/named/filter-aaaa.so: plugin configuration failed: failure
      

      Any thoughts on how I could get this working again?

      Thanks in advance.

        bmeeks

        Just a wild guess on my part, but maybe check file permissions. bind may well not be running as root, and thus the user bind is running under might need more permissions to load and execute that library.

          Gertjan

          @AberDino said in BIND filter-aaaa:

          /usr/local/lib/named/filter-aaaa.so

          I don't use bind myself - not for pfSense, that is, but I have one question back: isn't bind (named) chrooted to some location?

          Edit: @bmeeks is right:

          -rw-r--r--   1 root  wheel  22822 Jan 13 19:29 filter-aaaa.so
          

          The owner and group might need a "chown" ^^

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            johnpoz LAYER 8 Global Moderator

            So you're running bind along with unbound? You can do filtering of AAAA just in unbound; no reason to run bind just for this feature. This is from 3 years ago:

            https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

              AberDino @johnpoz

              @johnpoz said in BIND filter-aaaa:

              So you're running bind along with unbound? You can do filtering of AAAA just in unbound; no reason to run bind just for this feature. This is from 3 years ago.

              Correct, and happy to give AAAA filtering in unbound a go. I had a look at the article and it seems things have moved on even further in the sense that it is now possible to select "Enable Python Module" on the General Settings page for the DNS Resolver. I presume that takes care of the first step in the article, i.e. enabling the python module in unbound.conf?

              I don't have any experience with python, and I'm getting stuck after that. After enabling the python module, two additional options appear: python module order (pre-validator or post-validator) and python module script. What should I select for the first option, and where do I put my "py" file so I can select it from the drop-down?

              Thanks for your help!

                johnpoz LAYER 8 Global Moderator

                Let me take a look see, haven't played with this much after that thread 3 years ago ;) hehehe

                  AberDino @johnpoz

                  @johnpoz said in BIND filter-aaaa:

                  Let me take a look see, haven't played with this much after that thread 3 years ago ;) hehehe

                  Thank you ☺ . Perhaps this link is of some use.

                    johnpoz LAYER 8 Global Moderator

                    Are you on 2.4.5?

                    This works fine...

                    I copied the script to /var/unbound. Unbound now sees it.

                    [2.4.5-RELEASE][admin@sg4860.local.lan]/var/unbound: dig AAAA netflix.com
                    
                    ; <<>> DiG 9.14.9 <<>> AAAA netflix.com
                    ;; global options: +cmd
                    ;; Got answer:
                    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23617
                    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                    
                    ;; OPT PSEUDOSECTION:
                    ; EDNS: version: 0, flags:; udp: 4096
                    ;; QUESTION SECTION:
                    ;netflix.com.                   IN      AAAA
                    
                    ;; Query time: 0 msec
                    ;; SERVER: 127.0.0.1#53(127.0.0.1)
                    ;; WHEN: Sat Mar 28 07:53:07 CDT 2020
                    ;; MSG SIZE  rcvd: 40
                    
                    

                    If I turn that off... then netflix resolves:

                    [2.4.5-RELEASE][admin@sg4860.local.lan]/var/unbound: dig AAAA netflix.com
                    
                    ; <<>> DiG 9.14.9 <<>> AAAA netflix.com
                    ;; global options: +cmd
                    ;; Got answer:
                    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19719
                    ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
                    
                    ;; OPT PSEUDOSECTION:
                    ; EDNS: version: 0, flags:; udp: 4096
                    ;; QUESTION SECTION:
                    ;netflix.com.                   IN      AAAA
                    
                    ;; ANSWER SECTION:
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::6b17:de40
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::23a8:b7b1
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::34ce:7a8a
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::3657:bca9
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::36a4:fed8
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::3698:ef03
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::36a5:9d7b
                    netflix.com.            3600    IN      AAAA    2406:da00:ff00::3436:9ae2
                    
                    ;; Query time: 198 msec
                    ;; SERVER: 127.0.0.1#53(127.0.0.1)
                    ;; WHEN: Sat Mar 28 07:55:58 CDT 2020
                    ;; MSG SIZE  rcvd: 264
                    
                    [2.4.5-RELEASE][admin@sg4860.local.lan]/var/unbound: 
                    

                    Grab that script that is linked to, put it in a file called no-aaaa.py and copy that file to your /var/unbound dir.

                    Edit: btw, there are a couple of ways to skin this cat if you don't care about just blocking this specific device from all IPv6, or nobody from resolving IPv6 for netflix... You can use a simple private domain entry.

                      AberDino @johnpoz

                      @johnpoz said in BIND filter-aaaa:

                      I copied the script to /var/unbound.

                      That's the bit I was missing. All working beautifully now, thank you!

                        Gertjan @johnpoz

                        Same thing here: completely forgot about that one!
                        But, as I'm using tunnelbroker.he.net also, I need to block some IPv6 AAAA's, not only Netflix.
                        Example: when I visit my ISP's main web site using AAAA, it often just doesn't work well.

                        @johnpoz said in BIND filter-aaaa:

                        Grab that script that is linked to, put it in a file called no-aaaa.py and copy that file to your /var/unbound dir.

                        I still think it's needed to copy the python script over to /var/unbound and /var/unbound/var/unbound - the latter has to be created on start, and has to have the right owner, unbound.

                        As of today - using 2.4.5 - it's still working.

                        Btw, I'm using 'ln' to link, not copy, to populate /var/unbound/var/unbound from the copy in /var/unbound:

                        #!/bin/sh
                        
                        # https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158
                        echo "Inserting netflix-no-aaaa.py ...."
                        
                        #make sure the directory for the python libraries is in the chroot
                        mkdir -p /var/unbound/usr/local/lib/python2.7
                        
                        #link the actual python library directory to the chroot's directory
                        mount -t nullfs /usr/local/lib/python2.7 /var/unbound/usr/local/lib/python2.7
                        
                        #copy the python script to the /var/unbound directory so 
                        #unbound-checkconf can find it
                        rm -f /var/unbound/netflix-no-aaaa.py
                        cp /root/netflix-no-aaaa.py /var/unbound/netflix-no-aaaa.py
                        
                        #make sure unbound can read it
                        chown unbound:unbound /var/unbound/netflix-no-aaaa.py
                        
                        #create a /var/unbound directory in the /var/unbound directory so that 
                        #unbound can find the script
                        mkdir -p /var/unbound/var/unbound
                        
                        #link the python module into the /var/unbound/var/unbound directory
                        #under the chroot directory
                        rm -f /var/unbound/var/unbound/netflix-no-aaaa.py
                        ln -s /var/unbound/netflix-no-aaaa.py /var/unbound/var/unbound/netflix-no-aaaa.py
                        
                        echo "Done ...."
                        

                        The thing is set up when pfSense starts, using an earlyshellcmd command.

                        /root/unbound-p.sh is the script shown above.
                        It's placed in /root, together with the /root/netflix-no-aaaa.py script.

                          johnpoz LAYER 8 Global Moderator

                          It was working without that..

                            Gertjan

                            Do you mean that putting the "netflix-no-aaaa.py" in place is enough?

                            No more copying the script to /var/unbound/var/unbound/
                            and no more mounting of the /usr/local/lib/python2.7 dir?

                              johnpoz LAYER 8 Global Moderator

                              That is all I did - then you see it in the new 2.4.5 GUI and Bob's your uncle.

                                Gertjan

                                Ok, nice. That cleans up things.

                                Will include a "Note" with the source of that python file, to complete my "in case of total rebuild" procedure.

                                  geekmug @AberDino

                                  @AberDino said in BIND filter-aaaa:

                                  Any thoughts on how I could get this working again?

                                  @Gertjan said in BIND filter-aaaa:

                                  I don't use bind myself - not for pfSense, that is, but I have one question back: isn't bind (named) chrooted to some location?

                                  I just upgraded and ran into this myself. Yes, pfSense uses /cf/named as the chroot. The issue is that /usr/local/lib/named is a new directory that holds the plugins, which need to get copied into /cf/named/usr/local/lib/named. I've pushed up a pull request to fix this:

                                  https://github.com/pfsense/FreeBSD-ports/pull/816

                                  Until the pull request gets merged and an updated package is published, you could patch the bind.inc locally, and then run /etc/rc.packages bind post-install to regenerate the chroot.

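The dlopen() failure in the opening post and geekmug's diagnosis of it come down to one question: after named(8) has chrooted to /cf/named, is the file present, and readable by the account named runs as, at the path the `plugin query` statement names? The check below is an added example, not pfSense's, BIND's or any poster's code. It takes the chroot and plugin path from the thread as defaults; the uid/gid of the bind account are not on the page, so they are parameters with made-up defaults, and `demo()` builds the broken-then-fixed layout in a temporary directory rather than touching a live system. It separates bmeeks's permission theory from geekmug's missing-copy finding, which is the distinction a quick `ls` on the host side cannot make.

```python
import os
import shutil
import stat
import tempfile

# Values the thread itself gives: pfSense's BIND chroot and the plugin path
# named in the failing 'plugin query' statement.
CHROOT = "/cf/named"
PLUGIN = "/usr/local/lib/named/filter-aaaa.so"


def chroot_path(chroot, path):
    """Host location of a path as named(8) sees it once it has chrooted."""
    return os.path.join(chroot, path.lstrip("/"))


def readable_by(mode, st_uid, st_gid, uid, gid):
    """Would a process running as uid/gid pass the read check on a file with
    these ownership and mode bits? Same owner/group/other order the kernel
    uses; root bypasses the check."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_plugin(chroot, plugin, uid, gid):
    """Return the problems that would make dlopen() of `plugin` fail inside
    `chroot` for a service running as uid/gid; an empty list means OK."""
    problems = []
    host_path = chroot_path(chroot, plugin)
    if not os.path.exists(host_path):
        problems.append("missing inside chroot: %s" % host_path)
        return problems
    st = os.stat(host_path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file: %s" % host_path)
    if not readable_by(mode, st.st_uid, st.st_gid, uid, gid):
        problems.append("not readable by uid %d/gid %d: %s (mode %o, owner %d:%d)"
                        % (uid, gid, host_path, mode, st.st_uid, st.st_gid))
    return problems


def demo(uid=1001, gid=1001):
    """Constructed scenario in a throwaway directory: the plugin is installed
    on the 'host' side but was never replicated into the chroot, which is
    what the thread ends up diagnosing. Returns (problems_before,
    problems_after) around the fix. The uid/gid are made up, not pfSense's."""
    root = tempfile.mkdtemp(prefix="named-chroot-demo-")
    try:
        host_so = chroot_path(os.path.join(root, "host"), PLUGIN)
        chroot = os.path.join(root, CHROOT.lstrip("/"))
        os.makedirs(os.path.dirname(host_so))
        with open(host_so, "wb") as fh:
            fh.write(b"constructed placeholder, not a real shared object")
        before = check_plugin(chroot, PLUGIN, uid, gid)
        # The fix: replicate the plugin into the chroot, world-readable
        # (0644, the mode Gertjan's ls output shows for the host copy).
        dst = chroot_path(chroot, PLUGIN)
        os.makedirs(os.path.dirname(dst))
        shutil.copy2(host_so, dst)
        os.chmod(dst, 0o644)
        after = check_plugin(chroot, PLUGIN, uid, gid)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before or "OK")
    print("after fix: ", after or "OK")
```

On a real box you would call `check_plugin(CHROOT, PLUGIN, uid, gid)` with the bind account's ids; until the package fix lands, the remedy geekmug gives (patch bind.inc, then `/etc/rc.packages bind post-install`) is what makes the "after" state true.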
                                    bruor

                                    It would be fantastic if the filtering of AAAA could be added as a native script whose list of domains to filter could be edited in the interface. This works great but I worry about having to recreate this if I ever have to restore from a backup in a few years.

                                      AndrewZ @johnpoz

                                      @johnpoz said in BIND filter-aaaa:

                                      Grab that script that is linked to, put it in a file called no-aaaa.py and copy that file to your /var/unbound dir.

                                      Upgraded to 2.4.5_1 and noticed that this file [that was there for quite some time] - no-aaaa.py - is gone. Copied it over, rebooted and noticed that the file is gone again. Finally, realized that /var/ is mounted in RAM. So, where should this file be stored?

                                        jimp Rebel Alliance Developer Netgate

                                        Would be safe in /root or /conf or a subdirectory of those.

                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                        Need help fast? Netgate Global Support!

                                        Do not Chat/PM for help!

                                          johnpoz LAYER 8 Global Moderator

                                          Not sure what you're talking about; on 2.4.5p1 the file is right where it was in /var/unbound:

                                          [2.4.5-RELEASE][admin@sg4860.local.lan]/root: cd /var/unbound
                                          [2.4.5-RELEASE][admin@sg4860.local.lan]/var/unbound: ls -la
                                          total 84
                                          drwxr-xr-x   5 unbound  unbound  1024 Jun 16 05:37 .
                                          drwxr-xr-x  31 root     wheel     512 Jun  2 16:54 ..
                                          -rw-r--r--   1 root     unbound   185 Jun 14 07:14 access_lists.conf
                                          drwxr-xr-x   2 unbound  unbound   512 Jun  2 16:54 conf.d
                                          drwxr-xr-x   2 root     unbound   512 Mar 28 07:52 dev
                                          -rw-r--r--   1 root     unbound   698 Jun 14 07:14 dhcpleases_entries.conf
                                          -rw-r--r--   1 root     unbound    65 Jun 14 07:14 domainoverrides.conf
                                          -rw-r--r--   1 root     unbound  6838 Jun 14 07:14 host_entries.conf
                                          -rw-r--r--   1 root     unbound  1404 Mar 28 07:51 no-aaaa.py
                                          -rw-r--r--   1 root     unbound     0 Jun 16 15:00 pfb_dnsbl.conf
                                          -rw-r--r--   1 root     unbound   300 Sep 17  2017 remotecontrol.conf
                                          -rw-r--r--   1 unbound  unbound   758 Jun 16 05:37 root.key
                                          -rw-r--r--   1 unbound  unbound   759 Dec  4  2019 root.key.67289-2
                                          -rw-r--r--   1 root     unbound  3369 Feb 28  2019 sslcert.crt
                                          -rw-------   1 root     unbound     0 Feb 28  2019 sslcert.key
                                          -rw-r--r--   1 root     unbound  5297 Jun 14 07:14 unbound.conf
                                          -rw-r-----   1 unbound  unbound  2455 Sep 17  2017 unbound_control.key
                                          -rw-r-----   1 unbound  unbound  1330 Sep 17  2017 unbound_control.pem
                                          -rw-r-----   1 unbound  unbound  2459 Sep 17  2017 unbound_server.key
                                          -rw-r-----   1 unbound  unbound  1318 Sep 17  2017 unbound_server.pem
                                          drwxr-xr-x   3 root     unbound   512 Mar 28 07:52 usr
                                          [2.4.5-RELEASE][admin@sg4860.local.lan]/var/unbound: cat no-aaaa.py 
                                          def init(id, cfg):
                                              return True
                                          
                                          def deinit(id):
                                              return True
                                          
                                          def inform_super(id, qstate, superqstate, qdata):
                                              return True
                                          
                                          domains = [
                                              "netflix.com.",
                                              "nflxso.net.",
                                          ]
                                          
                                          def operate(id, event, qstate, qdata):
                                              if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
                                                  if qstate.qinfo.qtype != RR_TYPE_AAAA:
                                                      qstate.ext_state[id] = MODULE_WAIT_MODULE
                                                      return True
                                          
                                                  for domain in domains:
                                                      if qstate.qinfo.qname_str == domain or qstate.qinfo.qname_str.endswith("." + domain):
                                                          msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA)
                                                          if not msg.set_return_msg(qstate):
                                                              qstate.ext_state[id] = MODULE_ERROR
                                                              return True
                                                          # We don't need validation, result is valid
                                                          qstate.return_msg.rep.security = 2
                                                          qstate.return_rcode = RCODE_NOERROR
                                                          qstate.ext_state[id] = MODULE_FINISHED
                                                          log_info("no-aaaa: blocking AAAA request for %s" % qstate.qinfo.qname_str)
                                                          return True
                                          
                                                  qstate.ext_state[id] = MODULE_WAIT_MODULE
                                                  return True
                                          
                                              if event == MODULE_EVENT_MODDONE:
                                                  qstate.ext_state[id] = MODULE_FINISHED
                                                  return True
                                          
                                          

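The no-aaaa.py johnpoz posted hardcodes its two domains, and bruor and Gertjan both ask for something easier to maintain and to rebuild from backup. The module below is an added example, not the thread's script and not a pfSense or Unbound feature: the same Unbound Python hooks, with the block decision moved into a pure function and the domain list read from a file (the path `BLOCKLIST_FILE` and its one-domain-per-line format are my assumptions). The pure function also pins down the edge case the suffix test has to get right: a subdomain of a listed domain is blocked, a name that merely ends in the same letters (`notnetflix.com.`) is not. The names Unbound injects at load time (`MODULE_EVENT_NEW`, `RR_TYPE_AAAA`, `DNSMessage`, `log_info`, ...) only appear inside the hooks, so the file imports and the decision logic can be tested outside Unbound.

```python
"""AAAA filtering for Unbound's Python module, with the block decision in a
pure function so it can be tested without Unbound.

Added example, not the no-aaaa.py posted in the thread. MODULE_EVENT_*,
RR_TYPE_AAAA, RR_CLASS_IN, PKT_*, RCODE_NOERROR, DNSMessage, log_info and
log_err are provided by Unbound when it loads the script; they are only
used inside the hook functions below.
"""

# Assumed (not a pfSense or Unbound convention): one domain per line, '#'
# starts a comment. If the file cannot be read, the built-in list is used,
# so the module behaves like the thread's script out of the box.
BLOCKLIST_FILE = "/var/unbound/no-aaaa-domains.txt"
DEFAULT_DOMAINS = ["netflix.com", "nflxso.net"]
RR_TYPE_AAAA_NUM = 28  # AAAA type code, equal to Unbound's RR_TYPE_AAAA


def normalize(name):
    """Lower-case and add the trailing dot, matching Unbound's qname_str."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_domains(lines):
    """Blocklist text lines -> normalized domains, minus blanks and comments."""
    domains = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            domains.append(normalize(line))
    return domains


def load_domains(path):
    """Read the blocklist file; fall back to DEFAULT_DOMAINS if unreadable."""
    try:
        with open(path) as fh:
            return parse_domains(fh)
    except (IOError, OSError):
        return parse_domains(DEFAULT_DOMAINS)


def should_block(qname, qtype, domains):
    """True when an AAAA query names a blocked domain or one of its subdomains.

    The suffix test is anchored at a label boundary: 'www.netflix.com.'
    matches 'netflix.com.' but 'notnetflix.com.' does not.
    """
    if qtype != RR_TYPE_AAAA_NUM:
        return False
    qname = normalize(qname)
    return any(qname == d or qname.endswith("." + d) for d in domains)


# --- Unbound module hooks ---------------------------------------------------

DOMAINS = []


def init(id, cfg):
    global DOMAINS
    DOMAINS = load_domains(BLOCKLIST_FILE)
    log_info("no-aaaa: filtering AAAA for %d domains" % len(DOMAINS))
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        if should_block(qstate.qinfo.qname_str, qstate.qinfo.qtype, DOMAINS):
            # Synthesize an empty NOERROR answer to the AAAA question itself.
            msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_AAAA, RR_CLASS_IN,
                             PKT_QR | PKT_RA | PKT_AA)
            if not msg.set_return_msg(qstate):
                qstate.ext_state[id] = MODULE_ERROR
                return True
            qstate.return_msg.rep.security = 2  # as in Unbound's resgen.py
            qstate.return_rcode = RCODE_NOERROR
            qstate.ext_state[id] = MODULE_FINISHED
            log_info("no-aaaa: blocking AAAA request for %s"
                     % qstate.qinfo.qname_str)
            return True
        # Not ours: hand the query on to the next module (the iterator).
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    log_err("no-aaaa: unexpected event %d" % event)
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Deployment is as in the thread: the script and its list file go in /var/unbound so Unbound's chroot can see them, with a master copy kept under /root or /conf as jimp suggests, since /var may be a RAM disk, and the script is selected as the Python module script in the DNS Resolver settings.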
                                            AndrewZ @johnpoz

                                            I see something different on my system (apu2)...
                                            Then I realized that I have "Use memory file system for /tmp and /var" set. Now all is clear. It looks like I never rebooted my router after the previous upgrade!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.