BIND filter-aaaa
-
@aberdino might be good to post this over on the announcement thread, a lot of minor changes were being patched by the dev fairly quickly as they were reported over there.
https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound
-
@aberdino said in BIND filter-aaaa:
For example, I have entered office.com in the list, and resolution of office.com returns only an IPv4 address, but outlook.ms-acdc.office.com returns both IPv4 and IPv6 addresses. The previous no-aaaa script had "office.com." as the domain, but if I include the last "." in pfBlockerNG-devel it doesn't work at all. Effectively I want IPv4 resolution only for "*.office.com". I presume that is possible in pfBlockerNG-devel?
The upcoming version of pfBlocker, the one after 3.0.0_7 (not yet released, it's upcoming) will do this correctly :
Consider :
( do a Force Update after saving these settings ! - flush local DNS caches)
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host papy-team.org
papy-team.org has address 87.98.136.44
papy-team.org mail is handled by 20 mail2.papy-team.org.
papy-team.org mail is handled by 10 mail.papy-team.org.
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.papy-team.org
www.papy-team.org has address 87.98.136.44
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host pop.papy-team.org
pop.papy-team.org has address 87.98.136.44
So, the domain itself, and all sub domains will be A only.
But - in the case of "www.test-domaine.fr" :
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host test-domaine.fr
test-domaine.fr has address 5.196.43.182
test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
test-domaine.fr mail is handled by 20 mail2.test-domaine.fr.
test-domaine.fr mail is handled by 10 mail.test-domaine.fr.
test-domaine.fr mail is handled by 30 mail.test-domaine.fr.
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: host www.test-domaine.fr
www.test-domaine.fr has address 5.196.43.182
www.test-domaine.fr has IPv6 address 2001:41d0:2:927b::15
Strange !!
Only the sub domain www.test-domaine.fr should be "A" only (no AAAA). The domain itself will return an AAAA (that's ok), but the sub domain listed in the Python no AAAA List "www.test-domaine.fr" - see above - also returns an AAAA !
(note : I'm using the upcoming 0.0._8 version here, not yet released)
I wonder :
.papy-team.org
should block AAAA for the domain and all possible sub (and sub sub etc) domains,
and without the starting dot, like papy-team.org
should block AAAA for the domain - and NOT for the sub domains ?
Remark
- don't know if such a feature is needed.
- The syntax with the starting dot should be inversed ? Like ".papy-team.org" is blocking this domain and all sub domains, and without the starting dot, like "papy-team.org" only that domain without doing the wildcard thing ?
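As an added illustration (not pfBlockerNG's or Unbound's own code), the leading-dot convention proposed above applied to a constructed no-AAAA list and to answer records mirroring the host output quoted in the thread: a leading "." covers the domain and every subdomain, a bare name covers only that exact name, and a trailing dot on the query (the "office.com." case from the first post) is tolerated.

```python
from typing import Iterable, List, Tuple

# Constructed sample list in the leading-dot syntax discussed in the thread.
NO_AAAA_LIST = [
    "# comment lines and blanks are ignored",
    ".papy-team.org",        # domain itself and all subdomains
    "www.test-domaine.fr",   # this exact name only
]

def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so 'office.com.' equals 'office.com'."""
    return name.strip().lower().rstrip(".")

def matches_no_aaaa(qname: str, entries: Iterable[str] = NO_AAAA_LIST) -> bool:
    """Return True when qname is covered by an entry of the no-AAAA list."""
    q = normalise(qname)
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        wildcard = raw.startswith(".")
        entry = normalise(raw.lstrip("."))
        if not entry:
            continue
        if q == entry:
            return True  # exact match, with or without the leading dot
        if wildcard and q.endswith("." + entry):
            return True  # subdomain; the "." prefix keeps evilpapy-team.org out
    return False

RR = Tuple[str, str]  # (record type, rdata): a simplified answer record

def filter_answers(qname: str, answers: List[RR],
                   entries: Iterable[str] = NO_AAAA_LIST) -> List[RR]:
    """Strip AAAA records from a response when qname is listed; else pass through."""
    if not matches_no_aaaa(qname, entries):
        return list(answers)
    return [rr for rr in answers if rr[0] != "AAAA"]

if __name__ == "__main__":
    # Constructed answers matching the host output shown for test-domaine.fr.
    sample = [("A", "5.196.43.182"), ("AAAA", "2001:41d0:2:927b::15")]
    for name in ("test-domaine.fr", "www.test-domaine.fr", "mail.test-domaine.fr"):
        print(name, filter_answers(name, sample))
```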
-
@gertjan your suggestion sounds best to me. Make it work exactly like the dnsbl whitelist function, leading "." for all subdomains, otherwise a single record.
-
@bruor
Agreed, and thank you both.
-
@aberdino said in BIND filter-aaaa:
@Gertjan and @bruor
I might have spoken too soon, as it's not working now, I'll do some further digging...
Just to close this issue, I'm now on pfSense 2.5.0 with pfBlockerNG-devel 3.0.0_10 and the wildcard AAAA blocking works great. Thank you guys
-
I wanted to add the no-aaaa script again to unbound when I stumbled on this thread, I'm running pfsense plus 22.05 and the latest pfblocker-ng 3.1.0_7. I cannot find the no-aaaa script as a setting in pfblocker-ng as shown by @Gertjan here.
Where can I find these settings for no-aaaa?
-
@nan0tech put pfblocker-ng in python mode under the DNSBL tab, "no AAAA" should be available in the list (has a lightning bolt next to it)
-