Prevent unbound resolving IPv6 for one domain
-
Hi guys!
Is it possible to prevent unbound from resolving an AAAA record for a specific domain? I wish to get only the IPv4 address for that one, because it's easier to handle by forcing it to use an IPv4-only gateway.
Thanks.
-
Yes, but I think there's a bug in it presently, I was just coming to the forums to report it.
There's an unbound python module called no-aaaa.py on github that someone originally made for netflix, but it works nicely for other domains. You can edit and upload it to the /var/unbound folder, and it'll show up in the list of modules you can activate. The issue I'm seeing though is that since 2.4.5, when enabled, unbound will eat all memory until the firewall locks up.
-
Ok, if that's true this is no option for me. If I do a host override and enter fe80::1, does it then resolve only the IPv4 record?
-
@bruor said in Prevent unbound resolving IPv6 for one domain:
The issue I'm seeing though is that since 2.4.5, when enabled, unbound will eat all memory until the firewall locks up.
I rebooted last Tuesday - one week.
I'm using that no-aaaa.py script for some .... two years now?
Never saw an issue related with memory (or, more precisely, with unbound, or unbound using a script).
The script loads and works fine:
May 28 08:16:53 unbound 18491:0 info: pythonmod: aaaa script loaded
Can you develop ?
-
@bruor I did this but the module doesn't show up to select. Do I have to reboot the machine?
-
No reboot needed.
Place the file in the /var/unbound directory.
chmod it to owner unbound:unbound (this might be optional).
Now, visit the Resolver GUI. You should be able to choose:
Note: the file name doesn't matter. It should have a dot py extension, and it must be a valid Python file.
The python file itself needs to be edited : you have to enter the (sub) domain names that need to be filtered.
-
Oops.
Not "chmod", as the world/group/user rights are probably just fine with their default values, " -rw-r--r-- ". The owner should (?) be changed: keeping it "root" isn't a good idea anyway.
So, it will be chown.
Use the console, or far better (easier) use SSH, and when you have entered, seeing the menu, choose option 8.
Then:
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cd /var/unbound/
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al netflix-no-aaaa.py
-rw-r--r--  1 unbound  unbound  1582 May 27 18:14 netflix-no-aaaa.py
[2.4.5-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: chown unbound:unbound netflix-no-aaaa.py
Note: mine was already "unbound unbound".
edit: do yourself a huge favour.
Never ever use a GUI for these manipulations.
Some OSes, like - example - Windows, with decades of programming and thousands of engineers, might have pulled it off: you can use Explorer to navigate and interact with the file system .... (and still ..... serious interactions need the command line).
Use the native command line access.
It's a life saver.
-
OK I did everything again and now it works! Didn't need to chmod anything.
Can I just enter for example ".google.com" so that everything with that domain is not resolved in AAAA? So maps.google.com and so on? Or do I need to enter every possible domain?
-
@mrsunfire said in Prevent unbound resolving IPv6 for one domain:
maps.google.com and so on?
That is :
.maps.google.com
A sub domain is not the same as a domain name, so yes, ".google.com" won't include the sub domains.
-
Ok thanks so far!
-
@Gertjan On my install, if I enter subdomains like you have in the domains list they do not get filtered out. I have to enter them with a trailing "." character for them to be evaluated by the script.
domains = [
    "smtp-relay.gmail.com",
    "youtube.com.",
    "googlevideo.com.",
    "ytimg.com.",
    # "netflix.com.",
    # "netflix.net.",
    # "nflxext.com.",
    # "nflximg.net.",
    # "nflxvideo.net.",
    # "nflxso.net.",
]
Non-authoritative answer:
Name:      smtp-relay.gmail.com
Addresses: 2607:f8b0:4001:c05::1c
           209.85.144.28
However, with the trailing dot on each line, the listed name, and all subdomains appear to be filtered as expected.
domains = [
    "smtp-relay.gmail.com.",
    "youtube.com.",
    "googlevideo.com.",
    "ytimg.com.",
    # "netflix.com.",
    # "netflix.net.",
    # "nflxext.com.",
    # "nflximg.net.",
    # "nflxvideo.net.",
    # "nflxso.net.",
]
Non-authoritative answer:
Name:    smtp-relay.gmail.com
Address: 209.85.144.28

Non-authoritative answer:
Name:    i.ytimg.com
Address: 172.217.164.246
-
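Added illustration, not the no-aaaa.py script and not anything posted by the people in this thread: a plain-Python model of the two matching questions above (whether an entry like ".google.com" covers maps.google.com, and bruor's observation that an entry only takes effect with a trailing dot). It assumes the script compares the query name in the fully qualified form a resolver module sees it, "host.example.com." with a trailing dot, against the list by a plain string suffix test; the function names, the label-aware variant, the sample names and the query list are constructed for this example.

```python
"""Suffix matching in an AAAA-filtering resolver module (constructed example).

Assumption being modelled: the filter script tests the query name, which
arrives fully qualified ("smtp-relay.gmail.com."), with a plain string
suffix comparison against each list entry. That explains the thread's
observations: "smtp-relay.gmail.com" (no dot) never matches, while
"ytimg.com." also catches i.ytimg.com.
"""
from typing import Iterable, List, Tuple

RR_TYPE_A = 1      # standard DNS type codes
RR_TYPE_AAAA = 28


def matches_naive(qname: str, domains: Iterable[str]) -> bool:
    """Plain suffix test, as the thread's script is assumed to do it."""
    return any(qname.endswith(d) for d in domains)


def fqdn(name: str) -> str:
    """Normalise to lower case with exactly one trailing dot and no leading dot,
    so "google.com", ".google.com" and "Google.COM." all become "google.com."."""
    return name.lower().strip(".") + "."


def matches_labels(qname: str, domains: Iterable[str]) -> bool:
    """Label-aware test: the name equals a listed domain or sits beneath it.

    Unlike the plain suffix test, "notgoogle.com." is NOT treated as part of
    "google.com.", because the match is anchored at a label boundary.
    """
    q = fqdn(qname)
    for d in domains:
        d = fqdn(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def decide(qname: str, qtype: int, domains: Iterable[str],
           matcher=matches_labels) -> str:
    """Decision a module would take for a new query:
    "nodata" = answer the AAAA query with an empty NOERROR reply (so the
    client falls back to the A record), "pass" = let unbound resolve it."""
    if qtype == RR_TYPE_AAAA and matcher(qname, domains):
        return "nodata"
    return "pass"


def run(queries: List[Tuple[str, int]], domains: Iterable[str],
        matcher=matches_labels) -> List[Tuple[str, int, str]]:
    """Apply decide() to a batch of (qname, qtype) pairs; used by the demo below."""
    return [(q, t, decide(q, t, domains, matcher)) for q, t in queries]


if __name__ == "__main__":
    # Constructed sample queries in the fully qualified form a module sees.
    queries = [
        ("smtp-relay.gmail.com.", RR_TYPE_AAAA),
        ("i.ytimg.com.", RR_TYPE_AAAA),
        ("maps.google.com.", RR_TYPE_AAAA),
        ("maps.google.com.", RR_TYPE_A),      # A queries are never touched
        ("notgoogle.com.", RR_TYPE_AAAA),     # shows the over-match of the naive test
    ]
    no_dot = ["smtp-relay.gmail.com", "ytimg.com.", "google.com."]
    for name, m in (("naive", matches_naive), ("label-aware", matches_labels)):
        print(f"--- {name} ---")
        for q, t, verdict in run(queries, no_dot, m):
            print(f"{q:24} type {t:<3} -> {verdict}")
```

With the plain suffix test an entry without the trailing dot is dead, exactly as observed in the thread, and an entry such as "google.com." also swallows "notgoogle.com.". The label-aware variant accepts entries with or without the dot and only matches the listed domain and names beneath it, which is the shape you want for a filter list that sits in the resolver path of every client behind the firewall.
-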
@mrsunfire If you make sure that you don't have the "register DHCP leases in the DNS resolver" option enabled you'll experience no issues :)
-
I don't have this enabled and it works like a charm. :)