Is it possible to not resolve ipv6 certain dns domains?

Lazer13 · Sep 23, 2024, 1:25 PM

Hi,

I'm in a kind of a pickle.
A customer wants to give us access to their Atera instance.
They have ip filtering enabled and whitelisted our external ipv4 address.
When we try to connect we get rejected since atera resolves as ipv6 and we use ipv6 to reach atera.
Atera, in their infinite wisdom, does not support whitelisting ipv6 adresses.

SO, is there a way to make pfsense only resolve ipv4 for certain domains?
Alternatively can i make a policy route that forces ipv4 for certain domains?

Regards, Lars

Gertjan · Sep 23, 2024, 2:50 PM

@Lazer13 said in Is it possible to not resolve ipv6 certain dns domains?:

SO, is there a way to make pfsense only resolve ipv4 for certain domains?

and block AAAA request ?
pfSense, aka the resolver will do its job as asked.
~~You could probably do something with domain overrides~~ or install pfBlockerng and use this option :

as it was included just for that : block AAAA requests of all domain names listed.

edit : Non, forget about host overrides.
You probably have to pick the correct unbound's config settings, see https://nlnetlabs.nl/documentation/unbound/unbound.conf/ )

Lazer13 · Sep 25, 2024, 8:56 AM

Awesome, thanks!
Didn't notice that feature of pfblocker before. Will try it :)

Lazer13 · Sep 25, 2024, 9:03 AM

It works flawlessly. Very nice.
Unfortunately I still get error trying to login to atera but now I know ipv6 is not to blame :)

-flo- 0 · Oct 13, 2024, 7:06 PM

Sorry, this is probably a dumb question, but where exactly do I find these settings? I installed pfblockerng but didn't find anything like this in the settings ...

Lazer13 · Oct 14, 2024, 6:33 AM

It's only easy once you know. :)

Go into DNSBL and enable "no AAAA".
When you enable it you get a new section called Python no AAAA List.
Domains you put there will only resolve IPv4.

-flo- 0 · Oct 14, 2024, 7:17 AM

@Lazer13

Thank you for trying to help. I'm feeling kinda dumb right now.

I select Firewall - pfBlockerNG. I now see a menu line with items General, IP, DNSBL, etc. There I select DNSBL and get a configuration screen. Neither in this nor in any of its three subscreens there is an item "AAAA". I even searched for the string.

Maybe there is a problem with my configuration? I let the wizard create a default configuration after I installed pfBlockerNG yesterday. After this in the services widget the entry pfb_filter is shown as running, whereas the entry pfb_dnsbl is not. I cannot start this service from the widget.

I must be missing something totally obvious.

Gertjan · Oct 14, 2024, 7:20 AM

@flo-0

Switch from the old 'unbound' mode (see image) to the new Python mode.

-flo- 0 · Oct 14, 2024, 7:27 AM

@Gertjan

This does it!

Thank you all, you are may today's champions!