In our quest to roll out IPv6 intranet-wide, we ran into a weird issue with how we do VPN requiring us to filter out AAAA records being served to VPN connected clients. At first, this didn't seem very easy. Then, pdns-recursor to the rescue!

On more recent (>=3.1.7 versions), pdns-recursor can take in scripts (in real time, btw) to modify the way it operates. This is super handy and luckily, there is a filter-aaaa script available on github that does exactly what we want!!

Running a test instance on my laptop forwarding questions about our internal domain to our main dns server:

pdns_recursor --daemon=no --local-address=0.0.0.0 --local-port=5300 --forward-zones=internal.net=10.1.1.11 --lua-dns-script=/tmp/filter-aaaa.lua  

Now when querying with dig for a host we know has a AAAA record set, we merely get no answer whatsoever:

?[~]> dig aaaa @127.0.0.1 -p 5300 server.internal.net

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> aaaa @127.0.0.1 -p 5300 server.internal.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.internal.net.        IN  AAAA

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Mon Mar 09 16:31:34 EDT 2015
;; MSG SIZE  rcvd: 38

Additionally, if you wanted to do other sorts of filtering, pdns lets you do this with a fancy function described here.

Blog Logo

Mario Loria


Published

Image

./scriptthe.net

Because 127.0.0.1 gets old after a while.

Back to Overview