In our quest to roll out IPv6 intranet-wide, we ran into a weird issue with how we do VPN requiring us to filter out AAAA records being served to VPN connected clients. At first, this didn’t seem very easy. Then, pdns-recursor to the rescue!

On more recent (>=3.1.7 versions), pdns-recursor can take in scripts (in real time, btw) to modify the way it operates. This is super handy and luckily, there is a filter-aaaa script available on github that does exactly what we want!!

Running a test instance on my laptop forwarding questions about our internal domain to our main dns server:

pdns_recursor --daemon=no --local-address= --local-port=5300 --lua-dns-script=/tmp/filter-aaaa.lua

Now when querying with dig for a host we know has a AAAA record set, we merely get no answer whatsoever:

?[~]> dig aaaa @ -p 5300

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> aaaa @ -p 5300
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


;; Query time: 3 msec
;; WHEN: Mon Mar 09 16:31:34 EDT 2015
;; MSG SIZE  rcvd: 38

Additionally, if you wanted to do other sorts of filtering, pdns lets you do this with a fancy function described here.

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.