In our quest to roll out IPv6 intranet-wide, we ran into a weird issue with how we do VPN that required us to filter out AAAA records being served to VPN-connected clients. At first, this didn't seem very easy. Then, pdns-recursor to the rescue!

On more recent versions (>=3.1.7), pdns-recursor can take in Lua scripts (loaded in real time, btw) to modify the way it operates. This is super handy, and luckily there is a filter-aaaa script available on GitHub that does exactly what we want!!

Running a test instance on my laptop forwarding questions about our internal domain to our main dns server:

pdns_recursor --daemon=no --local-address=0.0.0.0 --local-port=5300 --forward-zones=internal.net=10.1.1.11 --lua-dns-script=/tmp/filter-aaaa.lua

Now, when querying with dig for a host we know has an AAAA record set, we simply get no answer whatsoever:

$ dig aaaa @127.0.0.1 -p 5300 server.internal.net

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> aaaa @127.0.0.1 -p 5300 server.internal.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65066
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;server.internal.net.		IN	AAAA

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Mon Mar 09 16:31:34 EDT 2015
;; MSG SIZE  rcvd: 38
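For reference, here is an added example of what such a hook looks like; it is not the filter-aaaa script from GitHub nor anything from this post. It assumes the recursor 3.x hook signature preresolve(remoteip, domain, qtype), the pdns.AAAA constant and pdnslog(), and it goes a step further than the test above by filtering only for queries that arrive from a placeholder VPN client range, answering them with an empty NOERROR (NODATA) rather than the NXDOMAIN seen in the dig output.

```lua
-- Added example (not the post's or the GitHub script's code).
-- pdns-recursor 3.x Lua hook: answer AAAA queries from VPN clients with an
-- empty NOERROR response (NODATA), so those clients fall back to A records.
-- Queries from any other source, and all non-AAAA queries, resolve as usual.

-- Placeholder VPN client ranges; replace with the real tunnel address pool.
-- Plain dotted-quad prefix matching is enough for a /8, /16 or /24 pool.
local vpn_prefixes = { "10.8.0." }

local function from_vpn(ip)
  for _, prefix in ipairs(vpn_prefixes) do
    if ip:sub(1, #prefix) == prefix then
      return true
    end
  end
  return false
end

-- 3.x signature: remoteip is the client address as a string, qtype a number.
-- Returning -1 tells the recursor to resolve normally; any other rcode plus a
-- record table is sent straight back to the client without recursion.
function preresolve(remoteip, domain, qtype)
  if qtype == pdns.AAAA and from_vpn(remoteip) then
    pdnslog("filter-aaaa: NODATA for " .. domain .. " from " .. remoteip)
    return 0, {}   -- NOERROR with no answer records (NODATA), not NXDOMAIN
  end
  return -1, {}    -- not ours to touch: let the recursor resolve it
end
```

NODATA tells the client the name exists but has no AAAA record, which is what RFC 2308 expects here, whereas NXDOMAIN asserts the whole name is missing and may be negatively cached against A lookups too.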

Additionally, if you wanted to do other sorts of filtering, pdns lets you do this with a fancy function described here.

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.