Maintained by: NLnet Labs

Filter AAAA records within a specific zone

Dave Warren
Tue Jan 9 19:53:59 CET 2018

That's... Ugly. Effective though, and appreciated!

I was hoping for something that could work at the domain level rather 
than at the individual host level, but it appears only BIND offers this 
and I don't intend to switch from Unbound to BIND.

Can I assume this list has been at least somewhat static?

If not, or if I run into more services where this is an issue, I might 
need to bring up a BIND resolver just for these particular domains and 
have Unbound just forward these domains to BIND, but this too seems 
uglier than I'd like.

Either way, this will seem to get things working in the short term, and 
your efforts sorting it out and documenting are definitely making life 
easier in the short term, so my thanks!

On 2018-01-07 17:39, Jeremy Baker via Unbound-users wrote:
> I ran into this problem a while back, and posted my unbound solution here:
> On 01/06/2018 05:05 PM, Dave Warren via Unbound-users wrote:
>> Howdy!
>> Is there a way to have unbound filter/block AAAA records from being
>> returned from a specific zone?
>> It seems like BIND might allow this using the filter-aaaa-on-v6
>> directive, I'm looking for something similar in Unbound.
>> The underlying issue is that we've recently added HE's IPv6
>> tunnelbroker to our network, but certain services
>> *cough*Netflix*cough* reject traffic sent through a HE tunnel. I'm
>> looking for a way to force problem services through IPv4 and it seems
>> like one possible approach would be to limit their domains from
>> retrieving AAAA records.