BIND: Disabling IPv6 responses in the BIND DNS server
When using BIND9 as the DNS service in your own network, it can be helpful to disable IPv6 (AAAA) responses so that clients do not try to communicate over IPv6 when it has not been set up.
When doing a DNS request for a domain which has both IPv4 and IPv6 entries, you could get a response like:
~] host www.example.org
www.example.org has address 93.184.216.34
www.example.org has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
# or
~] host www.wikipedia.org
www.wikipedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 91.198.174.192
dyna.wikimedia.org has IPv6 address 2620:0:862:ed1a::1
You can also check the IPv6 AAAA record with the Linux dig utility:
~] dig AAAA www.example.org
; <<>> DiG 9.16.22-Debian <<>> AAAA www.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31420
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
; COOKIE: 405da6e620b47a7d010000006437cf4a86aedff0e973e470 (good)
;; QUESTION SECTION:
;www.example.org. IN AAAA
;; ANSWER SECTION:
www.example.org. 82447 IN AAAA 2606:2800:220:1:248:1893:25c8:1946
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 13 11:45:46 CEST 2023
;; MSG SIZE rcvd: 100
To disable IPv6 (AAAA) responses, we can filter them out of answers to DNS requests made over IPv4 with the filter-aaaa.so plugin. filter-aaaa.so is a query plugin module for named, enabling named to omit some IPv6 addresses when responding to clients.
Until BIND 9.12, this feature was implemented natively in named and enabled with the filter-aaaa ACL and the filter-aaaa-on-v4 and/or filter-aaaa-on-v6 options. These options are now deprecated in named.conf but can be passed as parameters to the filter-aaaa.so plugin.
On a newer BIND DNS server version you may see this message in the log files: option 'filter-aaaa-on-v4' is obsolete and should be removed
To do this, edit /etc/bind/named.conf and add a new section for the filter-aaaa.so plugin:
plugin query "filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    filter-aaaa-on-v6 yes;
    filter-aaaa { any; };
};
Once this is done, reload the configuration or restart BIND9:
# reload bind configuration
~] rndc reload
# or restart bind dns server
~] systemctl restart named
Now you can check the new configuration:
~] host -4 www.wikipedia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
www.wikipedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 91.198.174.192
You also receive only the IPv4 record for DNS requests made over IPv6:
~] host -6 www.wikipedia.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: ::ffff:127.0.0.1#53
Aliases:
www.wikipedia.org is an alias for dyna.wikimedia.org.
dyna.wikimedia.org has address 91.198.174.192
Disabling IPv6 DNS responses when using a BIND view statement
If you use a view statement in your BIND configuration, you may see this log message: when using 'view' statements, all plugins must be defined in views.
You must then define the filter-aaaa.so plugin configuration inside the view statement:
view "dns-default" {
    match-clients { any; };
    match-destinations { any; };
    recursion yes;
    .
    .
    .
    plugin query "filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa-on-v6 yes;
        filter-aaaa { any; };
    };
};
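As an added example (not part of the original post and not BIND's own code), a small Python check for the two log messages described above: it flags the obsolete native filter-aaaa options outside the plugin block, a plugin block defined outside a view when 'view' statements are used, a plugin block that enables neither filter-aaaa-on-v4 nor filter-aaaa-on-v6, and the break-dnssec setting. It assumes one statement per line and only // or # comments; the config fragments are constructed.

```python
import re

# Constructed example, not BIND's own code: a simplified linter for the filter-aaaa
# pitfalls above. It assumes one statement per line and only '//' or '#' comments.
PLUGIN_RE = re.compile(r'^plugin\s+query\s+"filter-aaaa\.so"\s*\{')
VIEW_RE = re.compile(r'^view\s+"[^"]*"\s*\{')
NATIVE_OPTIONS = ("filter-aaaa", "filter-aaaa-on-v4", "filter-aaaa-on-v6")

def lint_filter_aaaa(conf: str) -> list[str]:
    """Return findings for a named.conf fragment (an empty list means it looks sane)."""
    findings, depth, has_view = [], 0, False
    view_depth = plugin_depth = None   # brace depth where the open view/plugin block began
    plugin_enabled, top_level_plugins = False, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("//", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        word = line.rstrip(";").split() or [""]
        if VIEW_RE.match(line):
            has_view, view_depth = True, depth
        if PLUGIN_RE.match(line):
            plugin_depth, plugin_enabled = depth, False
            if view_depth is None:
                top_level_plugins.append(lineno)
        elif plugin_depth is not None:
            # Inside the plugin block the options are valid; only check their values.
            if word[0] in NATIVE_OPTIONS[1:] and len(word) > 1:
                plugin_enabled |= word[1] in ("yes", "break-dnssec")
                if word[1] == "break-dnssec":
                    findings.append(f"line {lineno}: {word[0]} break-dnssec strips AAAA from signed answers; validating clients will reject them")
        elif word[0] in NATIVE_OPTIONS:
            # Pre-9.12 native form outside the plugin block: named logs it as obsolete.
            findings.append(f"line {lineno}: option '{word[0]}' is obsolete and should be removed; set it inside the filter-aaaa.so plugin block")
        depth += line.count("{") - line.count("}")
        if plugin_depth is not None and depth <= plugin_depth:
            if not plugin_enabled:
                findings.append(f"line {lineno}: plugin block enables neither filter-aaaa-on-v4 nor filter-aaaa-on-v6, so no AAAA records are filtered")
            plugin_depth = None
        if view_depth is not None and depth <= view_depth:
            view_depth = None
    if has_view and top_level_plugins:
        findings.append(f"line {top_level_plugins[0]}: when using 'view' statements, all plugins must be defined in views")
    return findings

# Constructed fragments: the obsolete pre-9.12 syntax and the plugin form used on this page.
OBSOLETE_CONF = 'options {\n    filter-aaaa-on-v4 yes;\n    filter-aaaa { any; };\n};\n'
PLUGIN_CONF = ('plugin query "filter-aaaa.so" {\n    filter-aaaa-on-v4 yes;\n'
               '    filter-aaaa-on-v6 yes;\n    filter-aaaa { any; };\n};\n')
```

Run `lint_filter_aaaa()` over your own named.conf text before `rndc reload`; an empty list means none of the four pitfalls was found.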
BIND options
- filter-aaaa.so: a query plugin module for named, enabling named to omit some IPv6 addresses when responding to clients.
- filter-aaaa: specifies a list of client addresses for which AAAA filtering is to be applied. The default is any.
- filter-aaaa-on-v4: if set to yes, this option indicates that the DNS client is at an IPv4 address, in filter-aaaa. If the response does not include DNSSEC signatures, then all AAAA records are deleted from the response. This filtering applies to all responses, not only authoritative ones.
  If set to break-dnssec, then AAAA records are deleted even when DNSSEC is enabled. As suggested by the name, this causes the response to fail to verify, because the DNSSEC protocol is designed to detect deletions.
  This mechanism can erroneously cause other servers not to give AAAA records to their clients. If a recursing server with both IPv6 and IPv4 network connections queries an authoritative server using this mechanism via IPv4, it is denied AAAA records even if its client is using IPv6.
- filter-aaaa-on-v6: identical to filter-aaaa-on-v4, except that it filters AAAA responses to queries from IPv6 clients instead of IPv4 clients. To filter all responses, set both options to yes.
Resources
- filter-aaaa.so plugin documentation