Maintained by: NLnet Labs

[Unbound-users] Modifying answer with the Python API

Christophe Labonne
Fri Oct 24 10:20:14 CEST 2014


I was able to find an answer to my problem, so I guess my new question
would be: "Do you have any helpers in the Python API to decode Wireformat?"
Currently doing them and I'm nowhere near finished if I have to do them all
by hand.

Now, to answer to your other question about internet being broken in Japan.
Short answer: Yes.

Long answer: NTT has implemented a country-wide broken service that relies
on a completely "in-house rule" use of IPv6.
They give default IPv6 routes to subscribers of specific on-demand video
services, that only work in IPv6 and within their closed network.

When a user subscribed to such a service, the end result is that upon
resolving a website, like, say google.com,
their OS first tries accessing the v6 version (as it should), but since
this is not an actual internet service (even though they use public v6
addresses ...),
the connection attempt ends up timeouting.

When the user is lucky, the program will then fallback to IPv4... only
after the IPv6 attempt timeouted.
Every ISP and admin in Japan is angry at NTT for deciding this one-sidedly,
but this has been shoved down their throats and it's impossible to go
against the flow.

This has forced everyone to use extremely bad practices for DNS management
until this service gets phased out :
- If a user makes an explicit AAAA record query :
-> Does the target domain have both A and AAAA ?
  -> If they do, return an empty answer (drop the AAAA record)
  -> If they only have AAAA, then return AAAA
- If a user makes any other query (including ANY query) :
 -> Drop the AAAA record

This is what is called commonly a Quad-A filter (AAAA Filter), and there
exists patches for BIND.
However, in our work scenario, we can not afford to use BIND as we are
exposed to reflection attacks (customers having poorly configured routers,
that act as DNS open resolvers) and it performs too poorly under stress
scenarios.
Unbound happens to be able to handle the traffic in a smart way, and
provide adequate performance, but we would have a need to implement a
AAAA-filter to even use it without breaking NTT services...

I am alas perfectly aware that this goes against the goals of IPv6
implementation, that it breaks DNSSEC and does a lot of Bad Things(tm)... :(
However, we have to make do while they prepare the new services that will
allow easier and cleaner native IPv6 connections...

Again, thanks for your time.

2014-10-24 16:49 GMT+09:00 A. Schulze <sca at andreasschulze.de>:

>
> Christophe Labonne:
>
> no answer to you real question, sorry.
>
> but:
>
>> Because of the way internet works in Japan, I need to filter the DNS
>> requests so that it doesn't show AAAA except for a few websites
>>
>
> I me it reads as "we in japan have a broken internet, we cannot handle
> IPv6"
> Could you explain more about the /problem/ then describing your idea of a
> solution?
>
> Thanks
>
>
>
>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>



-- 
LABONNE Christophe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20141024/566f6da5/attachment.html>