Maintained by: NLnet Labs

Filter AAAA records within a specific zone

Daisuke HIGASHI
Wed Jan 10 14:47:35 CET 2018


Hi,

There seem to be two ways to mitigate the HE-Netflix issue with Unbound:

* * *

If you know all of Netflix's IPv6 address blocks, add these lines to unbound.conf:

 server:
  private-address: 2406:da00:ff00::/48
  private-address: 2607:fb10::/32
  private-address: 2620:0:ef0::/48
  private-address: 2a00:86c0::/32
  private-address: 2620:108:700f::/48
  ....

This configuration removes NF's AAAA (IPv6) records from Unbound's answers.

* * *

To implement an AAAA filter for NF's domains only,
you need to run two Unbound instances on your machine[1].

1. Start an Unbound instance which does AAAA filtering for
   _all_ domains (listening on port 10053)

# unbound-aaaa-filter.conf
 server:
  private-address: ::/0  # filters out all AAAA !
  port: 10053
  username: ""
  chroot: ""

2. Configure your main Unbound instance to forward Netflix queries
   to the AAAA-filtered instance.

# unbound-main.conf
 server:
  do-not-query-localhost: no
 forward-zone:
  name: netflix.com
  forward-addr: 127.0.0.1@10053
 forward-zone:
  name: nflximg.com
  forward-addr: 127.0.0.1@10053
 forward-zone:
  name: nflxext.com
  forward-addr: 127.0.0.1@10053
  ....

[1] essentially the same method as configuring BIND9's AAAA filter per domain:
    https://serverfault.com/questions/826872/return-a-records-but-not-aaaa-records-on-specific-domain-in-bind9

--
 Daisuke HIGASHI
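An added illustration, not part of the post and not Unbound's code, that emulates in Python what the two configurations above do to a DNS answer: private-address drops address records that fall inside a listed block, and forward-zone decides which names reach the ::/0 filtering instance. All names, blocks and record data are constructed (documentation prefixes, not real Netflix ranges); the api.netflix.com entry sits in a block the first method does not list, to show the difference between the two approaches.

```python
import ipaddress

# Constructed sample answers (documentation prefixes, not real Netflix addresses)
SAMPLE_ANSWERS = {
    "www.netflix.com.": [("A", "203.0.113.10"), ("AAAA", "2001:db8:1::10")],
    "api.netflix.com.": [("A", "203.0.113.20"), ("AAAA", "2001:db8:9::20")],
    "example.org.":     [("A", "198.51.100.7"), ("AAAA", "2001:db8:2::7")],
}

# Method 1: known blocks listed as private-address in the main instance
# (assumed list; 2001:db8:9::/48 is deliberately *not* in it)
KNOWN_BLOCKS = ["2001:db8:1::/48"]
# Method 2: a filtering instance with private-address ::/0, reached only
# through forward-zone entries for the listed zones
FILTER_BLOCKS = ["::/0"]
FORWARD_ZONES = ["netflix.com.", "nflximg.com.", "nflxext.com."]

def strip_private(records, blocks):
    """Emulate private-address: drop address records inside any listed block."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    kept = []
    for rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr.version == n.version and addr in n for n in nets):
                continue  # Unbound removes the record from the answer
        kept.append((rtype, rdata))
    return kept

def in_forward_zone(qname, zones):
    """Suffix match: does qname fall under one of the forward-zone names?"""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) + "." in zones for i in range(len(labels)))

def answer_method1(qname):
    """Single instance; only addresses in KNOWN_BLOCKS are removed."""
    return strip_private(SAMPLE_ANSWERS[qname], KNOWN_BLOCKS)

def answer_method2(qname):
    """Main instance forwards listed zones to the ::/0 filtering instance."""
    records = SAMPLE_ANSWERS[qname]
    if in_forward_zone(qname, FORWARD_ZONES):
        return strip_private(records, FILTER_BLOCKS)
    return records  # other zones are resolved normally, AAAA intact
```

With method 1 the unlisted block leaks the AAAA for api.netflix.com, while method 2 strips every AAAA under the forwarded zones and leaves example.org untouched.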