In message <CAEBgQMwhZkpsd=apjdzydcg+5hmzqsw_uefm2hgngczmjk0...@mail.gmail.com>
, Paul Reilly writes:
> Hello gurus,
>
> Is it possible using the BIND resolver to filter out AAAA record replies to
> end clients?
BIND 9.10 has the following but we are not yet up to alpha release state
yet.
3327. [func] Added 'filter-aaaa-on-v6' option; this is similar
to 'filter-aaaa-on-v4' but applies to IPv6
connections. (Use "configure --enable-filter-aaaa"
to enable this option.) [RT #27308]
> Since Google added an IPv6 AAAA record, I'm having problems with some Macs
> trying to connect to Google on IPv6 instead of IPv4.
> We have a partial IPv6 network. IPv6 works internally, but outbound
> internet access is only permitted using IPv4.
One needs to ask "why?". There are plenty of tunnel providers if
your ISP don't offer native IPv6 and most of them are free and there
are stateful IPv6 firewalls that can be configured to allow in only
reply traffic.
> However the Macs are seeing the IPv6 address for google.com, and trying to
> connect over IPv6 which eventually just times out.
Are you routers generating ICMPv6 unreachables? Are you letting
them reach the clients? You need to make the network behave as if
there is a down external IPv6 link and the router that is connected
to it is sending back unreachables.
> We don't have desktop control over our large Mac user base, so turning off
> IPv6 is not so easy.
Are you Mac's running Lion? It does a good job of moving traffic
to IPv4 if IPv6 is unreachable.
> I was thinking I could configure BIND to only return A records from
> google.com and not any AAAA records.
>
> Is this possible?
>
> Thanks
> Paul
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
