Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Unbound: AAAA-only mode #5944

Closed
2 tasks done
maurice-w opened this issue Aug 11, 2022 · 6 comments · Fixed by #5945
Closed
2 tasks done

Feature: Unbound: AAAA-only mode #5944

maurice-w opened this issue Aug 11, 2022 · 6 comments · Fixed by #5945
Assignees
@maurice-w
Labels
feature Adding new functionality
Milestone
23.1

Comments

@maurice-w
Copy link
Member

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

Some poorly implemented devices (IoT) do have IPv6 support, but prefer IPv4 whenever possible. These devices do perform DNS queries for A + AAAA records. If both exist, they should use IPv6, but actually use IPv4. Some devices don't even "fall back" to IPv6 in case IPv4 connections fail. The solution to this is only sending AAAA records in DNS responses, which successfully forces these devices to use IPv6.

Describe the solution you like

I would like an option in the Unbound settings which removes all A records from responses. Since this only makes sense if all host names have AAAA records, this option should only apply if DNS64 is enabled.

Additional context

This is also useful for testing which devices / applications brake if there are no A records in DNS at all.
@maurice-w maurice-w mentioned this issue Aug 11, 2022
Merged
@fichtner fichtner added the feature Adding new functionality label Aug 11, 2022
@fichtner fichtner added this to the 23.1 milestone Aug 11, 2022
fichtner added a commit that referenced this issue Aug 11, 2022
@fichtner
unbound: reduce code size a little #5944
4bc0871
@fichtner
Copy link
Member

@maurice-w can you check 4bc0871 for me on top? too many variables in the config and if/else bootstrap for my taste

@maurice-w
Copy link
Member Author

@fichtner Thanks for the clean-up, works fine! We don't strictly need the .= and \n here, do we?

core/src/etc/inc/plugins.inc.d/unbound.inc

Line 128 in 4bc0871

$dns64_config .= "\ndns64-prefix: {$config['unbound']['dns64prefix']}";

Same here for .=:

core/src/etc/inc/plugins.inc.d/unbound.inc

Line 131 in 4bc0871

$module_config .= 'respip ';

@fichtner
Copy link
Member

for consistency and later additions all the conditionals should only append (and clear lines if they add full configuration lines).

@maurice-w
Copy link
Member Author

Makes sense, I'll keep that in mind. Thanks!

@KDGundermann
Copy link

sorry my dumb question but I'm new to OPNsense and Unbound
but is there also an A-only mode ?
(as we use only IPv4 in our network )

@maurice-w
Copy link
Member Author

@KDGundermann There is no A-only mode. What problem would that solve?

fichtner pushed a commit that referenced this issue Aug 24, 2022
@maurice-w @fichtner
Unbound: add AAAA-only mode #5944
f217356 
Allows removing all A records from responses.

(cherry picked from commit 98410ae)
(cherry picked from commit 4bc0871)
(cherry picked from commit 9fc7823)
@maurice-w maurice-w mentioned this issue Jan 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maurice-w maurice-w

Labels
feature Adding new functionality
Milestone
23.1
Development

Successfully merging a pull request may close this issue.

Unbound / DNS64: add AAAA-only mode maurice-w/opnsense-core
3 participants
@KDGundermann @fichtner @maurice-w