Filter AAAA option in BIND 9

When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions.  This filtering does not affect the recursive queries made by the server (if any) as a result of the client request.

To use this filtering, the following conditions must be met:

  • BIND 9 must be compiled with a special build-time option (./configure --enable-filter-aaaa);
  • an options statement enabling it (for example, filter-aaaa-on-v4 yes; and/or filter-aaaa-on-v6 yes;) must be declared in named.conf; and
  • the client must not be excluded by the filter-aaaa ACL (this defaults to any, so it is normally satisfied).

If AAAA filtering is active for a given transport, and a query for type AAAA or ANY is received via that transport, then AAAA records will be omitted from the response, UNLESS the response is DNSSEC-signed.

If filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec instead of yes, then AAAA records will be omitted even if they are signed. RRSIG records covering type AAAA will be omitted as well.
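To make the rules above concrete, here is a small Python model of the decision a resolver makes under these options. It is an added illustration, not BIND's code: the `FilterPolicy` fields mirror the named.conf options named on this page, the ACL handling is deliberately simplified (only `any`, `none` and CIDR prefixes), and the sample answer, client addresses and policy are constructed for the example. It shows how the transport, the filter-aaaa ACL, the query type, DNSSEC signing and the `yes` versus `break-dnssec` setting combine, including that `break-dnssec` also strips the RRSIG covering AAAA while leaving other RRSIGs in place.

```python
"""Model of the filter-aaaa decision rules (illustrative only, not BIND code).

The policy built below corresponds to this constructed named.conf fragment:

    options {
        filter-aaaa-on-v4 yes;
        filter-aaaa-on-v6 break-dnssec;
        filter-aaaa { 192.0.2.0/24; 2001:db8::/32; };
    };
"""
import ipaddress
from dataclasses import dataclass, field

OFF, YES, BREAK_DNSSEC = "no", "yes", "break-dnssec"


@dataclass
class FilterPolicy:
    # Hypothetical field names mirroring the named.conf options on the page.
    filter_aaaa_on_v4: str = OFF
    filter_aaaa_on_v6: str = OFF
    filter_aaaa: list = field(default_factory=lambda: ["any"])  # ACL; BIND defaults to any


def client_matches_acl(client_ip: str, acl: list) -> bool:
    """Simplified ACL match: 'any', 'none', or CIDR prefixes (no negation, no TSIG keys)."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def filter_response(policy: FilterPolicy, client_ip: str, qtype: str, rrsets: list, dnssec_signed: bool) -> list:
    """Return the RRsets the resolver would hand back to this client.

    rrsets: list of dicts such as {"type": "AAAA", "data": "2001:db8::1"}
            or {"type": "RRSIG", "covers": "AAAA"}.
    dnssec_signed: True when the answer is DNSSEC-signed (it carries RRSIGs).
    """
    transport_v4 = ipaddress.ip_address(client_ip).version == 4
    mode = policy.filter_aaaa_on_v4 if transport_v4 else policy.filter_aaaa_on_v6

    # Filtering applies only if enabled for this transport, the client matches
    # the filter-aaaa ACL, and the query type is AAAA or ANY.
    if mode == OFF or not client_matches_acl(client_ip, policy.filter_aaaa):
        return list(rrsets)
    if qtype not in ("AAAA", "ANY"):
        return list(rrsets)
    # 'yes' leaves DNSSEC-signed answers untouched; 'break-dnssec' does not.
    if dnssec_signed and mode == YES:
        return list(rrsets)

    kept = []
    for rr in rrsets:
        if rr["type"] == "AAAA":
            continue  # AAAA records are always omitted at this point
        if mode == BREAK_DNSSEC and rr["type"] == "RRSIG" and rr.get("covers") == "AAAA":
            continue  # break-dnssec also drops the RRSIG covering AAAA
        kept.append(rr)
    return kept


def types(rrsets: list) -> list:
    """Compact view of an answer, e.g. ['A', 'RRSIG/A', 'AAAA', 'RRSIG/AAAA']."""
    return [rr["type"] + ("/" + rr["covers"] if "covers" in rr else "") for rr in rrsets]


# Constructed sample answer for a signed dual-stack name.
SIGNED_ANSWER = [
    {"type": "A", "data": "192.0.2.10"},
    {"type": "RRSIG", "covers": "A"},
    {"type": "AAAA", "data": "2001:db8::10"},
    {"type": "RRSIG", "covers": "AAAA"},
]
UNSIGNED_ANSWER = [rr for rr in SIGNED_ANSWER if rr["type"] != "RRSIG"]

# Constructed policy matching the named.conf fragment in the module docstring.
POLICY = FilterPolicy(YES, BREAK_DNSSEC, ["192.0.2.0/24", "2001:db8::/32"])


if __name__ == "__main__":
    cases = [
        ("192.0.2.5", "AAAA", UNSIGNED_ANSWER, False),     # v4, yes, unsigned: AAAA dropped
        ("192.0.2.5", "AAAA", SIGNED_ANSWER, True),        # v4, yes, signed: untouched
        ("2001:db8::5", "ANY", SIGNED_ANSWER, True),       # v6, break-dnssec: AAAA and RRSIG/AAAA dropped
        ("198.51.100.5", "AAAA", UNSIGNED_ANSWER, False),  # outside the ACL: untouched
    ]
    for client, qtype, answer, signed in cases:
        print(client, qtype, types(filter_response(POLICY, client, qtype, answer, signed)))
```

The last case is the one worth checking in a real deployment: if the `filter-aaaa` ACL is narrowed from its default of `any`, clients outside it get unfiltered answers even though `filter-aaaa-on-v4`/`-v6` is set, so a quick `dig AAAA` from inside and outside the ACL is the simplest way to confirm the configuration does what you expect.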

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
