OPNsense Forum

English Forums => 23.7 Legacy Series => Topic started by: bcookatpcsd on December 01, 2023, 10:00:48 pm

Title: unbound Enable AAAA-only mode and squid dns_v4_first
Post by: bcookatpcsd on December 01, 2023, 10:00:48 pm
Squid no longer supports dns_v4_first, which means that if squid gets an AAAA record it will try to use it.

I enabled dnscrypt-proxy to filter out AAAA records (I made custom DNS stamps as well), and it made a little bit of a difference in squid.

(Not so much that you could notice.)

Is there a way to get Unbound to filter out AAAA? (I know there used to be a Python filter for it, but that was a while ago.)

(The second image is using the squid proxy to make the same query; the red is trying to get dns_v4_first working.)

Also, any plans to update dnscrypt-proxy2?

Frank's GitHub says January 3, 2021 is when 2.0.45 came out.

Open to suggestions..

Thanks in advance..
Title: Re: unbound Enable AAAA-only mode and squid dns_v4_first
Post by: Maurice on December 01, 2023, 11:39:32 pm
Not sure what you're trying to achieve. If you don't want to use IPv6 for some reason, why not disable it on the WAN interface?

The current implementation of the Unbound AAAA-only mode works by loading the respip module and adding this directive:

response-ip: 0.0.0.0/0 redirect

You might be able to do the same for "A-only" by adding a custom configuration file. But be aware that this has a negative impact on Unbound's performance and memory footprint. The AAAA-only mode is only meant for testing and as workaround for some broken apps.

Cheers
Maurice
Title: Re: unbound Enable AAAA-only mode and squid dns_v4_first
Post by: doktornotor on December 02, 2023, 11:34:49 am
Unbound is not even compiled with FILTER_AAAA. Use BIND.

Code:
# pkg info unbound
unbound-1.19.0
Name           : unbound
Version        : 1.19.0
Installed on   : Sat Nov 25 18:41:29 2023 CET
Origin         : dns/unbound
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : dns
Licenses       : BSD3CLAUSE
Maintainer     : jaap@NLnetLabs.nl
WWW            : https://www.nlnetlabs.nl/projects/unbound
Comment        : Validating, recursive, and caching DNS resolver
Options        :
        DEP-RSA1024    : off
        DNSCRYPT       : on
        DNSTAP         : off
        DOCS           : off
        DOH            : on
        DYNLIB         : on
        ECDSA          : on
        EVAPI          : off
        FILTER_AAAA    : off
        GOST           : on
        HIREDIS        : off
        LIBEVENT       : on
        MUNIN_PLUGIN   : off
        PYTHON         : on
        SUBNET         : off
        TFOCL          : off
        TFOSE          : off
        THREADS        : on
Title: Re: unbound Enable AAAA-only mode and squid dns_v4_first
Post by: bcookatpcsd on December 02, 2023, 06:44:42 pm
Thank you for that..

I was trying to get ECS going and could not confirm that it was working; I couldn't find a way to find out what Unbound was compiled with.

@maurice

If you don't use squid, then I agree it does not seem like a logical request.

If squid gets an AAAA entry it tries to process it; dns_v4_first used to mitigate that.

Modern squid seems not to respect that anymore.

This looks to be the squid answer:

(https://wiki.squid-cache.org/Features/IPv6)
Example creation in squid.conf:

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

(and then something like)
http_access deny to_ipv6

There doesn't seem to be a way from the GUI to get to the squid.conf for local additions.

dnscrypt-proxy can filter (and log) IPv6/AAAA being blocked.

Doing so reduced the squid lag tremendously..

at least in my case (as shown in the graphs..)

Not sure if that helps..
Title: Re: unbound Enable AAAA-only mode and squid dns_v4_first
Post by: Maurice on December 02, 2023, 06:53:54 pm
I don't fully understand that squid issue, but regarding Unbound: The easiest option is to add ::/0 to the rebind protection networks (in the advanced settings). This should remove all AAAA records. Side effects TBD.

Cheers
Maurice
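Maurice's two suggestions above (the respip redirect behind the AAAA-only mode, mirrored for A-only, and ::/0 in the rebind-protection networks), as an added example in shell that is not code from the thread or from OPNsense's templates: it emits either include and checks with drill whether AAAA records still come back. The include directory /usr/local/etc/unbound.opnsense.d, the mapping of the GUI rebind field to private-address:, the configctl restart action and the name www.heise.de used for the live check are assumptions; the drill output used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense's templates: two ways
# to make Unbound drop every AAAA record, plus a check that the filter holds.
# Assumed paths and behaviours are marked as such.

# Variant 1 (Maurice's second post): treat all of IPv6 as a rebind-protection
# range. Unbound removes A/AAAA records that fall inside a private-address
# range from its answers, so ::/0 turns every AAAA answer into an empty
# (NODATA) one. Caveat from unbound.conf(5): the DNSSEC validator may mark
# such answers bogus, so test a DNSSEC-signed name as well.
# Assumption: the GUI "rebind protection networks" field renders as
# private-address:, so adding ::/0 there is equivalent to this include.
unbound_aaaa_strip_rebind() {
    cat <<'EOF'
server:
    private-address: ::/0
EOF
}

# Variant 2 (Maurice's first post, mirrored): the respip module with a
# data-less redirect strips the matching RRset, the same mechanism the
# AAAA-only mode uses with 0.0.0.0/0. Only the last module-config line in
# the whole configuration counts, so check what the generated unbound.conf
# already sets before adding this one (the AAAA-only mode adds respip itself).
unbound_aaaa_strip_respip() {
    cat <<'EOF'
server:
    module-config: "respip validator iterator"
    response-ip: ::/0 redirect
EOF
}

# Count AAAA records in the ANSWER SECTION of drill/dig output on stdin.
answer_aaaa_count() {
    awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^$/                  { inans = 0 }
        inans && $4 == "AAAA" { n++ }
        END                   { print n + 0 }
    '
}

# Ask the resolver for AAAA and report whether any IPv6 address got through.
check_resolver() {
    name=$1; resolver=$2
    n=$(drill "$name" "@$resolver" AAAA | answer_aaaa_count)
    if [ "$n" -eq 0 ]; then
        echo "ok: no AAAA for $name via $resolver"
    else
        echo "FAIL: $n AAAA record(s) for $name via $resolver"
        return 1
    fi
}

# Constructed drill output (documentation addresses) for an offline check of
# the parser: before the filter, and after it.
SAMPLE_DRILL_UNFILTERED=';; QUESTION SECTION:
;; www.example.com.     IN      AAAA

;; ANSWER SECTION:
www.example.com.        300     IN      CNAME   example.com.
example.com.            300     IN      AAAA    2001:db8::1
example.com.            300     IN      AAAA    2001:db8::2

;; AUTHORITY SECTION:'

SAMPLE_DRILL_FILTERED=';; QUESTION SECTION:
;; www.example.com.     IN      AAAA

;; ANSWER SECTION:
www.example.com.        300     IN      CNAME   example.com.

;; AUTHORITY SECTION:'

# Apply variant 1 and verify. Guarded so the functions above can be sourced
# or tested without touching the running resolver. Assumed: the custom
# include directory /usr/local/etc/unbound.opnsense.d and configctl's
# unbound restart action.
if [ "${1:-}" = "apply" ]; then
    unbound_aaaa_strip_rebind > /usr/local/etc/unbound.opnsense.d/no-aaaa.conf
    configctl unbound restart
    check_resolver www.heise.de 127.0.0.1
fi
```

Run it as `sh no-aaaa.sh apply` on the firewall; without the argument it only defines the functions, so it can be sourced for ad-hoc checks such as `check_resolver example.org 127.0.0.1`. Variant 1 is the one to reach for first: it needs no change to module-config and is exactly what the GUI field produces.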
Title: Re: unbound Enable AAAA-only mode and squid dns_v4_first
Post by: kd.gundermann on March 04, 2024, 06:09:34 pm
Quote from: Maurice on December 02, 2023, 06:53:54 pm
I don't fully understand that squid issue,

The issue is that squid tries to access the website using IPv6 even when the WAN connection is IPv4 only:
Code:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://www.heise.de/*

    Connection to 2a02:2e0:3fe:1001:7777:772e:2:85 failed.

The system returned: (65) No route to host

The remote host or network may be down. Please try the request again.

Your cache administrator is administrator@xxxxx.xx.

Generated Mon, 04 Mar 2024 17:02:32 GMT by fw01.intern.xxxxx.xx (squid/6.5)
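The squid side, serving both bcookatpcsd's squid ACL post and the error page kd.gundermann pasted above, as an added example in shell that is not code from the thread, the squid wiki or OPNsense: the wiki's ACL pair packaged as a drop-in include, and a small reader that pulls the dialled address out of a squid error page so the symptom above can be checked from the shell with curl. The pre-auth include directory, the behaviour of the dst ACL on dual-stack names and the proxy address 127.0.0.1:3128 are assumptions; the sample error text is constructed from the page above.

```shell
#!/bin/sh
# Added example, not from the thread, the squid wiki or OPNsense: the ACL pair
# quoted from https://wiki.squid-cache.org/Features/IPv6 as an include file,
# and a reader for squid's error page that reports which address squid
# actually dialled. Assumed paths and behaviours are marked as such.

# Assumption: OPNsense includes /usr/local/etc/squid/pre-auth/*.conf into the
# generated squid.conf (check your version; the generated file itself is
# rewritten on every reconfigure). The deny has to precede the http_access
# allow rules, so confirm its position with:
#   grep -n http_access /usr/local/etc/squid/squid.conf
squid_no_ipv6_acl() {
    cat <<'EOF'
# Deny requests whose destination resolves to an IPv6 address.
acl to_ipv6 dst ipv6
http_access deny to_ipv6
EOF
}
# Caveat: if your squid's dst ACL matches when any of the resolved addresses
# matches, this denies dual-stack sites outright instead of steering them to
# IPv4, and stripping AAAA in the resolver is the less disruptive fix.

# Pull the dialled address out of "Connection to <addr> failed." and report
# its family. Prints "ipv6 <addr>", "ipv4 <addr>" or "none".
squid_error_target() {
    awk '
        /Connection to .* failed/ {
            for (i = 1; i <= NF; i++) if ($i == "to") { addr = $(i + 1); break }
            fam = (addr ~ /:/) ? "ipv6" : "ipv4"
            print fam " " addr
            found = 1
            exit
        }
        END { if (!found) print "none" }
    '
}

# Fetch through the proxy and classify any connect failure. Use an http://
# URL: on a failed CONNECT for https, curl does not hand back the error body.
probe_via_proxy() {
    proxy=$1; url=$2
    curl -sS -x "$proxy" "$url" | squid_error_target
}

# Constructed sample, shaped like the error page in the thread.
SAMPLE_SQUID_ERROR='ERROR
The requested URL could not be retrieved

    Connection to 2a02:2e0:3fe:1001:7777:772e:2:85 failed.

The system returned: (65) No route to host'

# Apply and probe. Guarded so the functions can be sourced or tested without
# touching the running proxy. Assumed: the pre-auth directory above and a
# proxy listening on 127.0.0.1:3128.
if [ "${1:-}" = "apply" ]; then
    squid_no_ipv6_acl > /usr/local/etc/squid/pre-auth/no-ipv6.conf
    squid -k parse && squid -k reconfigure
    probe_via_proxy http://127.0.0.1:3128 http://www.heise.de/
fi
```

Before changing anything, `probe_via_proxy http://127.0.0.1:3128 http://www.heise.de/` against the unmodified proxy reproduces the "(65) No route to host" case from the shell: an `ipv6 ...` line means squid is still dialling IPv6 on an IPv4-only WAN, `none` means the request went through.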