I want to selectively override AAAA record resolution for Netflix domains yet keep A record resolution intact, as described in this (https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6) GitHub gist. Yes, I use Tunnelbroker for IPv6 and still want to use Netflix...
The problem is that the Unbound overrides in OPNsense are impacting both A and AAAA at the same time; if I redirect netflix.com to ::, the override will work for both A and AAAA requests, as tested by dig commands:
dig @192.168.1.1 netflix.com AAAA
dig @192.168.1.1 netflix.com A
Am I doing it wrong? Is this by design for the current Unbound implementation? Any idea how to achieve the desired result of overriding AAAA but not A records?
To provide more details for reproduction:
- Create a single override in Services/Unbound/Overrides:
Host: *
Domain: netflix.com
Type: A or AAAA
IP: ::
Here are the dig results before the entry:
dig @192.168.1.1 netflix.com AAAA
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7685
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com. IN AAAA
;; ANSWER SECTION:
netflix.com. 21 IN AAAA 2620:108:700f::3424:eece
netflix.com. 21 IN AAAA 2620:108:700f::340b:d31a
netflix.com. 21 IN AAAA 2620:108:700f::22d8:7a24
netflix.com. 21 IN AAAA 2620:108:700f::22d1:16ca
netflix.com. 21 IN AAAA 2620:108:700f::342b:d6c4
netflix.com. 21 IN AAAA 2620:108:700f::23a1:2008
netflix.com. 21 IN AAAA 2620:108:700f::341a:4fae
netflix.com. 21 IN AAAA 2620:108:700f::3427:1a02
dig @192.168.1.1 netflix.com A
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23065
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com. IN A
;; ANSWER SECTION:
netflix.com. 20 IN A 52.33.157.25
netflix.com. 20 IN A 52.25.226.150
netflix.com. 20 IN A 54.187.176.196
netflix.com. 20 IN A 52.11.104.17
netflix.com. 20 IN A 35.161.95.70
netflix.com. 20 IN A 34.208.21.204
netflix.com. 20 IN A 34.216.180.180
netflix.com. 20 IN A 34.215.127.206
And after the entry:
dig @192.168.1.1 netflix.com A
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6521
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com. IN A
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Oct 15 13:47:01 PDT 2020
;; MSG SIZE rcvd: 40
dig @192.168.1.1 netflix.com AAAA
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.1 netflix.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8831
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netflix.com. IN AAAA
;; ANSWER SECTION:
netflix.com. 3600 IN AAAA ::
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Oct 15 13:47:12 PDT 2020
;; MSG SIZE rcvd: 68
Clearly a single override impacted both AAAA and A records.
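An added example, not from the original post and not OPNsense's generated configuration, showing the Unbound zone type that produces the empty A answer seen in the dig output above, and the zone type that answers only the queried record type. It assumes the override can be expressed as plain unbound.conf local-zone/local-data statements (for instance through the custom options OPNsense lets you pass to Unbound); www.netflix.com is a constructed placeholder host.

```conf
# Added example (constructed, not OPNsense's rendered config).
# Assumes these lines are loaded by Unbound alongside the rest of unbound.conf.

# 1) Reproduction of the behaviour in the post. A local-data line without an
#    explicit local-zone creates a zone of the default type "transparent":
#    a name that has local data is answered ONLY from that data, so a query
#    for any other type at that name gets NOERROR with zero answers (NODATA).
#    That matches the "flags: qr aa rd ra ... ANSWER: 0" reply for the A query.
#    Commented out so that only one zone definition for netflix.com is active.
#local-zone: "netflix.com." transparent
#local-data: "netflix.com. 3600 IN AAAA ::"

# 2) Selective override. "typetransparent" uses local data only when the
#    query type matches; queries for other types are resolved normally.
#    AAAA for netflix.com -> :: (unspecified address, so clients fall back
#    to IPv4); A for netflix.com -> normal recursive resolution.
local-zone: "netflix.com." typetransparent
local-data: "netflix.com. 3600 IN AAAA ::"

# local-data matches the exact owner name only, so every host that should
# lose its AAAA answer needs its own line (placeholder host shown).
local-data: "www.netflix.com. 3600 IN AAAA ::"
```

After reloading Unbound, the same two dig commands from the post are the check: the AAAA query should return the single :: record and the A query should again return the upstream addresses rather than an empty answer.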