25.7.8 Unbound blocklist source nets

Started by gpfountz, November 26, 2025, 08:28:30 PM

Mainly, none of the RFC authors ever considered that with the abundance of IPv6 addresses, any ISP would ever even think of using dynamic prefixes. Alas, that is the reality for most consumer setups now.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on December 02, 2025, 11:20:46 PM
Mainly, none of the RFC authors ever considered that with the abundance of IPv6 addresses, any ISP would ever even think of using dynamic prefixes. Alas, that is the reality for most consumer setups now.

Nailed it!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

True, but it doesn't explain why e.g. Unbound or Kea do not have dynamic prefix support built in as of today.


Cheers,
Franco

Maybe people should open github issues with Kea and Unbound then asking for it. :0

Could be the projects are simply unaware.
Hardware:
DEC740

Maybe if OpenWrt and OPNsense would push for that it would gain some traction, yet it's also a literal uphill battle while software authors try to keep their scope small at the price of someone else dealing with all the consequences.


Cheers,
Franco

At least for Unbound the fix is rather simple from a configuration perspective.

Reject humanity (IPv6 DNS Server IP), return to monkey (IPv4 only DNS internally)

Should not hurt the client too much in dual stack networks.

So IPv6 reject rule in PF for DNS.
Hardware:
DEC740
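As an added illustration of the "IPv6 reject rule in PF for DNS" idea above (this is not configuration posted by anyone in the thread or shipped by OPNsense), a pf.conf fragment that refuses IPv6 DNS to the firewall's own resolver while leaving IPv4 DNS open. The interface name `lan0` is an assumption; adjust it to the LAN interface in use.

```pf
# Added example, not from the thread. Assumed interface: lan0.
# Goal: dual-stack clients get an immediate refusal on IPv6 and fall back
# to the resolver's IPv4 address, so Unbound's access-control / blocklist
# source nets only ever need stable IPv4 ranges and never have to track
# an ISP-assigned IPv6 prefix that changes.

# "block return" instead of a silent "block drop": the client receives an
# ICMPv6 port-unreachable (UDP) or a TCP RST and fails over at once instead
# of waiting out a resolver timeout. "self" is pf's keyword for every
# address on every interface of the firewall.
block return in quick on lan0 inet6 proto { tcp, udp } from any to self port 53

# IPv4 DNS from the LAN to the local resolver stays allowed.
pass in quick on lan0 inet proto { tcp, udp } from lan0:network to self port 53
```

Because both rules are marked `quick`, they take effect regardless of later rules in the ruleset; place them before any broad `pass in on lan0` rule. Clients should still receive an IPv4 DNS server address via DHCP (and no IPv6 DNS address via RA/DHCPv6) so the fallback is immediate rather than relying on retries.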