
[FR] Exclude specific domain from DNS64 operation

Open huntx opened this issue 9 months ago • 1 comment

Current behavior

When DNS64 is enabled, the DNS64 operation is applied to all domains by default, with no option to exclude specific domains from DNS64 operation.

Attempts to exclude a domain from DNS64 operation have been unsuccessful:

  1. Forwarding the domain query to an external recursive DNS — The DNS64 operation is still applied to the response from the external DNS server.
  2. Overwriting the domain’s AAAA records using RPZ with 'nodata' — RPZ does not support rewriting only AAAA records. This results in both A and AAAA records being overwritten with 'nodata'.

Describe the desired feature

Support for outdated or legacy applications that request AAAA records over IPv4 connectivity and persistently attempt to connect via IPv6 when receiving an IPv6 response from the DNS server.

Potential use-case

To enable support for legacy applications that are incompatible with IPv6 connectivity but still request AAAA records.

huntx, Mar 10 '25 04:03

I would like to see such a feature, too. My use case is that some hosts sit behind IPv4 routes with very small MTUs, smaller than IPv6's minimum MTU of 1280. What happens in such a case is that even dual-stacked hosts become unable to communicate with such hosts if they prefer to use the DNS64 AAAA address for communication.

Example of such a host: Backblaze's API servers.

My current workaround is to use two separate unbound instances, one with, one without DNS64, and point my IPv6-only hosts to the unbound instance with DNS64 enabled, increasing network admin complexity.

mbunkus, Jul 26 '25 16:07
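The two-instance workaround described in the comment above, written out as an added example of unbound configuration (not a configuration taken from the issue or from the unbound project). The listen and client addresses are constructed documentation-range values; the file paths and the split of clients into an IPv6-only group and a dual-stack group are assumptions.

```conf
# /etc/unbound/unbound-dns64.conf  (constructed example)
# Instance 1: DNS64 enabled. Point IPv6-only hosts here. Every name without
# native AAAA records gets a synthesized AAAA under dns64-prefix, so peers
# reachable only over small-MTU IPv4 paths (the issue in the comment) will be
# contacted via the synthesized address by dual-stack clients that use it.
server:
    interface: 2001:db8::53          # constructed listen address
    port: 53
    access-control: 2001:db8::/64 allow
    # dns64 must precede validator in the module chain
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96       # well-known NAT64/DNS64 prefix
    dns64-synthall: no               # only synthesize when no AAAA exists

# /etc/unbound/unbound-plain.conf   (constructed example)
# Instance 2: no DNS64 module. Point dual-stack hosts here so that names such
# as the ones mentioned in the thread resolve to their real A records only and
# no DNS64 AAAA address is ever returned to those clients.
server:
    interface: 192.0.2.53            # constructed listen address
    port: 53
    access-control: 192.0.2.0/24 allow
    module-config: "validator iterator"
```

Because the DNS64 module runs on every answer the first instance produces, including forwarded ones, a per-domain exclusion is not expressible in a single instance today; the split is the only way to give one client group DNS64 and the other none.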