Zentyal Configuration to Disable IPv6 DNS Responses

Home > Zentyal > Zentyal Configuration to Disable IPv6 DNS Responses

Configure Zentyal to Not Return IPv6 Addresses

Objective: Prevent the Zentyal DNS server (BIND) from returning IPv6 (AAAA) records in DNS responses.

Note: This configuration will work only if the filter-aaaa.so plugin is available and compiled with the installed BIND version on the Zentyal server. If the plugin is not present or not compatible with the BIND version in use, IPv6 (AAAA) record filtering will not function as expected.

Step 1: Update BIND Configuration

Edit the BIND options file on the Zentyal server and add the plugin block at the bottom of the file:

vim /etc/bind/named.conf.options

Add the following configuration at the end of the file:

plugin query "/usr/lib/x86_64-linux-gnu/bind/filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    # optionally, also filter IPv6 clients:
    # filter-aaaa-on-v6 yes;
    # optionally restrict which clients are filtered:
    # filter-aaaa { any; };
};

Save the file and exit.

Step 2: Restart the BIND Service

Restart the BIND service to apply the changes:

systemctl restart bind9

Step 3: Verify DNS Resolution

From any client machine, verify that IPv6 (AAAA) records are no longer returned.

Using nslookup:

nslookup google.com

Using dig to query AAAA records explicitly:

dig AAAA google.com

Expected Result: The above commands should not return any IPv6 (AAAA) addresses.

Notes:

• This configuration only filters IPv6 responses from DNS.
• IPv4 (A) record resolution will continue to work normally.
• Ensure the path to filter-aaaa.so is correct for your system.

Home > Zentyal > Zentyal Configuration to Disable IPv6 DNS Responses