Zentyal Configuration to Disable IPv6 DNS Responses

From Notes_Wiki

Home > Zentyal > Zentyal Configuration to Disable IPv6 DNS Responses


Configure Zentyal to Not Return IPv6 Addresses

Objective: Prevent the Zentyal DNS server (BIND) from returning IPv6 (AAAA) records in DNS responses.

Note: This configuration only works if the filter-aaaa.so plugin is present and was built for the BIND version installed on the Zentyal server. filter-aaaa has shipped with BIND as a loadable plugin since 9.14 (on Debian/Ubuntu it lives under /usr/lib/x86_64-linux-gnu/bind/); older releases such as 9.11 do not have it. Check the installed version with `named -V` and confirm the file exists with `ls -l /usr/lib/x86_64-linux-gnu/bind/filter-aaaa.so`. If the plugin is missing or does not match the running BIND, named will refuse to start with the plugin block in place, and AAAA filtering will not work.

Step 1: Update BIND Configuration

Edit the BIND options file on the Zentyal server and add the plugin block at the bottom of the file. Zentyal regenerates this file from its template whenever the DNS module is saved or restarted, so a direct edit here is only a quick way to test the setting; Step 3 makes it permanent.

vim /etc/bind/named.conf.options

Add the following configuration at the end of the file:

plugin query "/usr/lib/x86_64-linux-gnu/bind/filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    # optionally, also filter IPv6 clients:
    # filter-aaaa-on-v6 yes;
    # optionally restrict which clients are filtered:
    # filter-aaaa { any; };
};

Save the file and exit.

Step 2: Restart the BIND Service

Check the generated configuration for syntax errors first (a bad path in the plugin statement will stop named from starting), then restart the BIND service to apply the changes:

named-checkconf

systemctl restart bind9

Step 3: Make the changes persistent across reboot

a) Create the custom stub directory

Zentyal looks for custom templates in /etc/zentyal/stubs/. Create a subdirectory specifically for the DNS module.

sudo mkdir -p /etc/zentyal/stubs/dns

b) Copy the original template

Copy the default Zentyal DNS template (.mas file) to the custom directory so you start from a working configuration.

sudo cp /usr/share/zentyal/stubs/dns/named.conf.options.mas /etc/zentyal/stubs/dns/

c) Edit the custom template

Open the copied template file and insert the plugin block after the closing brace of the options block and before the logging statement, so the end of the template reads as shown below.

sudo vim /etc/zentyal/stubs/dns/named.conf.options.mas

...
    allow-transfer { internal-local-nets; };
};

plugin query "/usr/lib/x86_64-linux-gnu/bind/filter-aaaa.so" {
    filter-aaaa-on-v4 yes;
    //filter-aaaa-on-v6 yes;
    //filter-aaaa { any; };
};

logging { category lame-servers { null; }; };

d) Apply the changes

Restart the Zentyal DNS module so it regenerates /etc/bind/named.conf.options from the custom stub:

sudo zs dns restart

OR reboot the server:

sudo shutdown -r now

Afterwards confirm that the regenerated file actually contains the block:

grep -n filter-aaaa /etc/bind/named.conf.options
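The three parts of Step 3 as one script. This is an added example and not code from the Notes_Wiki page or from Zentyal; it assumes the Debian/Ubuntu plugin path used above and takes the stub paths as parameters (with the Zentyal defaults) so it can be dry-run against a scratch copy of the template. The block is appended only once, so re-running the script after a Zentyal upgrade is safe. Note that the .mas stub is a Mason template, so named-checkconf must be run on the generated /etc/bind/named.conf after `zs dns restart`, not on the stub itself.

```shell
#!/bin/sh
# Added example: install the filter-aaaa plugin block into a custom Zentyal
# DNS stub. Not part of the original page or of Zentyal.
# Assumptions: Debian/Ubuntu plugin path; Zentyal stub locations as defaults.
set -eu

PLUGIN_SO="${PLUGIN_SO:-/usr/lib/x86_64-linux-gnu/bind/filter-aaaa.so}"
ZENTYAL_STUB="${ZENTYAL_STUB:-/usr/share/zentyal/stubs/dns/named.conf.options.mas}"
CUSTOM_STUB="${CUSTOM_STUB:-/etc/zentyal/stubs/dns/named.conf.options.mas}"

# Print the plugin block exactly as it should appear in named.conf.options.
# filter-aaaa-on-v4 yes strips AAAA from answers sent to IPv4 clients unless
# the answer carries DNSSEC signatures; the commented lines are optional.
plugin_block() {
    cat <<EOF
plugin query "$PLUGIN_SO" {
    filter-aaaa-on-v4 yes;
    // filter-aaaa-on-v6 yes;
    // filter-aaaa { any; };
};
EOF
}

# install_filter_aaaa SRC DST
# Copies the stock stub SRC to DST (only if DST does not exist yet, so local
# edits are preserved) and appends the plugin block once. Succeeds when DST
# contains the filter setting afterwards.
install_filter_aaaa() {
    src="$1"
    dst="$2"
    mkdir -p "$(dirname "$dst")"
    [ -e "$dst" ] || cp "$src" "$dst"
    if grep -q 'filter-aaaa.so' "$dst"; then
        echo "plugin block already present in $dst"
    else
        { printf '\n'; plugin_block; } >> "$dst"
        echo "plugin block appended to $dst"
    fi
    grep -q 'filter-aaaa-on-v4' "$dst"
}

# check_plugin_present: named will not start with the block if the .so is
# missing, so refuse to install it in that case.
check_plugin_present() {
    [ -f "$PLUGIN_SO" ]
}

# Usage on the Zentyal server (as root):
#   sh install-filter-aaaa.sh --run && zs dns restart && named-checkconf
if [ "${1:-}" = "--run" ]; then
    check_plugin_present || { echo "missing $PLUGIN_SO" >&2; exit 1; }
    install_filter_aaaa "$ZENTYAL_STUB" "$CUSTOM_STUB"
fi
```

The `--run` guard keeps the functions side-effect free when the file is sourced, which is what makes the dry-run against a temporary directory possible.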

Step 4: Verify DNS Resolution

From any client machine (or from the Zentyal server itself), verify that IPv6 (AAAA) records are no longer returned. Point the query at the Zentyal server explicitly (<zentyal-ip> below stands for its address) so the answer does not come from some other resolver configured on the client.

Using nslookup:

nslookup google.com <zentyal-ip>

Using dig to query AAAA records explicitly, and A records to confirm that IPv4 resolution is unaffected:

dig @<zentyal-ip> AAAA google.com
dig @<zentyal-ip> A google.com

Expected Result: nslookup lists only IPv4 addresses. The AAAA query comes back with status NOERROR and an empty ANSWER section, while the A query still returns addresses. If AAAA records are still present, check that the plugin block survived regeneration (grep filter-aaaa /etc/bind/named.conf.options) and that the query was sent over IPv4: with only filter-aaaa-on-v4 set, clients that reach the server over IPv6 are not filtered.
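A small check script for this step, as an added example that is not part of the original page: it counts AAAA and A records in dig's answer section and reports whether the filter is in effect. The parsing is split into its own function so it can be exercised on constructed dig output; the `<zentyal-ip>` argument is whatever address the Zentyal resolver listens on.

```shell
#!/bin/sh
# Added example (not from the Notes_Wiki page): verify that a resolver
# returns no AAAA records while A records still resolve.
set -eu

# count_rrtype TYPE: read `dig +noall +answer` output on stdin and print the
# number of records of the given type. Field 4 of an answer line is the type
# (name, ttl, class, type, rdata); lines starting with ';' are comments.
count_rrtype() {
    awk -v t="$1" '$1 !~ /^;/ && $4 == t { n++ } END { print n + 0 }'
}

# verify_no_aaaa SERVER NAME
# Exit 0 when SERVER answers NAME with zero AAAA records and at least one A
# record, which is the expected state after enabling filter-aaaa-on-v4.
# The queries are forced over IPv4 (-4) because the page's configuration
# only filters IPv4 clients.
verify_no_aaaa() {
    server="$1"
    name="$2"
    aaaa=$(dig -4 @"$server" "$name" AAAA +noall +answer | count_rrtype AAAA)
    a=$(dig -4 @"$server" "$name" A +noall +answer | count_rrtype A)
    echo "$name via $server: A=$a AAAA=$aaaa"
    [ "$aaaa" -eq 0 ] && [ "$a" -ge 1 ]
}

# Usage:  sh verify-no-aaaa.sh <zentyal-ip> google.com
if [ $# -eq 2 ]; then
    verify_no_aaaa "$1" "$2"
fi
```

Run it once before and once after Step 3 to see the AAAA count drop to zero while the A count stays the same.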


Notes:

  • This configuration only filters IPv6 (AAAA) records from DNS responses; it does not disable IPv6 on the hosts themselves, and clients that use another resolver (or DNS over HTTPS) bypass it.
  • IPv4 (A) record resolution will continue to work normally.
  • With `filter-aaaa-on-v4 yes`, answers that carry DNSSEC signatures (a DO-bit query against a signed zone) are left intact so that validation is not broken; set it to `break-dnssec` if those must be filtered as well.
  • Only IPv4 clients are filtered unless `filter-aaaa-on-v6` is also enabled.
  • Ensure the path to filter-aaaa.so is correct for your system; a wrong path prevents named from starting.

