[Pdns-users] LUA for "filter-aaaa-on-v4"
Djerk Geurts
djerk at maizymoo.com
Mon Oct 30 10:21:44 UTC 2023
> On 30 Oct 2023, at 09:50, Brian Candler <b.candler at pobox.com> wrote:
>
> On 30/10/2023 09:10, Djerk Geurts via Pdns-users wrote:
>>
>> You're right that once dual stack is enabled on parts of the network and in clients, then we'll need to be mindful of this. But, I would expect most dual stack clients to default to querying DNS using IPv6. In fact as we control the client IP addressing, we can ensure to convert DNS server settings to IPv6 when enabling dual stack.
>
> DHCP(v4) can only give out IPv4 DNS server addresses. Therefore, your dual-stack clients will end up learning about both v4 and v6 DNS servers, and you cannot control which they use. You can *hope* that they will prefer the IPv6 ones, but you can't enforce it.
>
> I can't really see what problem you're trying to solve. Do you have evidence that certain client OSes are making DNS requests for AAAA addresses even when they don't have an IPv6 address? If so, have you measured the amount of extra network traffic or DNS recursor load these are generating, and is this significant in the overall picture?
That’s a fair point. I guess my thinking was to clean up the DNS caches a bit as I see a fair bit of AAAA recorded on the firewalls which resolve FQDNs and don’t need to waste memory on that. As for the servers, they have a local IPv6 address, so in essence are dual stack as IPv6 is mostly not disabled on the sysctl level. But no IPv6 traffic is seen on the network, nor is the network configured for it.
As for the extra traffic due to AAAA requests, I expect this to be minimal. You’re probably right in your assessment that I’m trying to swat a fly with an elephant! Sometimes voicing an idea is required to realise the futility of the initial thought...
>
> Furthermore, even for IPv4-only single stack clients, it seems to me you are going to create more problems than you solve by trying to mess with this: it's a case of an unnecessary "optimisation". If you drop the requests you will force the clients to retry, which could add several seconds of latency before they give up. But if you respond to them, you might as well give the valid response to the query they asked for.
Thank you for your input.
Incidentally all production machines use static IPs, not DHCP in this particular deployment, but that doesn’t take much away from your valid input.
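The two points raised in the thread (measure first, and never drop a query that you could answer) fit naturally into a PowerDNS Recursor `preresolve` Lua hook. The following is an added example, not code from the thread or from the PowerDNS project; the client prefixes, the metric name and the `answerNodata` switch are assumed placeholders for an operator's own values.

```lua
-- Added example for the PowerDNS Recursor Lua hook (loaded via lua-dns-script).
-- Assumed: the prefixes below are placeholders for your own IPv4-only client ranges.

-- Clients known to be IPv4-only (constructed placeholder prefixes).
local v4OnlyClients = newNMG()
v4OnlyClients:addMasks({"192.0.2.0/24", "198.51.100.0/24"})

-- Phase 1: only count. Flip to true only once the counter shows the
-- AAAA load from these clients is actually significant.
local answerNodata = false

-- Exposed in the recursor's metrics (rec_control get / prometheus) so the
-- "have you measured it?" question can be answered with data.
local aaaaFromV4 = getMetric("aaaa-from-v4-only-clients")

function preresolve(dq)
  -- Only AAAA questions are of interest.
  if dq.qtype ~= pdns.AAAA then
    return false
  end

  -- dq.remoteaddr is a ComboAddress; a query arriving over IPv6 transport
  -- comes from a dual-stack host and is always resolved normally.
  local remote = dq.remoteaddr
  if not remote:isIPv4() or not v4OnlyClients:match(remote) then
    return false
  end

  aaaaFromV4:inc()

  if not answerNodata then
    -- Measurement mode: let the recursor resolve and answer as usual.
    return false
  end

  -- Never drop the query: a dropped query makes the stub resolver retry
  -- and wait. An empty NOERROR answer (NODATA) is accepted immediately.
  dq.rcode = pdns.NOERROR
  -- The answer depends on who asked, so keep it out of the packet cache.
  dq.variable = true
  return true
end
```

Leave `answerNodata` at `false` until the `aaaa-from-v4-only-clients` counter justifies the change; as the thread notes, for most deployments it will not.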