Blocking AAAA (IPv6) Requests


I’m running OpenWRT with dnsmasq on my personal router where I use the generated hostfile.

The Problem: Host names that are blocked by the hostsfile (0.0.0.0 redirect) can be bypassed by AAAA requests.


Background: nslookup google-analytics.com (which is blocked by the hostsfile) on a local machine in my network returns “0.0.0.0” and a remote IPv6 address.

Looking into the log files of the router one could see that the A-Request is blocked by the hostsfile, but the AAAA request is redirected to the remote DNS-Server.


Solution: Shouldn’t we start blocking AAAA (IPv6) requests as well by generating ::1 entries to the existing entries? That would result in a doubled size of the hosts file.

0.0.0.0 www.blocked-host-nr-1.com
0.0.0.0 www.blocked-host-nr-2.com

would become

0.0.0.0 www.blocked-host-nr-1.com
0.0.0.0 www.blocked-host-nr-2.com
::1 www.blocked-host-nr-1.com
::1 www.blocked-host-nr-2.com


Testing: As a “real life test” I applied the mentioned change (adding ::1 entry for every 0.0.0.0 entry). The log files show that within 20 hours there were 49 of the ::1 entries that were blocked (which normally wouldn’t have been).

So this really seems to be a thing to think about.


The point is that I’m not 100% sure if that applies to hosts files on local machines too or if that’s just a dnsmasq thing.

I myself find it necessary to implement the AAAA Blocking as well. For personal use I wrote a script for that. The question is if you want/need to integrate this in your project.

Any ideas or opinions anyone?

Issue Analytics

  • State: open
  • Created 8 years ago
  • Reactions: 1
  • Comments: 16 (7 by maintainers)

Top GitHub Comments

3 reactions
dnmTX commented, May 14, 2018

I know this is an old post but I just want to thank @hd074 for implementing the solution. I recently figured out how to use dnsmasq on my router and noticed that all IPv6 addresses were going through, and I found this post, which saved me a lot of time researching the “how to”. I’m pretty sure that this post would help others like me in the future, so I’ll post how I decided to do it: I basically (due to using two hosts files from different sources) first remove empty lines, comments etc. from both of them, then merge them and remove duplicates if any, and then create an additional identical hosts file for IPv6 only and add it (addn-hosts=) to dnsmasq.conf (the whole process takes about 11 sec., which is not bad). Now dnsmasq reads from two hosts files and so far I didn’t notice any delays when loading pages, which is very good news. I’ll post my little script here just for reference if anyone needs it:

#!/bin/sh

wget https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts -O /media/AiDisk_a1/Hosts/addhosts
wget https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt -O /media/AiDisk_a1/Hosts/windowshosts
# drop comments, empty lines and the non-blocking entries
sed -i '/#/d; /^$/d; /^255/d; /^127/d; /::/d; /^0.0.0.0 0.0./d' /media/AiDisk_a1/Hosts/addhosts
sed -i '/^#/d; /^$/d' /media/AiDisk_a1/Hosts/windowshosts
# remove duplicates and merge both files
awk '!x[$0]++' /media/AiDisk_a1/Hosts/addhosts /media/AiDisk_a1/Hosts/windowshosts > /media/AiDisk_a1/Hosts/hosts
# check again for duplicates in the new "hosts" file
uniq -d /media/AiDisk_a1/Hosts/hosts
# create additional IPv6 hosts file (anchored so only the address column is rewritten)
sed 's/^0\.0\.0\.0/::/' /media/AiDisk_a1/Hosts/hosts > /media/AiDisk_a1/Hosts/IPv6
# prints the number of lines to compare (for testing)
wc -l /media/AiDisk_a1/Hosts/hosts
wc -l /media/AiDisk_a1/Hosts/IPv6
# remove the original files
rm /media/AiDisk_a1/Hosts/addhosts /media/AiDisk_a1/Hosts/windowshosts
# restart dnsmasq
killall dnsmasq && /usr/sbin/dnsmasq
exit 0

THANKS AGAIN TO ALL PARTICIPANTS
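
The transformation proposed in the issue and performed by the script above, as an added example that is not part of the original thread: it appends an IPv6 sink entry only for names that are blocked with 0.0.0.0 and do not already have one, so re-running it on its own output does not grow the file. The function names, the `V6_SINK` variable and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the issue thread. V6_SINK is an assumption: the
# issue proposes ::1, the script in the comment uses :: instead.
V6_SINK="${V6_SINK:-::1}"

# add_v6_sinks FILE: print FILE unchanged, then one "$V6_SINK name" line for
# every hostname sinkholed with 0.0.0.0 that has no IPv6 entry of its own.
add_v6_sinks() {
    awk -v sink="$V6_SINK" '
        { print }                           # original line passes through
        {
            sub(/\r$/, "")                  # tolerate CRLF block lists
            sub(/#.*/, "")                  # ignore comments, full or trailing
            if (NF < 2) next
            if ($1 == "0.0.0.0") {
                for (i = 2; i <= NF; i++)   # a line may carry several names
                    if ($i != "0.0.0.0" && !($i in v4)) { v4[$i] = 1; order[++n] = $i }
            } else if (index($1, ":")) {
                for (i = 2; i <= NF; i++) v6[$i] = 1   # already has an IPv6 answer
            }
        }
        END {
            for (k = 1; k <= n; k++)
                if (!(order[k] in v6)) print sink, order[k]
        }
    ' "$1"
}

# sample_hosts: constructed input covering the cases handled above.
sample_hosts() {
    cat <<'EOF'
# constructed sample block list
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 www.blocked-host-nr-1.com
0.0.0.0 www.blocked-host-nr-2.com tracker.example   # two names, one line
0.0.0.0 www.blocked-host-nr-1.com
::1 tracker.example
EOF
}

tmp="${TMPDIR:-/tmp}/hosts-sample.$$"
sample_hosts > "$tmp"
add_v6_sinks "$tmp"      # appends ::1 lines for the two names that lacked one
rm -f "$tmp"
```

After loading the result, a AAAA lookup for a blocked name against the router should return the sink address rather than being forwarded upstream.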

1 reaction
liamengland1 commented, Feb 24, 2020

stale bot has a typo in template… 14 daysif no (needing space)
