--- /dev/null
+[[!meta title="Blocking IPv6 DNS queries to remote servers"]]
+
+I've run into an "interesting" issue with DNSWL (a great
+whitelisting/blacklisting service) recently. As part of their DNS
+query abuse/freeloading mitigation, [DNSWL blocks DNS queries (or
+returns results that marks all hosts as high-confidence non-spam
+sources) for hosts which repeatedly exceed reasonable query
+limits](https://www.dnswl.org/?p=120) to help funnel large users to
+their subscription service.
+
+Requests from my mail host to dnswl via IPv6 started to trigger the
+more serious mitigation where DNSWL returns bogus results (every
+result is high confidence that it is not spam).
+
+It appears that they are binning requests via IPv6 into large blocks
+(/64 or larger). As my mail host runs in a larger hosting provider's
+network, all of the DNS requests in that block are binned together,
+and exceed the limits, resulting in bogus results.
+
+Bind has an interesting feature where you can [mark certain DNS
+servers as "bogus" to ignore query results from
+them.](https://bind9.readthedocs.io/en/v9_16_6/reference.html#server-statement-definition-and-usage).
+Using this feature, we can ignore the dnswl IPv6 servers which are
+returning bad results, and only use IPv4 to contact them:
+
+```
+server 2a01:7e00:e000:293::a:1000 { bogus yes; };
+server 2607:5300:201:3100::3e79 { bogus yes; };
+server 2600:3c01::21:1faa { bogus yes; };
+server 2a01:4f8:c2c:52e::feed { bogus yes; };
+server 2400:8901::f03c:91ff:fee9:a89 { bogus yes; };
+server 2a01:4f8:1c0c:708f::53 { bogus yes; };
+```
+
+Hope that helps anyone else (and future me) running into this issue.
+
+
+[[!tag dns ipv6]]
projects / don.git / blobdiff