From 3d90748dd3d1589c63b1aa7038d56dc8d9296247 Mon Sep 17 00:00:00 2001 From: Don Armstrong Date: Thu, 30 Jun 2022 07:52:36 -0700 Subject: [PATCH] add post about blocking ipv6 queries --- posts/dnswl_ipv6_blocking.mdwn | 38 ++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 posts/dnswl_ipv6_blocking.mdwn diff --git a/posts/dnswl_ipv6_blocking.mdwn b/posts/dnswl_ipv6_blocking.mdwn new file mode 100644 index 0000000..c38fce4 --- /dev/null +++ b/posts/dnswl_ipv6_blocking.mdwn 
@@ -0,0 +1,38 @@ +[[!meta title="Blocking IPv6 DNS queries to remote servers"]] + +I've run into an "interesting" issue with DNSWL (a great +whitelisting/blacklisting service) recently. As part of their DNS +query abuse/freeloading mitigation, [DNSWL blocks DNS queries (or +returns results that marks all hosts as high-confidence non-spam +sources) for hosts which repeatedly exceed reasonable query +limits](https://www.dnswl.org/?p=120) to help funnel large users to +their subscription service. + +Requests from my mail host to dnswl via IPv6 started to trigger the +more serious mitigation where DNSWL returns bogus results (every +result is high confidence that it is not spam). + +It appears that they are binning requests via IPv6 into large blocks +(/64 or larger). As my mail host runs in a larger hosting provider's +network, all of the DNS requests in that block are binned together, +and exceed the limits, resulting in bogus results. + +Bind has an interesting feature where you can [mark certain DNS +servers as "bogus" to ignore query results from +them.](https://bind9.readthedocs.io/en/v9_16_6/reference.html#server-statement-definition-and-usage). +Using this feature, we can ignore the dnswl IPv6 servers which are +returning bad results, and only use IPv4 to contact them: + +``` +server 2a01:7e00:e000:293::a:1000 { bogus yes; }; +server 2607:5300:201:3100::3e79 { bogus yes; }; +server 2600:3c01::21:1faa { bogus yes; }; +server 2a01:4f8:c2c:52e::feed { bogus yes; }; +server 2400:8901::f03c:91ff:fee9:a89 { bogus yes; }; +server 2a01:4f8:1c0c:708f::53 { bogus yes; }; +``` + +Hope that helps anyone else (and future me) running into this issue. + + +[[!tag dns ipv6]] -- 2.39.2
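Review bot: the six `server <addr> { bogus yes; };` entries are hard-coded with no indication of where the addresses came from or that the list goes stale when DNSWL changes its nameservers; suggest a sentence before the block stating that these are the IPv6 (AAAA) addresses of the dnswl.org nameservers at the time of writing and should be re-checked against the current NS records before copying, since a stale entry silently stops doing anything while a new IPv6 address would again hit the rate-limited path. Worth stating too that `bogus yes` is global in BIND, so it affects every query the resolver would send to those addresses, not only dnswl lookups. Minor: `them.](https://...).` leaves a doubled period after the link, the fenced block has no language tag, and "results that marks all hosts" should read "results that mark all hosts".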