Filter AAAA option in BIND 9
Author: Michael Graff | Reference Number: AA-00576 | Created: 2011-12-22 22:42 | Last Updated: 2017-08-09 21:53

AAAA Filtering

When acting as a resolver, BIND 9 has an option to filter AAAA (IPv6 address) records returned to the client, based on the transport used for the query (IPv4 or IPv6) and other filtering conditions.  This filtering does not affect the recursive queries made by the server (if any) as a result of the client request.

In order to use this filtering, the following conditions must be met:

  • BIND 9 must be compiled with a special build-time option (./configure --enable-filter-aaaa),
  • an options statement to enable it (for example, filter-aaaa-on-v4 yes; and/or filter-aaaa-on-v6 yes;) must be declared in named.conf, and
  • the client must not be blocked in the filter-aaaa ACL (this defaults to any, so this is not generally the case).

If AAAA filtering is active for a given transport, and a query for type AAAA or ANY is received via that transport, then AAAA records will be omitted from the response, UNLESS the response is DNSSEC-signed.

If filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec instead of yes, then AAAA records will be omitted even if they are signed. RRSIG records covering type AAAA will be omitted as well.
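
A named.conf fragment that combines the settings described above, as an added example rather than ISC's own configuration. The ACL name and the addresses (RFC 5737 documentation ranges) are assumptions, and named must have been built with --enable-filter-aaaa for these statements to be accepted.

```conf
// Constructed example: the ACL name and addresses are placeholders
// (RFC 5737 documentation ranges), not values from the article.
acl "v4-only-clients" {
    192.0.2.0/24;
    198.51.100.0/24;
};

options {
    recursion yes;

    // Omit AAAA records from responses to queries that arrive over IPv4,
    // unless the response is DNSSEC-signed.
    filter-aaaa-on-v4 yes;

    // Queries that arrive over IPv6 keep their AAAA records (the default).
    filter-aaaa-on-v6 no;

    // Apply the filter only to these clients. The default is any.
    filter-aaaa { "v4-only-clients"; };

    // Alternative to "yes": also omit signed AAAA records and the RRSIG
    // records covering them. Validating clients can then no longer verify
    // the affected responses.
    // filter-aaaa-on-v4 break-dnssec;
};
```

Neither setting changes the queries named itself sends upstream while resolving; only the response returned to the client is filtered.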


© 2001-2017 Internet Systems Consortium


Feedback 2
  • [Paul Ebersman]: 2013-01-28 15:23

    Should make it clear that this option merely filters responses to clients; it does not limit what queries the recursive server makes to auth servers. I.e., if the hope is to cut down on recursive DNS traffic to the internet for AAAA/ip6.arpa requests, this is not the droid you're looking for.

  • [Brian Conry]: Re: 2013-08-14 21:23

    That is a very good point. Do the most recent edits make that clear?
