# CoreDNS as a plain forwarding resolver with selective AAAA suppression.
#
# Background: the ISP provides no native IPv6, only a Hurricane Electric tunnel.
# HE addresses are flagged as datacenter ranges by some sites (endless CAPTCHAs,
# bot detection). To avoid this, IPv6 (AAAA) resolution is suppressed by default
# so clients use IPv4, while a whitelist keeps AAAA for domains where native
# IPv6 is wanted (our own services reachable over the HE prefix, and any domain
# explicitly trusted over IPv6).
#
# NAT64/DNS64 was tried and removed: it forced most traffic through a userspace
# Tayga translator, capping throughput at ~250 Mbps on the RB-class CPU (line
# rate is 1 Gbps) and adding two containers as a SPOF, all to avoid IPv6 egress
# we don't want in the first place. Plain AAAA suppression achieves the same
# IPv4-preferred outcome with zero datapath overhead.
#
# Caveats: this only affects clients that actually use this resolver; a host
# with a hard-coded upstream or DoH resolver still receives AAAA records and
# will egress over the HE tunnel. Any IPv6-only destination outside the
# whitelist becomes unreachable (see TODO below).
#
# TODO: replace the global template suppression + whitelist with a plugin that
# suppresses AAAA only when the domain has no A record (so IPv6-only
# destinations still work). No such in-tree plugin exists yet.

# Whitelist: domains that keep AAAA resolution (native IPv6 via HE tunnel).
(aaaa_allowed) {
    forward . 1.1.1.1 8.8.8.8 {
        prefer_udp
    }
    cache 300
    errors
    log
}

# Our own zone: services have native IPv6 on the HE prefix, keep AAAA.
# CoreDNS routes a query to the server block with the longest matching zone,
# so names under lumpiasty.xyz never hit the AAAA template in the "." block.
lumpiasty.xyz:53 {
    import aaaa_allowed
}

# Default: forward everything, but suppress AAAA so clients use IPv4 and
# avoid the HE tunnel's datacenter-flagged egress.
# The template plugin runs before forward in CoreDNS's plugin order, so AAAA
# queries are answered here (NOERROR with an empty answer section, i.e. NODATA)
# and never reach the upstreams.
.:53 {
    template IN AAAA {
        rcode NOERROR
    }
    forward . 1.1.1.1 8.8.8.8 {
        prefer_udp
    }
    cache 300
    errors
    log
    reload
    health :8080
}
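The check a practitioner wants after deploying this Corefile is that an AAAA query for an arbitrary name comes back NOERROR with an empty answer section (NODATA), while an AAAA query under the whitelisted zone still returns an address. The script below is an added example, not part of the Corefile or of CoreDNS; it builds and parses raw DNS messages with only the standard library so the parsing can be exercised offline on constructed replies, and the `__main__` section sends live queries to an assumed resolver at `127.0.0.1:53`. The names `example.com` and `lumpiasty.xyz` are used only as the "default" and "whitelisted" cases; whether the second actually carries an AAAA record is assumed.

```python
"""Verify CoreDNS AAAA suppression (added example; assumes resolver on 127.0.0.1:53)."""
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return rcode and the A/AAAA addresses found in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):            # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_AAAA:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        elif rtype == QTYPE_A:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
    return {"rcode": flags & 0xF, "answers": answers}


def classify(resp: dict) -> str:
    """'suppressed' = NODATA as the template block produces; 'answered' = real records."""
    if resp["rcode"] != 0:
        return "error"
    return "suppressed" if not resp["answers"] else "answered"


def query(name: str, qtype: int, server: str = "127.0.0.1", port: int = 53) -> dict:
    """Send one UDP query to the resolver under test and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2.0)
        s.sendto(build_query(name, qtype), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed sample replies (not captured from a real resolver) for offline checks.
_QUESTION = build_query("example.com", QTYPE_AAAA)[12:]
# NODATA: NOERROR, question echoed, no answers, exactly what "template IN AAAA" returns.
SAMPLE_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION
# One AAAA answer (name is a pointer to the question), as a whitelisted zone returns.
SAMPLE_AAAA = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, 1, 300, 16)
               + socket.inet_pton(socket.AF_INET6, "2001:db8::1"))

if __name__ == "__main__":
    for name, expected in (("example.com", "suppressed"), ("lumpiasty.xyz", "answered")):
        got = classify(query(name, QTYPE_AAAA))
        print(f"AAAA {name}: {got} (expected {expected})")
```

Run it on a client that points at the CoreDNS instance; a `suppressed` result for the default case and `answered` for the whitelisted zone confirm both the template and the zone-specific server block are doing their jobs. An `error` for the default case means the template is not matching (rcode other than NOERROR), and `answered` there means the query reached the upstreams.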