50 lines
1.7 KiB
Plaintext
# CoreDNS as a plain forwarding resolver with selective AAAA suppression.
#
# Background: the ISP provides no native IPv6, only a Hurricane Electric tunnel.
# HE addresses are flagged as datacenter ranges by some sites (endless CAPTCHAs,
# bot detection). To avoid this, IPv6 (AAAA) resolution is suppressed by default
# so clients use IPv4, while a whitelist keeps AAAA for domains where native
# IPv6 is wanted (our own services reachable over the HE prefix, and any domain
# explicitly trusted over IPv6).
#
# NAT64/DNS64 was tried and removed: it forced most traffic through a userspace
# Tayga translator, capping throughput at ~250 Mbps on the RB-class CPU (line
# rate is 1 Gbps) and adding two containers as a SPOF — all to avoid IPv6 egress
# we don't want in the first place. Plain AAAA suppression achieves the same
# IPv4-preferred outcome with zero datapath overhead.
#
# TODO: replace the global template suppression + whitelist with a plugin that
# suppresses AAAA only when the domain has no A record (so IPv6-only
# destinations still work). No such in-tree plugin exists yet.

# Whitelist: domains that keep AAAA resolution (native IPv6 via HE tunnel).
(aaaa_allowed) {
    forward . 1.1.1.1 8.8.8.8 {
        prefer_udp
    }
    cache 300
    errors
    log
}

# Our own zone: services have native IPv6 on the HE prefix, keep AAAA.
lumpiasty.xyz:53 {
    import aaaa_allowed
}

# Default: forward everything, but suppress AAAA so clients use IPv4 and
# avoid the HE tunnel's datacenter-flagged egress.
.:53 {
    template IN AAAA {
        rcode NOERROR
    }
    forward . 1.1.1.1 8.8.8.8 {
        prefer_udp
    }
    cache 300
    errors
    log
    reload
    health :8080
}
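The following is an added Python model of the decision the two server blocks above make, not part of the Corefile or of CoreDNS itself: an AAAA query outside the whitelisted zone gets an empty NOERROR reply (what `template IN AAAA { rcode NOERROR }` produces), everything else goes to the upstream forwarder. The forwarder is an injected callable so it runs offline; the exact flag bits CoreDNS sets on the template reply are an assumption (QR, RD echoed, RA), and the parser assumes an uncompressed question name, which is what a client query carries.

```python
import struct
from typing import Callable, Sequence

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int, ident: int = 0x1234) -> bytes:
    """Constructed test input: a minimal recursive query in DNS wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def header(msg: bytes) -> tuple:
    """(ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) of a wire message."""
    return struct.unpack("!6H", msg[:12])


def parse_question(msg: bytes):
    """Return (qname, qtype, raw question bytes) for the first question."""
    if header(msg)[2] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        if n & 0xC0:  # assumption: client queries carry no compression pointers
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1  # skip the root label
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype, msg[12:pos + 4]


def empty_noerror(query: bytes, question: bytes) -> bytes:
    """Reply the AAAA template yields: RCODE 0, no answer, question echoed.
    Flag bits (QR, RD copied, RA) are an assumption about CoreDNS's output."""
    ident, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!6H", ident, 0x8080 | (flags & 0x0100), 1, 0, 0, 0) + question


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def handle(query: bytes, aaaa_zones: Sequence[str], forward: Callable[[bytes], bytes]) -> bytes:
    """Mirror the Corefile: AAAA outside whitelisted zones is suppressed,
    everything else (A, and AAAA inside the zone) is forwarded upstream."""
    qname, qtype, question = parse_question(query)
    if qtype == QTYPE_AAAA and not any(in_zone(qname, z) for z in aaaa_zones):
        return empty_noerror(query, question)
    return forward(query)
```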