Unbound DNS64 disable AAAA synthesis for specific domains

I use unbound for DNS64. For the localdomain it correctly does not synthesize AAAA records for local IPv4 machines, which is good IMO. However, I have some more private domains in use. I have connected several routers using wireguard as a site-to-site VPN. For these domains I set up forwarding and everything seems to work all right. But the unbound server seems to create the synthetic AAAA records for IPv4-only hosts in these remote sites. Can I disable that?
And out of curiosity, can I do the opposite -- force the synthesized addresses for localdomain?

There’s an Unbound option dns64-ignore-aaaa:


I think that's almost the opposite of what I want. This will force AAAA synthesis even for records that actually have real AAAA records.

But as you can also see, Unbound offers few options for the dns64 module. You might get better answers on the unbound-users mailing list.

Many years ago people used this Python script with Unbound.

Not sure if that is the best way, but you can probably try the following approach:

  • Configure dnsmasq to stop providing AAAA responses completely or just for specific domain(s)
  • Configure unbound to use dnsmasq for the same domain(s)

Not sure if we understand each other. I am fine with "real" AAAA records. I want to prevent the dns64 module of the unbound server from creating "fake" AAAA records out of A records for my internal networks.

I have a remote site, let's call it remote-site., connected to my local network via wireguard. I set up forwarding in the unbound server to the dnsmasq server running on the router of the remote-site.. Forwarding works. But when I try to ping ip4-only-host.remote-site. it starts to ping a "fake" IPv6 address (an address derived using the nat64 prefix and the IPv4 address). The dnsmasq of the remote site does not return an AAAA record; it only returns an A record. The dns64 module of the unbound server makes up the "fake" AAAA record, however.

Note that for localdomain it works as expected: if I ping ipv4-only-host.localdomain. it does not ping a "fake" IPv6 address.

I even tried consulting the Gemini 2.5 Pro AI.
Please do not shoot me.
I take everything it says with a grain of salt the size of Mt. Everest.
First it told me to use dns64-ignore-aaaa, which is obviously nonsense.

Then it told me something about "tags/views". I might use views to bypass dns64 for some domain, if the AI is not making shit up. But that would mean I would probably need to completely bypass UCI and create the unbound config manually.

Especially when it comes to OpenWrt, AI is making shit up.
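For anyone who wants to see exactly what the dns64 module does with an A record, and what the missing per-domain exclusion would look like, here is an added example (not code from the thread, from Unbound or from the Python script mentioned above): RFC 6052 synthesis plus the reverse check, with the well-known 64:ff9b::/96 prefix assumed and a constructed exclusion list that mirrors the local and remote domains in the thread.

```python
import ipaddress
from typing import List, Optional

# Assumed: the well-known NAT64 prefix; the thread does not say which prefix is in use.
NAT64_PREFIX = "64:ff9b::/96"
# Constructed: domains whose A records must not be turned into synthetic AAAA records.
NO_SYNTH_DOMAINS = ("localdomain.", "remote-site.")

def in_excluded_domain(qname: str) -> bool:
    """True if qname is at or below one of NO_SYNTH_DOMAINS (compared as FQDNs)."""
    q = qname.lower().rstrip(".") + "."
    return any(q == d or q.endswith("." + d) for d in NO_SYNTH_DOMAINS)

def synthesize(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """RFC 6052 embedding: IPv4 bytes follow the prefix, skipping the reserved 'u' octet."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 prefix length must be 32, 40, 48, 56, 64 or 96")
    out = bytearray(net.network_address.packed)  # prefix bits set, everything else zero
    pos = net.prefixlen // 8
    for b in ipaddress.IPv4Address(v4).packed:
        if pos == 8:  # byte 8 (bits 64-71) must stay zero
            pos += 1
        out[pos] = b
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract_ipv4(prefix: str, v6: str) -> Optional[ipaddress.IPv4Address]:
    """Reverse check: the embedded IPv4 address if v6 is synthetic under prefix, else None."""
    net, addr = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(v6)
    raw = addr.packed
    if addr not in net or (net.prefixlen < 96 and raw[8] != 0):
        return None
    pos, v4 = net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))

def dns64_answer(qname: str, aaaa: List[str], a: List[str],
                 prefix: str = NAT64_PREFIX) -> List[ipaddress.IPv6Address]:
    """Real AAAA records win; otherwise synthesize from A, unless the name is excluded."""
    if aaaa:
        return [ipaddress.IPv6Address(x) for x in aaaa]
    if in_excluded_domain(qname):
        return []
    return [synthesize(prefix, x) for x in a]
```

The reverse check is what you would run over a resolver's answers to tell a synthetic AAAA from a real one, which is how to confirm which records are coming from the dns64 module and which from the forwarded zone.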