On Nov 24, 2016, at 3:54 AM, Trevor Cordes trevor@tecnopolis.ca wrote:

First I found this named option: filter-aaaa-on-v4 (and -v6) "It is intended to help the transition from IPv4 to IPv6 by not giving IPv6 addresses to DNS clients unless they have connections to the IPv6 Internet." Super description and chart here: https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html https://kb.isc.org/article/AA-00576/0/Filter-AAAA-option-in-BIND-9-.html

This came up recently for me in another discussion. As an IPv6 pioneer, I'm fully IPv6 enabled and have been for the last 10 years or so. At some points that has been over HE.net IPv6 tunnels, and more recently that has been native IPv6 access. As I'm my own ISP, and I do my own BGP for myself, the address ranges I use for myself are properly registered and located in Winnipeg, Manitoba so I don't have any issues running Netflix with their latest "war on tunnels". However, for people who have a HE.net IPv6 tunnel (very very common), which has IPv6 space which is registered in the US, this causes issues with netflix when requests start cross countries of apparent origin.

One of the solutions I found that worked quite nicely was to run a separate recursive DNS server for netflix users that had the filter-aaaa-on-* options enabled. Queries for netflix domains are then routed to this DNS server that strips out the AAAA records so that netflix runs only over the IPv4 connection, originating from a Canadian IP keeping netflix happy.

Theodore Baschak - AS395089 - Hextet Systems https://ciscodude.net/ - https://hextet.systems/ http://mbix.ca/