BIND 9.3.1 - How to get rid of AAAA queries?

Jeremy Chadwick koitsu at FreeBSD.org
Wed Sep 12 15:03:53 PDT 2007


On Wed, Sep 12, 2007 at 09:45:21PM +0200, Andreas Pettersson wrote:
> When looking in the querylog for BIND 9.3.1 running on FreeBSD 5.4, almost 
> every other log entry specifies an AAAA query. The only client is 
> localhost. I see no reason right now to have BIND wasting resources on IPv6 
> requests, so I added
>
> named_flags="-4"
>
> to rc.conf and restarted named. Sockstat tells me named is listening only 
> on udp4 and tcp4, but I still get lots of AAAA entries in the querylog:
>
> 12-Sep-2007 21:40:47.129 client 127.0.0.1#60103: query: smtp.secureserver.net IN AAAA +
> 12-Sep-2007 21:40:47.648 client 127.0.0.1#64489: query: smtp.where.secureserver.net IN AAAA +
> 12-Sep-2007 21:40:47.847 client 127.0.0.1#61673: query: smtp.secureserver.net IN A +
> 12-Sep-2007 21:40:47.869 client 127.0.0.1#53040: query: mailstore1.secureserver.net IN AAAA +
> 12-Sep-2007 21:40:47.871 client 127.0.0.1#54473: query: mailstore1.secureserver.net IN A +
> 12-Sep-2007 21:40:58.261 client 127.0.0.1#58124: query: 120.86.248.87.in-addr.arpa IN PTR +
> 12-Sep-2007 21:40:58.340 client 127.0.0.1#56511: query: static-ip-87-248-86-120.promax.media.pl IN AAAA +
> 12-Sep-2007 21:40:58.410 client 127.0.0.1#61212: query: static-ip-87-248-86-120.promax.media.pl IN A +
>
> What can I do to get rid of these?

I'm not sure you can.  This is how I understand it:

The -4 switch just tells BIND, as a daemon, to only bind to/utilise IPv4
interfaces on your system.  That means named -4 will only listen on IPv4
addresses (e.g. 127.0.0.1) and not things like ::1.

That's completely separate from what *DNS records* BIND will see queries
for -- you have no control over those.  People can ask you for any type
of DNS record (A, AAAA, MX, CNAME, NS, TXT, whatever...) and your daemon
will respond for things it's authoritative for (or do recursive queries
if configured to do so).

In English: -4 won't completely remove IPv6-specific zone
data/capability from BIND, it'll just cause the actual daemon to not
bind to an IPv6 interface.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
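
Added example, not part of the original message: a small Python parser for querylog lines in the format quoted above, tallying query types by the address family of the client's transport. It makes the distinction in the reply visible: AAAA is a record type that arrives over IPv4, which is what -4 restricts. The function names and the final ::1 sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First five lines are taken from the querylog quoted in the thread;
# the last line (client ::1) is constructed to show the IPv6-transport case.
SAMPLE_LOG = """\
12-Sep-2007 21:40:47.129 client 127.0.0.1#60103: query: smtp.secureserver.net IN AAAA +
12-Sep-2007 21:40:47.847 client 127.0.0.1#61673: query: smtp.secureserver.net IN A +
12-Sep-2007 21:40:47.869 client 127.0.0.1#53040: query: mailstore1.secureserver.net IN AAAA +
12-Sep-2007 21:40:47.871 client 127.0.0.1#54473: query: mailstore1.secureserver.net IN A +
12-Sep-2007 21:40:58.261 client 127.0.0.1#58124: query: 120.86.248.87.in-addr.arpa IN PTR +
12-Sep-2007 21:41:02.010 client ::1#50000: query: example.org IN AAAA +
"""

# client <addr>#<port>: query: <name> <class> <type> <flags>
LINE_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_querylog(text):
    """Yield (transport, qname, qtype) per query line; skip unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            # Drop an IPv6 zone id (fe80::1%em0) before parsing the address.
            addr = ipaddress.ip_address(m["addr"].split("%")[0])
        except ValueError:
            continue
        yield f"IPv{addr.version}", m["name"].lower(), m["qtype"].upper()

def tally(text):
    """Count queries per (transport family, record type) pair."""
    return Counter((t, q) for t, _, q in parse_querylog(text))

def aaaa_over_ipv4(text):
    """Names requested as AAAA by clients that reached named over IPv4."""
    return sorted({n for t, n, q in parse_querylog(text)
                   if t == "IPv4" and q == "AAAA"})

if __name__ == "__main__":
    for (transport, qtype), count in sorted(tally(SAMPLE_LOG).items()):
        print(f"{transport:5} {qtype:5} {count}")
    print("AAAA over IPv4:", aaaa_over_ipv4(SAMPLE_LOG))
```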


