Bind9 DNS: Follow the IPv6 Filter

Yes, I’m an IPv6 fan and I strive to reach a good balance between running my self-hosted services on an IPv4 / IPv6 dual-stack and simplicity of configuration and maintenance. One service that had some issues with IPv6 in the past was OpenVPN. Perhaps things have gotten better, but when I first installed the service many years ago, getting IPv6 through the tunnel just didn’t work. So I have an IPv4-only OpenVPN server at home, and I have to make sure there is no IPv6 ‘leakage’ outside the tunnel when the local connectivity offers IPv6.

The answer to the problem was to install the bind9 DNS server and push configuration to client devices during VPN tunnel establishment so that they use only this DNS server. To prevent IPv6 leakage, I configured that DNS server to send empty responses to AAAA requests: a client that never learns an IPv6 address for a name will connect over IPv4 through the tunnel. Note that this only plugs the leak for names the client resolves through that server; IPv6 literals, and clients that quietly use another resolver, are not covered. The fun part: this seems to be an ‘unloved’ feature in bind9, and so the way it is configured has changed with every Ubuntu OS upgrade I have made. So here’s how to configure bind9 to send empty answers to IPv6 AAAA requests:

On Ubuntu 18.04, the world was still simple. All that was required was to insert the following statement in the options block in /etc/bind/named.conf.options (the option only exists if the package was compiled with filter-aaaa support, which was evidently the case for Ubuntu’s build):

filter-aaaa-on-v4 yes;

In the bind9 version that came with Ubuntu 20.04, the functionality was moved into a loadable plugin module. In addition, distributions were free to omit the module at compile time, in which case one would have to remove the packaged bind9, download the source, and compile and maintain it by hand. It was fun doing that on a Raspberry Pi once. Fortunately, this wasn’t necessary for Ubuntu 20.04. Slightly confusingly, though, the configuration moved to another file, /etc/bind/named.conf, where the plugin statement goes at the top level (or inside a view), not inside the options block:

plugin query "/usr/lib/x86_64-linux-gnu/named/filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa-on-v6 yes;
};

After upgrading to Ubuntu 22.04, bind9 again refused to start and left a note in the syslog that filter-aaaa.so could not be loaded. And sure enough, that directory was gone. I was worried for a minute, but a quick find for filter-aaaa.so revealed that the loadable module had moved to a different directory, so only the path in the plugin statement had to change:

plugin query "/usr/lib/x86_64-linux-gnu/bind/filter-aaaa.so" {
        filter-aaaa-on-v4 yes;
        filter-aaaa-on-v6 yes;
};
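Since the three variants above differ only in where the plugin lives, the following script (an added example, not part of the original post) locates filter-aaaa.so wherever the distribution’s package installed it, prints the matching plugin stanza for /etc/bind/named.conf, and checks with dig that a running named really returns an empty AAAA answer. The library root, the query name www.example.org and the dig output format it parses are assumptions; the option names and the values yes and break-dnssec are BIND’s own.

```bash
#!/bin/sh
# Added example (not from the original post): locate BIND's filter-aaaa plugin,
# emit the matching named.conf stanza and verify that AAAA answers are empty.
set -eu

# Print the first filter-aaaa.so below the given library root (default /usr/lib,
# an assumption that fits Debian/Ubuntu); return 1 if the package did not ship it.
find_filter_aaaa() {
    root="${1:-/usr/lib}"
    so=$(find "$root" -name filter-aaaa.so -type f 2>/dev/null | head -n 1)
    [ -n "$so" ] || return 1
    printf '%s\n' "$so"
}

# Emit the plugin stanza for named.conf. mode is "yes" (strip AAAA unless the
# response carries DNSSEC signatures, BIND's documented semantics) or
# "break-dnssec" (strip AAAA regardless, at the price of failing validation).
plugin_stanza() {
    so="$1"
    mode="${2:-yes}"
    printf 'plugin query "%s" {\n' "$so"
    printf '        filter-aaaa-on-v4 %s;\n' "$mode"
    printf '        filter-aaaa-on-v6 %s;\n' "$mode"
    printf '        filter-aaaa { any; };\n'   # ACL of clients to filter; any is the default
    printf '};\n'
}

# Read dig output (from "dig ... +noall +comments +answer") on stdin and return 0
# only if the response was NOERROR and carried no AAAA record, i.e. the filter
# is working for that name. A SERVFAIL or a present AAAA record both fail.
aaaa_filtered() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+AAAA[[:space:]]'; then
        return 1
    fi
    return 0
}

# Usage on the resolver host (needs dig from dnsutils and a running named):
#   so=$(find_filter_aaaa) && plugin_stanza "$so" >> /etc/bind/named.conf
#   named-checkconf /etc/bind/named.conf && systemctl restart named
#   dig @127.0.0.1 www.example.org AAAA +noall +comments +answer | aaaa_filtered \
#       && echo "AAAA filtered" || echo "AAAA leaking"
```

Two practical caveats: with the value yes, BIND deliberately leaves AAAA records in place when the response is DNSSEC-signed and the client asked for signatures (DO bit), so a validating client can still obtain an IPv6 address for a signed zone; break-dnssec closes that gap but makes such answers fail validation on the client. And run named-checkconf before restarting, so that a wrong plugin path or a typo is reported without taking the resolver down.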

Seriously? Hm, it makes me wonder what the directory will be called in Ubuntu 24.04. Maybe they will notice that they forgot the ‘9’ after bind and add it then, just to make life fun. Sorry for the slightly sarcastic tone, but having to change a configuration option in each new long-term support version of the OS is not funny.