[Dnsmasq-discuss] Using dnsmasq to fake non-existence of IPv6 AAAA records

Sachin Garg s.garg.computer at gmail.com
Thu Jun 16 21:07:48 BST 2016


Hi all,

I have a possibly not-so-unique use case to send an NXDOMAIN answer to
clients that query for an AAAA record for a specific domain. I am
running dnsmasq on an OpenWRT router.

Elaborating on the problem:
1. I have IPv6 connectivity through an HE.net (Hurricane Electric) tunnel
2. Netflix has blocked access to their content via IPv6 emanating from
HE.net
3. The result: I am unable to access Netflix on my iDevices. However, my
old Roku (that possibly does not support IPv6) works fine. This is why I
know that the problem is IPv6 related.

Proposed solutions:
1. On scouring the net, I found one of the solutions being to null-route
the Netflix IPv6 blocks, forcing my devices to try and connect via IPv4.
However, the Netflix IPv6 block actually is part of a larger AWS block,
so that means going without IPv6 for also many other AWS services.
(Aside: wondering why a large company like Netflix cannot get its own
IPv6 prefix?)

So, the alternative I am thinking of is to let my router's DNS server
(dnsmasq) lie about the non-existence of AAAA records for *.netflix.com.
Is there a way to make that happen? I have been able to block netflix by
using:

address=/netflix.com/127.0.0.1
address=/netflix.com/::1

However, just using:

address=/netflix.com/::1

breaks it for IPv4 also.

So, any ideas as to how to do finer grained DNS filtering?

Thanks,
Sachin
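The behaviour described in the post (two address= lines block both families, a single IPv6 address= line also breaks A lookups) can be reasoned about before touching the router. The script below is an added example from the editor, not code from the post or from the dnsmasq project. It assumes the model the dnsmasq manual gives for --address: a name covered by an address= line is never forwarded upstream, a query type that has a configured address of that family is answered locally, and any other query type gets an empty (NODATA) answer. Domain matching is assumed to be suffix-based with the most specific configured domain winning and `/#/` as a catch-all; the sample configurations are the two quoted in the post.

```python
"""Predict how dnsmasq answers A and AAAA queries under address= lines.

Added example, not from the mailing-list post. Model assumed here, taken
from the dnsmasq manual's description of --address: names covered by an
address= line are never forwarded upstream; a query type that has a
configured address of that family is answered locally, and any other
query type gets an empty (NODATA) answer. The post's observation that
address=/netflix.com/::1 alone breaks IPv4 is exactly that second case.
"""
from ipaddress import ip_address


def parse_address_lines(config_text):
    """Collect address= lines into {domain: {'A': [...], 'AAAA': [...]}}.

    A domain given with no address at all (address=/example.com/) is
    recorded with two empty lists, which predict() reports as NODATA.
    """
    table = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("address="):
            continue                      # comments and other options
        parts = line[len("address="):].split("/")
        # "/netflix.com/::1" -> ['', 'netflix.com', '::1']
        if len(parts) < 3 or parts[0] != "":
            raise ValueError(f"malformed address line: {raw!r}")
        addr = parts[-1]
        for dom in parts[1:-1]:
            entry = table.setdefault(dom.lower().rstrip("."), {"A": [], "AAAA": []})
            if addr:
                family = "AAAA" if ip_address(addr).version == 6 else "A"
                entry[family].append(addr)
    return table


def matching_domain(table, qname):
    """Most specific configured domain covering qname; '#' is the catch-all."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # try the longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return "#" if "#" in table else None


def predict(table, qname, qtype):
    """Return ('forward', None), ('local', [addrs]) or ('nodata', None)."""
    if qtype not in ("A", "AAAA"):
        raise ValueError("only A and AAAA are modelled")
    dom = matching_domain(table, qname)
    if dom is None:
        return ("forward", None)          # not covered: goes upstream
    addrs = table[dom][qtype]
    return ("local", list(addrs)) if addrs else ("nodata", None)


def report(config_text, queries):
    """Run predict() over (qname, qtype) pairs; returns 4-tuples."""
    table = parse_address_lines(config_text)
    return [(qname, qtype) + predict(table, qname, qtype) for qname, qtype in queries]


# Constructed inputs: the two configurations quoted in the post.
CONFIG_BLOCK_BOTH = "address=/netflix.com/127.0.0.1\naddress=/netflix.com/::1\n"
CONFIG_V6_ONLY = "address=/netflix.com/::1\n"
QUERIES = [("www.netflix.com", "A"), ("www.netflix.com", "AAAA"), ("example.org", "A")]

if __name__ == "__main__":
    for label, cfg in (("both families", CONFIG_BLOCK_BOTH), ("IPv6 only", CONFIG_V6_ONLY)):
        print(f"--- {label} ---")
        for qname, qtype, outcome, addrs in report(cfg, QUERIES):
            print(f"{qname:20} {qtype:5} {outcome:8} {addrs or ''}")
```

Under this model the IPv6-only configuration yields NODATA for an A query on any netflix.com name, which is the "breaks IPv4 also" symptom: the domain is captured locally for every query type, not just AAAA. The prediction is only as good as the assumed model, so confirm it against the running router with `dig A www.netflix.com` and `dig AAAA www.netflix.com` pointed at the dnsmasq instance.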