[Dnsmasq-discuss] Why not merge filter-A/AAAA into filter-rr
moistice at riseup.net
Wed Jul 23 09:52:29 UTC 2025
--filter-A
    Remove A records from answers. No IPv4 addresses will be returned.

--filter-AAAA
    Remove AAAA records from answers. No IPv6 addresses will be returned.

--filter-rr=<rrtype>[,<rrtype>...]
    Remove records of the specified type(s) from answers. The
    otherwise-nonsensical --filter-rr=ANY has a special meaning: it filters
    replies to queries for type ANY. Everything other than A, AAAA, MX and
    CNAME records is removed. Since ANY queries with forged source
    addresses can be used in DNS amplification attacks (replies to ANY
    queries can be large) this defangs such attacks, whilst still supporting
    the one remaining possible use of ANY queries. See RFC 8482 para 4.3 for
    details.
If you add those 2 lines to dnsmasq.conf:

filter-AAAA
filter-rr=AAAA,MX,TXT

I expect dnsmasq to filter out 3 RRs, but one may think "filter-AAAA"
overrides "filter-rr" and vice versa.

Why not deprecate filter-A/AAAA and encourage users to switch to
filter-rr for clarity?
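The following is an added model of the filtering behaviour documented above, not dnsmasq's own code: it reads the poster's two config lines (plus filter-rr=ANY to exercise the documented ANY special case), reports the effective set of filtered types and any type named both ways, and applies that to a constructed answer set. It assumes filter-A/AAAA and filter-rr combine additively, which is the poster's expectation rather than something the thread confirms.

```python
# Assumption: filter-A/AAAA and filter-rr add up (poster's expectation, unverified).
# Per the man page, with filter-rr=ANY a reply to a type-ANY query keeps only these.
ANY_KEEP = {"A", "AAAA", "MX", "CNAME"}


def parse_filters(conf_text):
    """Return (filtered_types, filter_any, overlaps) from dnsmasq.conf text."""
    legacy, explicit, filter_any = set(), set(), False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if line == "filter-A":
            legacy.add("A")
        elif line == "filter-AAAA":
            legacy.add("AAAA")
        elif line.startswith("filter-rr="):
            for t in line[len("filter-rr="):].split(","):
                t = t.strip().upper()
                if t == "ANY":
                    filter_any = True
                elif t:
                    explicit.add(t)
    # A type named both ways is exactly the ambiguity the post asks about.
    return legacy | explicit, filter_any, sorted(legacy & explicit)


def filter_answer(records, qtype, filtered, filter_any):
    """records: list of (name, rrtype, rdata); return what survives filtering."""
    keep = []
    for name, rrtype, rdata in records:
        if rrtype in filtered:                      # filter-A/AAAA or filter-rr=<type>
            continue
        if filter_any and qtype == "ANY" and rrtype not in ANY_KEEP:
            continue                                # filter-rr=ANY special case
        keep.append((name, rrtype, rdata))
    return keep


# Constructed config (the post's two lines plus filter-rr=ANY) and answer set.
CONF = "filter-AAAA\nfilter-rr=AAAA,MX,TXT\nfilter-rr=ANY\n"
ANSWER = [
    ("example.test", "A", "192.0.2.10"),
    ("example.test", "AAAA", "2001:db8::10"),
    ("example.test", "MX", "10 mail.example.test"),
    ("example.test", "TXT", "v=spf1 -all"),
    ("example.test", "SRV", "0 5 5060 sip.example.test"),
]

if __name__ == "__main__":
    filtered, filter_any, overlaps = parse_filters(CONF)
    print(sorted(filtered), filter_any, overlaps, filter_answer(ANSWER, "ANY", filtered, filter_any))
```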