Question: How to set a NXDOMAIN entry in RouterOS DNS with 6.47.1

Hi,

With 6.47.1 there was a change “*) dns - do not allow setting zero value IP addresses for “A” and “AAAA” records;” in the DNS which is causing me a problem.
On 6.47 I was able to set an AAAA record with zero IP address and the DNS replied with an NXDOMAIN. Thus I was able to force clients to use IPv4 to connect to certain domains.

This is essential as my router is multi-homed with 3 WAN and RouterOS 6 is not able to policy route IPv6 (as RouterOS 7.1beta1 seems to be able).
The solution was to simply set a zero IP address on the AAAA record, which no longer works on 6.47.1.

Any idea, how this problem could be solved in 6.47.1 and maybe above?

Thanks for your attention
dksoft

You could just set a record of type NXDOMAIN…

/ip dns static add name=example.com type=NXDOMAIN

However, this is not specific to IPv6 and could cause clients to ignore the domain completely. I tend to set an AAAA record representing the IPv4 address:

/ip dns static add name=example.com type=AAAA address=::ffff:10.0.0.1

That’s not what I see. If I add a zero address on 6.47 like this:

/ip dns static
add address=:: name=test.nx type=AAAA

and then query test.nx/AAAA, the router returns :: as if it’s a correct address. It’s up to the client to understand that it’s not possible to connect to it and discard it. There should be the same result with @eworm’s IPv4-mapped address, because it’s not possible to connect to it either. But I’m not sure how much it’s possible to rely on all clients behaving the same.

In any case, it’s wrong. The proper way would be to have an option for the router to pretend that there’s no data for a given record name and type. But currently it’s not possible to do reliably; it’s an inconsistent mess with behaviour dependent on whether you use DoH or not (see http://forum.mikrotik.com/t/v6-47-stable-is-released/140100/113).

If you want to add static IPv4 address (A record) and have clients use only that, then:

  • without DoH it works automatically, because the router won’t return anything for AAAA even if it exists upstream
  • with DoH it doesn’t work, because the router will return the original AAAA from the upstream resolver; you have to add some invalid AAAA static record to override it

If you want to only filter AAAA and have clients use original A from upstream:

  • without DoH you can’t, because if you add a static (and invalid) AAAA, it will also block the upstream A
  • with DoH you can, because the static AAAA won’t affect the original A

Great, isn’t it?
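To check which of these behaviours a resolver actually exhibits, here is an added Python example (not from this thread, RouterOS, or any poster) that classifies a raw DNS reply to an AAAA query into the cases discussed above: NXDOMAIN, NODATA (NOERROR with no AAAA), a zero-address AAAA, an IPv4-mapped AAAA, or a real AAAA. The replies it builds are constructed samples, not captured router output, and the verdict labels are names chosen for this example.

```python
import struct
import ipaddress

QTYPE_AAAA = 28

def build_aaaa_reply(qname, rcode, aaaa_addresses):
    """Constructed (not captured) DNS reply to 'qname AAAA?' with the given RCODE and AAAA answers."""
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack(">HH", QTYPE_AAAA, 1)  # QTYPE, QCLASS IN
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(aaaa_addresses), 0, 0)
    answers = b""
    for addr in aaaa_addresses:
        rdata = ipaddress.IPv6Address(addr).packed
        # c0 0c = compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_AAAA, 1, 300, len(rdata)) + rdata
    return header + question + answers

def _skip_name(msg, pos):
    """Return the offset just past the wire-format name at pos (handles compression pointers)."""
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def classify_aaaa_reply(msg):
    """Classify how a reply to an AAAA query signals 'no IPv6 address here'."""
    flags, qdcount, ancount = struct.unpack(">HHH", msg[2:8])
    if (flags & 0x000F) == 3:
        return "NXDOMAIN"  # name does not exist at all, so clients drop A too
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype != QTYPE_AAAA:
            continue
        addr = ipaddress.IPv6Address(rdata)
        if addr == ipaddress.IPv6Address("::"):
            return "ZERO_ADDRESS"  # what 6.47 handed out: the client must reject '::'
        if addr.ipv4_mapped is not None:
            return "IPV4_MAPPED:" + str(addr.ipv4_mapped)  # eworm's workaround
        return "AAAA:" + str(addr)
    return "NODATA"  # NOERROR with an empty answer: the reply Sob calls proper
```

Feed `classify_aaaa_reply` the bytes of a real UDP reply (for example from a packet capture) to see which case your router produces with and without DoH.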

Dear eworm and Sob,

thanks for looking after my problem so quickly.
In the meantime I implemented “@eworm’s IPv4-mapped address” solution. So far this works perfectly. I will do more testing and come back to update the status if anything fails.

Thanks again for your help,
dksoft