Blocking AAAA in Dnsmasq on AsusWRT/Merlin

[jarmka]

I've found little info on the web about this. There are no commands I had found that worked. I have came across a patch that adds an option for filtering AAAA in dnsmasq however: https://gist.github.com/bearice/7d3dc0e63e003d752622

Does anyone have any experience with this kind of thing? Or do you know of a better way?

Some reasons to do so:
https://isc.sans.edu/diary/Command+and+Control+Channels+Using+"AAAA"+DNS+Records/21301

Some wise words I have come across:

PS: Contrary to popular belief here on SF, there are some good reasons to disable IPv6/AAAA on a machine in a IPv4-only network, even where DNS works: Reduce broadcast load; Reduce load on DNS resolvers by almost 50%; Reduce connection start-up times (significantly where DNS caches are laggy); Follow best practices to disable non-functional features to enhance security and stability. Admittedly, if i forget to re-enable IPv6 once it becomes available, then my system becomes IPv4 legacy ballast that impedes IPv6 rollout. One should be allowed to weigh the listed pros against this con

 

[accolito]

I replied you on the other thread, shortly:
1) ask @RMerlin to patch current dnsmasq;
2) use bind instead of dnsmasq (not really a wise choice)

 

[jarmka]

@RMerlin; would you do the honors?

 

[ColinTaylor]

@RMerlin; would you do the honors?

If you think it's a worthwhile patch then I suggest you ask the dnsmasq developer to incorporate it into the mainline code.

 

[jarmka]

@ColinTaylor

I have spoken to him. I feel it is an important 'option' giving people room to experiment, I'll keep talking to him.