Blocking IPv6 DNS queries to remote servers

I've run into an "interesting" issue with DNSWL (a great whitelisting/blacklisting service) recently. As part of their DNS query abuse/freeloading mitigation, DNSWL blocks DNS queries (or returns results that mark all hosts as high-confidence non-spam sources) for hosts which repeatedly exceed reasonable query limits, to help funnel large users to their subscription service.

Requests from my mail host to dnswl via IPv6 started to trigger the more serious mitigation where DNSWL returns bogus results (every result is high confidence that it is not spam).

It appears that they are binning requests via IPv6 into large blocks (/64 or larger). As my mail host runs in a larger hosting provider's network, all of the DNS requests in that block are binned together, and exceed the limits, resulting in bogus results.

Bind has an interesting feature where you can mark certain DNS servers as "bogus" to ignore query results from them. Using this feature, we can ignore the dnswl IPv6 servers which are returning bad results, and only use IPv4 to contact them:

server 2a01:7e00:e000:293::a:1000 { bogus yes; };
server 2607:5300:201:3100::3e79 { bogus yes; };
server 2600:3c01::21:1faa { bogus yes; };
server 2a01:4f8:c2c:52e::feed { bogus yes; };
server 2400:8901::f03c:91ff:fee9:a89 { bogus yes; };
server 2a01:4f8:1c0c:708f::53 { bogus yes; };
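Two small checks I would want next to that config, written as an added example (not part of the original post or of DNSWL/Bind): decode DNSWL's documented 127.0.<category>.<trust> return codes so you can spot the "everything is high confidence" condition against a probe set that includes a host you know is not whitelisted, and generate the Bind `server { bogus yes; }` stanzas from a list of addresses after validating they are IPv6. The probe answers below are constructed, and the 127.0.0.255 over-quota code is an assumption to verify against DNSWL's current documentation.

```python
import ipaddress
from typing import Dict, List, Optional

# DNSWL answers are 127.0.<category>.<trust>; trust 3 means "high".
TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}
# Assumption: DNSWL returns 127.0.0.255 to clients it has blocked for over-quota use.
BLOCKED = "127.0.0.255"


def decode_dnswl(answer: str) -> dict:
    """Split a DNSWL A-record answer into category / trust, or flag the blocked code."""
    octets = ipaddress.IPv4Address(answer).packed
    if octets[0] != 127 or octets[1] != 0:
        raise ValueError(f"not a DNSWL return code: {answer}")
    if answer == BLOCKED:
        return {"category": 0, "trust": None, "blocked": True}
    return {"category": octets[2],
            "trust": TRUST.get(octets[3], f"unknown({octets[3]})"),
            "blocked": False}


def mitigation_suspected(answers: Dict[str, Optional[str]]) -> bool:
    """answers maps probe IP -> DNSWL answer, or None when the probe was not listed.
    The probe set must include at least one host you know is NOT whitelisted; if even
    that one comes back as 'high', the resolver is being fed the bogus results."""
    if not answers or any(a is None for a in answers.values()):
        return False  # a genuine "not listed" answer means real data is coming back
    decoded = [decode_dnswl(a) for a in answers.values()]
    if any(d["blocked"] for d in decoded):
        return True
    return all(d["trust"] == "high" for d in decoded)


def bogus_server_stanzas(addresses: List[str]) -> str:
    """Emit one Bind 'server <addr> { bogus yes; };' line per IPv6 address."""
    lines = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version != 6:
            raise ValueError(f"expected an IPv6 address, got {addr}")
        lines.append(f"server {ip} {{ bogus yes; }};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed probe answers: a known non-whitelisted host also answering "high".
    probes = {"192.0.2.10": "127.0.10.3", "192.0.2.99": "127.0.5.3"}
    print("mitigation suspected:", mitigation_suspected(probes))
    print(bogus_server_stanzas(["2600:3c01::21:1faa", "2a01:4f8:1c0c:708f::53"]))
```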

Hope that helps anyone else (and future me) running into this issue.
