A host PC that supports IPv6 resolves a domain name by sending an AAAA DNS query first and then an A query. That delays the response, because most websites do not support IPv6 yet and have no AAAA record, so we need to suppress AAAA DNS queries until websites have enabled IPv6.
First I tried to disable IPv6 on my host PC by executing "echo 1 > /proc/sys/net/ipv6/all/disable_ipv6", but it did not work. Then I tried dropping AAAA DNS queries on my intermediate NAT & VPN device; the following is the method that works fine for me.
Reference:
http://stackoverflow.com/questions/14096966/can-iptables-allow-dns-queries-only-for-a-certain-domain-name
https://github.com/oskar456/xt_dns/issues/1
Method 1: Use the xt_dns iptables extension to match the DNS query type
Step 1. Download the xt_dns iptables extension module source code from here:
http://software.klolik.org/xt_dns/
or: https://github.com/oskar456/xt_dns
Step 2. Compile & install the .so file (how to compile an iptables xt module: see https://github.com/netoptimizer/IPTV-Analyzer/blob/master/iptables-module/README.compile)
Step 3. insmod the .so file and add iptables rules depending on your needs; the following URL is an example. Don't forget to save them.
http://software.klolik.org/xt_dns/#example
Because I do not have permission to insmod iptables modules on my VPS, I am using the next method for now; it works fine.
Method 2: Use the iptables match (-m) string option
# create a dedicated chain and send forwarded DNS queries from the LAN through it
iptables -N AAAA
iptables -I FORWARD 1 -p udp -s 192.168.0.0/16 --dport 53 -j AAAA
# offset 40 = 20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header, i.e. the start of the question section; 0x001c is QTYPE AAAA
iptables -A AAAA -m string --algo bm --from 40 --hex-string '|001c|' -j DROP
Reference: 'man iptables-extensions', then search for 'string'.
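To see what the string match above actually does, here is an added example (not part of the original post) that builds constructed DNS query packets, decodes the real QTYPE by walking the QNAME labels, and emulates the iptables '--from 40 --hex-string' search for both the '|001c|' pattern and the shorter '|1c|' variant. It assumes a 20-byte IPv4 header with no options, which is what the offset 40 relies on.

```python
import struct

DNS_OFFSET = 40   # 20-byte IPv4 header + 8-byte UDP header + 12-byte DNS header (assumed, no IP options)
QTYPE_AAAA = 28   # 0x001c
QTYPE_A = 1


def build_query(qname, qtype, txid=0x1234):
    """Construct a raw IPv4/UDP/DNS query (sample data; IP and UDP headers are zero-filled placeholders)."""
    ip_hdr = bytes(20)
    udp_hdr = bytes(8)
    dns_hdr = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    labels = qname.strip('.').split('.')
    qname_wire = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    return ip_hdr + udp_hdr + dns_hdr + qname_wire + struct.pack('!HH', qtype, 1)  # QCLASS IN


def parse_qtype(pkt):
    """Decode the first question's QTYPE by walking the length-prefixed labels to the terminator."""
    i = DNS_OFFSET
    while pkt[i] != 0:
        i += 1 + pkt[i]
    i += 1
    return struct.unpack('!H', pkt[i:i + 2])[0]


def string_match(pkt, pattern, offset=DNS_OFFSET):
    """Emulate '-m string --from OFFSET --hex-string PATTERN': any occurrence starting at or after OFFSET."""
    return pkt.find(pattern, offset) != -1


def classify(pkt):
    """Compare the precise decode against the two byte-pattern rules."""
    return {
        'real_aaaa': parse_qtype(pkt) == QTYPE_AAAA,
        'rule_001c': string_match(pkt, b'\x00\x1c'),  # the '|001c|' rule from the post
        'rule_1c': string_match(pkt, b'\x1c'),        # the shorter '|1c|' variant
    }


if __name__ == '__main__':
    # a 28-character label has length byte 0x1c, so '|1c|' alone fires on an ordinary A query
    for name, qtype in [('example.com', QTYPE_AAAA), ('example.com', QTYPE_A),
                        ('www.abcdefghijklmnopqrstuvwxyz12.com', QTYPE_A)]:
        print(name, qtype, classify(build_query(name, qtype)))
```

The last case shows why the two-byte pattern is the safer choice: a single 0x1c byte also appears as the length prefix of any 28-character label, so the '|1c|' rule drops some ordinary A queries.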
This didn't work. I needed to just do this:
iptables -I OUTPUT -p udp --dport 53 -m string --algo bm --hex-string '|1c|' --from 40 -j DROP