dnsmasq 返回 HTTPS 而不是 NODATA

我正在尝试使用 dnsmasq 在 ubuntu 服务器上为连接到 VPN 的人们设置 DNS。我不希望人们从此 VPN 搜索成人内容网站。

因此我安装了 dnsmask 并将其设置为使用主机列表，禁止大多数已知的成人内容网站：https://github.com/Sinfonietta/hostfiles/blob/master/pornography-hosts

对于 pornhub.com 它正在运行并且我收到以下日志：

dnsmasq[2438]: query[HTTPS] pornhub.com from 10.8.0.4
dnsmasq[2438]: forwarded pornhub.com to x:x:x:x:x:x:x:x
dnsmasq[2438]: query[A] pornhub.com from 10.8.0.4
dnsmasq[2438]: /etc/hosts-porn-content pornhub.com is 0.0.0.0
dnsmasq[2438]: reply pornhub.com is NODATA

但是，由于某种原因，当某个网站可以通过 ipv6 解析时，客户端仍然可以访问该网站。例如，即使 dnsmasq 在 /etc/hosts-porn-content 中找到配置，hanime.tv 仍可解析：

dnsmasq[2438]: query[HTTPS] hanime.tv from 10.8.0.4
dnsmasq[2438]: forwarded hanime.tv to x:x:x:x:x:x:x:x
dnsmasq[2438]: query[A] hanime.tv from 10.8.0.4
dnsmasq[2438]: /etc/hosts-porn-content hanime.tv is 0.0.0.0
dnsmasq[2438]: reply hanime.tv is <HTTPS>

这是我的 dnsmasq 配置：

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
clear-on-reload
filter-AAAA

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
addn-hosts=/etc/hosts-porn-content

systemd-resolve 配置：

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=127.0.0.1
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
DNSStubListener=no
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

OpenVPN 配置使用 DNS：

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.8.0.1"

/etc/hosts内容：

127.0.0.1 localhost
127.0.1.1 serv

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

我尝试在运行 DNS 服务器的计算机上禁用 IPV6，但是客户端无法在网络上搜索任何内容...

并且 filter-AAAA 不起作用，至少我不明白它在做什么。

最后我通过执行以下操作清除 DNS 缓存：

resolvectl flush-caches
pkill -HUP dnsmasq
pkill -USR1 dnsmasq