Craig Howard
2016-10-31 06:52:51 UTC
I've got dnsmasq running on my home network, which is dual-stack. I'm
playing around with IPv6, mostly with the goal of learning it. I've
got a machine on my network called brix. It's got both SLAAC and
DHCPv6 assigned addresses. Which means that when I dig it, I get
this:
$ dig brix.choward.ca aaaa +short
fd0f:e273:26d2:0:feaa:14ff:fead:b208
fd0f:e273:26d2::16
2601:xxx:xxx:xxx::16
2601:xxx:xxx:xxx:feaa:14ff:fead:b208
The DNS cache cycles through those answers nicely. However, because
the answer mixes GUA and ULA and DNS cycles through the response
order, it's non-deterministic which address I'll use when I browse to
the HTTP server. This makes setting up ACLs hard. It also doesn't
allow me to follow the recommendation of preferring ULA when I'm
staying within my home network. (https://tools.ietf.org/html/rfc7368)
What I'd like to do is have dnsmasq return only the ULA addresses from
within my home network. I assume some people would prefer the
reverse, depending on how they've deployed dnsmasq. How can I filter
to return ULA answers only? I'm not seeing an obvious way.
Thanks,
Craig
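
The sketch below is an added example, not part of the original post and not a dnsmasq feature: it classifies a rotating AAAA answer set by prefix (ULA is fc00::/7, GUA is 2000::/3) and keeps only one scope, so the result no longer depends on answer order. The function names are hypothetical, and 2001:db8:0:1::/64 is a constructed stand-in for the redacted 2601:xxx prefix.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses (RFC 4193)
GUA = ipaddress.ip_network("2000::/3")   # global unicast addresses

def classify(addr):
    """Return (scope, iid_kind) for one AAAA answer."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ULA:
        scope = "ULA"
    elif ip in GUA:
        scope = "GUA"
    else:
        scope = "other"
    # A MAC-derived (modified EUI-64) interface ID has ff:fe in its middle,
    # as in the feaa:14ff:fead:b208 answers above.
    iid = ip.packed[8:]
    iid_kind = "eui64" if iid[3:5] == b"\xff\xfe" else "non-eui64"
    return scope, iid_kind

def filter_answers(answers, want="ULA"):
    """Keep only answers of the wanted scope, in a stable sorted order."""
    kept = [ipaddress.IPv6Address(a) for a in answers if classify(a)[0] == want]
    return [str(ip) for ip in sorted(kept)]

# Constructed sample: the ULA answers from the dig output above, plus
# documentation-prefix stand-ins for the redacted GUA answers.
SAMPLE = [
    "fd0f:e273:26d2:0:feaa:14ff:fead:b208",
    "fd0f:e273:26d2::16",
    "2001:db8:0:1::16",
    "2001:db8:0:1:feaa:14ff:fead:b208",
]

def rotations(answers):
    """Every round-robin ordering a cache could hand back."""
    return [answers[i:] + answers[:i] for i in range(len(answers))]

if __name__ == "__main__":
    for order in rotations(SAMPLE):
        print(order[0], "->", filter_answers(order))
    for a in SAMPLE:
        print(a, classify(a))
```

The same prefix test works for writing the ACL itself: allowing fd0f:e273:26d2::/64 matches both ULA answers regardless of which one the client picks.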