Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IPV6 related issue on bind 9.16.1 on Ubuntu 20.04

Status
Not open for further replies.
dl12345

dl12345

Technical User
Joined
Feb 8, 2021
Messages
2
Location
GB
I'm running a recursive bind 9.16.1 on my Ubuntu 20.04. It's just an internal LAN server, so not serving as an authoritative server for any domains. It's not using any forwarders and it's running dnssec.

When forced to run only over ipv4 with the -4 command line switch, everything works fine.

However, if I allow it to use ipv6 for queries, my logs are literally flooded with errors such as the following, at a very high rate of many per second.

Code: 
08-Feb-2021 20:02:26.405 query-errors: client @0x7f0350013dd0 127.0.0.1#42665 (incoming.telemetry.mozilla.org): query failed (SERVFAIL) for incoming.telemetry.mozilla.org/IN/A at query.c:6883

I've checked the obvious: ipv6 is functional and the machine can reach the public ipv6 internet. Port 53 is not filtered.

I'm somewhat perplexed by this behaviour. Is there anything obvious I should be looking at to track down the cause of this failure?

Code: 
root@ubuntu:~# nmap -6 -sU -p53 2001:4860:4860::8888
Starting Nmap 7.80 ( [URL unfurl="true"]https://nmap.org[/URL] ) at 2021-02-08 20:06 GMT
Nmap scan report for dns.google (2001:4860:4860::8888)
Host is up (0.023s latency).

PORT   STATE SERVICE
53/udp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Code: 
root@ubuntu:~# nslookup
> a.root-servers.net
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	a.root-servers.net
Address: 198.41.0.4
Name:	a.root-servers.net
Address: 2001:503:ba3e::2:30
> 
> server 2001:503:ba3e::2:30
Default server: 2001:503:ba3e::2:30
Address: 2001:503:ba3e::2:30#53
> b.root-servers.net
Server:		2001:503:ba3e::2:30
Address:	2001:503:ba3e::2:30#53

Non-authoritative answer:
Name:	b.root-servers.net
Address: 199.9.14.201
Name:	b.root-servers.net
Address: 2001:500:200::b
>
 
Sort by date Sort by votes
The answer is that there was an IPv6 firewall rule redirecting DNS queries to a local server that wasn't excluding the internal server's queries...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Blind Faith
  • Locked
  • Question Question
Bind9 master insisting on checking NS at root
Replies
5
Views
12K
YoBo7
YoBo7
Propus Gemini
  • Locked
  • Question Question
BIND don't resolve Microsoft Teams URL
Replies
1
Views
12K
iggsterman
iggsterman
R. B.
  • Locked
  • Question Question
BIND BLOCK IN ANY REQUEST
Replies
0
Views
10K
R. B.
R. B.
alpha76
  • Locked
  • Question Question
Advice on DNS setup/configuration
Replies
3
Views
11K
technome
technome
Richard Carter
  • Locked
  • Question Question
Set up BIND on DNS server for local home server
Replies
0
Views
11K
Richard Carter
Richard Carter

Part and Inventory Search

Sponsor

Back
Top