disable ipv6 source query

Hillary Nelson nelsonhillary8 at gmail.com
Tue Sep 27 02:27:30 UTC 2016


We have this configured on our server

server ::/0 { bogus yes; };

Just recently noticed the config above can actually cause problems resolving
hostnames. It works if the hostname and the nameservers hosting it are on the
same TLD; for example, isc.org's nameservers are all on the isc.org domain, so the
server doesn't need to make an extra trip to get the nameserver IP. But if the
hostname and nameservers are on different TLDs, like org.org (hosted by
gandi.net) or mit.edu (hosted by akam.net), trying to resolve those names can
cause random ServFail.

For example, to resolve org.org, our nameserver sends a separate A/AAAA query
for each NS of org.org (a|b|c.dns.gandi.net); if gandi's nameserver returns the
AAAA answer to our nameserver first, our nameserver immediately sends back
'ServFail' to the client.

Here are the relevant tcpdumps. 192.168.2.1 is our nameserver IP; immediately
after getting "AAAA 2001:4b98:abcb::1", 192.168.2.1 sends ServFail to client
10.0.2.1. Can someone help explain why?

The server is Linux with a private IPv6 and a public IPv4 address, bind-9.9.9-P2.
Also tried on a server with only an IPv4 stack but not running with '-4'; same
problem.

21:50:06.241074 IP 192.168.2.1.40214 > 217.70.177.45.53: 39763% [1au] AAAA? b.dns.gandi.net. (44)
21:50:06.244717 IP 192.33.14.30.53 > 192.168.2.1.36814: 47777- 0/9/9 (788)
21:50:06.244828 IP 192.33.14.30.53 > 192.168.2.1.21146: 51773- 0/9/9 (788)
21:50:06.244949 IP 192.168.2.1.44748 > 217.70.177.45.53: 58879% [1au] A? c.dns.gandi.net. (44)
21:50:06.245028 IP 192.168.2.1.31154 > 217.70.177.45.53: 20056% [1au] AAAA? a.dns.gandi.net. (44)
21:50:06.245312 IP 192.33.14.30.53 > 192.168.2.1.52630: 45706- 0/9/9 (788)
21:50:06.245323 IP 192.33.14.30.53 > 192.168.2.1.24836: 29881- 0/9/9 (788)
21:50:06.245367 IP 192.33.14.30.53 > 192.168.2.1.41506: 55177- 0/9/9 (788)
21:50:06.245482 IP 192.168.2.1.33406 > 217.70.177.45.53: 60412% [1au] AAAA? c.dns.gandi.net. (44)
21:50:06.245488 IP 192.168.2.1.7636 > 217.70.177.45.53: 56644% [1au] A? b.dns.gandi.net. (44)
21:50:06.245723 IP 192.168.2.1.52639 > 217.70.177.45.53: 50741% [1au] A? a.dns.gandi.net. (44)
21:50:06.351604 IP 217.70.177.45.53 > 192.168.2.1.40214: 39763*- 1/5/10 AAAA 2001:4b98:abcb::1 (359)
21:50:06.352037 IP 192.168.2.1.53 > 10.0.2.1.57356: 57631 ServFail 0/0/1 (36)

Thanks!
Hillary
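An added example, not from the post or from BIND: a small parser for resolver-side tcpdump lines like the ones above that, for each SERVFAIL the resolver returned to a client, reports which NS address lookups had already been answered in the preceding few milliseconds and which were still outstanding, so the "AAAA came back first" ordering described above can be checked across a whole capture rather than by eye. It uses the post's own capture as sample input (wrapped lines rejoined); the 5 ms window and the pairing of replies to queries on (transaction id, ephemeral port) are my assumptions.

```python
import re
from datetime import datetime

# Resolver-side tcpdump lines from the post, rejoined onto single lines; two of the
# 192.33.14.30 referral replies are kept to show that unmatched replies are ignored.
CAPTURE = """\
21:50:06.241074 IP 192.168.2.1.40214 > 217.70.177.45.53: 39763% [1au] AAAA? b.dns.gandi.net. (44)
21:50:06.244717 IP 192.33.14.30.53 > 192.168.2.1.36814: 47777- 0/9/9 (788)
21:50:06.244949 IP 192.168.2.1.44748 > 217.70.177.45.53: 58879% [1au] A? c.dns.gandi.net. (44)
21:50:06.245028 IP 192.168.2.1.31154 > 217.70.177.45.53: 20056% [1au] AAAA? a.dns.gandi.net. (44)
21:50:06.245367 IP 192.33.14.30.53 > 192.168.2.1.41506: 55177- 0/9/9 (788)
21:50:06.245482 IP 192.168.2.1.33406 > 217.70.177.45.53: 60412% [1au] AAAA? c.dns.gandi.net. (44)
21:50:06.245488 IP 192.168.2.1.7636 > 217.70.177.45.53: 56644% [1au] A? b.dns.gandi.net. (44)
21:50:06.245723 IP 192.168.2.1.52639 > 217.70.177.45.53: 50741% [1au] A? a.dns.gandi.net. (44)
21:50:06.351604 IP 217.70.177.45.53 > 192.168.2.1.40214: 39763*- 1/5/10 AAAA 2001:4b98:abcb::1 (359)
21:50:06.352037 IP 192.168.2.1.53 > 10.0.2.1.57356: 57631 ServFail 0/0/1 (36)
"""

LINE_RE = re.compile(r"^(\S+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\d+)[*%+-]* (.*)$")
QUERY_RE = re.compile(r"\[1au\] (A|AAAA)\? (\S+)\.")  # outbound address lookup
ANSWER_RE = re.compile(r"^(\d+)/\d+/\d+(?: (?:A|AAAA) (\S+))?")  # ancount, first rdata


def servfails_after_ns_lookups(capture, resolver, window_ms=5.0):
    """One finding per SERVFAIL the resolver sent a client: which NS address lookups
    were answered within window_ms before it, and which were still outstanding."""
    pending, answers, findings = {}, [], []  # queries keyed on (txid, source port)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, txid, rest = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S.%f")  # same-day capture assumed
        if src == resolver and sport == "53" and "ServFail" in rest:
            ms = lambda a: (t - a["t"]).total_seconds() * 1000
            recent = [a for a in answers if 0 <= ms(a) <= window_ms]
            findings.append({
                "client": dst,
                "delta_ms": round(ms(recent[-1]), 3) if recent else None,
                "answered": [(a["qtype"], a["qname"], a["rdata"]) for a in recent],
                "outstanding": sorted((q["qtype"], q["qname"]) for q in pending.values()),
            })
        elif src == resolver and (q := QUERY_RE.search(rest)):
            pending[(txid, sport)] = {"qtype": q.group(1), "qname": q.group(2), "t": t}
        elif dst == resolver and (txid, dport) in pending:
            q = pending.pop((txid, dport))
            a = ANSWER_RE.match(rest)
            if a and int(a.group(1)) > 0:  # real answers only, not referrals/NODATA
                answers.append({**q, "t": t, "rdata": a.group(2)})
    return findings
```

On the post's capture this yields a single finding: the SERVFAIL to 10.0.2.1 follows the AAAA answer for b.dns.gandi.net by 0.433 ms while all three A lookups are still unanswered.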



On Tue, Jun 21, 2016 at 9:55 PM, Warren Kumari <warren at kumari.net> wrote:

>
>
> On Tuesday, June 21, 2016, Mark Andrews <marka at isc.org> wrote:
>
>>
>>         server ::/0 { bogus yes; };
>
>
> Eeeeeeeeww! That's gross, but in a bizarrely satisfying way.
>
> W
>
>
>
>>
>> In message <CAJS9+YbY3VL3kEhtJMt58eKQrF6QazfvT3kHVy05q26LMPTmkg at mail.gmail.com>, Hillary Nelson writes:
>> > We are moving our v6 DNS from F5 to anycast. Since F5 can translate
>> > addresses from v6 to v4, our backend servers are still v4 only and we never
>> > had problems resolving hostnames with v4 only.
>> >
>> > Now for anycast, I want to enable v6 with a private address only, but it
>> > seems like named favors v6 and uses it to source queries to other
>> > nameservers; it will try v4 if v6 fails, like this (I've configured the
>> > source-query-v6 address ::1 so v6 always fails):
>> >
>> > 21:04:33.303536 IP6 ::1.34892 > 2001:dcd:1::7.53: 33940% [1au] A? example.com. (48)
>> > 21:04:34.146521 IP 1.1.1.1.58822 > 2.2.2.2: 55501% [1au] A? example.com. (48)
>> >
>> >
>> > My question is how to configure named to only use v4 addresses to query
>> > other nameservers, but still keep a listening v6 address?
>> >
>> > Thanks in advance!!
>> > Hillary
>> >
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>    ---maf
>