Page MenuHomePhabricator

PowerDNS config can't handle listening on IPv6 addresses
Closed, ResolvedPublicBUG

Description

The current config syntax allows a single kind of listening address, listen-address. This sets the local-address option in /etc/powerdns/recursor.conf. Unfortunately, local-address is only for IPv4 addresses; a separate local-ipv6 setting in recursor.conf is required for IPv6 addresses.

See the documentation here: https://doc.powerdns.com/md/authoritative/settings/#local-address
and: https://doc.powerdns.com/md/authoritative/settings/#local-ipv6

As a result, this configuration:

# show service dns
 forwarding {
     ignore-hosts-file
     listen-address 2604:3024:423e:b9f2::1
     listen-address 192.168.10.1
     listen-address 2604:3024:423e:b9f1::1
     listen-address 51.89.31.65
     listen-address 2604:3024:423e:b9f4::1
     listen-address 192.168.20.1
     listen-address 127.0.0.1
     name-server 2604:3024:423e:b9f1:3063:21ff:fee9:1234
     name-server 51.89.31.67
     name-server 52.41.86.239
 }

creates this setting in recursor.conf:

# listen-on
local-address=2604:3024:423e:b9f2::1,192.168.10.1,2604:3024:423e:b9f1::1,51.89.31.65,2604:3024:423e:b9f4::1,192.168.20.1,127.0.0.1

The server does not, in fact, listen on any of the IPv6 addresses, although it does listen on the IPv4 addresses without complaint.

There should probably be a separate listen-address-v6 config option, or something similar.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rc3
Why the issue appeared?
Implementation mistake
gadams created this task.Nov 7 2018, 6:42 AM
gadams updated the task description. (Show Details)Nov 7 2018, 6:45 AM
c-po added a subscriber: c-po.Nov 7 2018, 7:35 AM

We should keep listen-address for all address types but we are able to distinguish between them when building up recursor.conf

syncer triaged this task as Normal priority.
c-po added a comment.Nov 7 2018, 1:01 PM

The links you refer are for PowerDNS Authoritative Server, we are using PowerDNS Recursor, see https://doc.powerdns.com/recursor/settings.html#local-address

Can it be that your upstream IPv6 nameserver is ill formated? 2604:3024:423e:b9f1:3063:21ff:fee91234 does not look like an IPv6 address

gadams updated the task description. (Show Details)Nov 7 2018, 5:58 PM
gadams added a comment.Nov 7 2018, 6:05 PM

Yes, I concur that keeping just listen-address for both address types would definitely be preferable, and we should just distinguish between them when building the config, if needed.

Sorry I pulled up the wrong docs. And no, that was just a typo I made while copying and pasting. (I've just fixed it, to reduce confusion.) The problem is definitely not in the upstream DNS servers; I can successfully make queries against the pdns_recursor instance using IPv4 addresses, including 127.0.0.1, and the answers come back correctly. Queries to any of the IPv6 addresses, on the other hand, are simply never responded to.

gadams added a comment.Nov 7 2018, 6:14 PM

The plot thickens, however. According to netstat -an | grep :53, it is listening on the IPv6 addresses specified.

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.20.1:53         0.0.0.0:*               LISTEN
tcp        0      0 51.89.31.65:53          0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.1:53         0.0.0.0:*               LISTEN
tcp6       0      0 2604:3024:423e:b9f4::53 :::*                    LISTEN
tcp6       0      0 2604:3024:423e:b9f1::53 :::*                    LISTEN
tcp6       0      0 2604:3024:423e:b9f2::53 :::*                    LISTEN
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 192.168.20.1:53         0.0.0.0:*
udp        0      0 51.89.31.65:53          0.0.0.0:*
udp        0      0 192.168.10.1:53         0.0.0.0:*
udp6       0      0 2604:3024:423e:b9f4::53 :::*
udp6       0      0 2604:3024:423e:b9f1::53 :::*
udp6       0      0 2604:3024:423e:b9f2::53 :::*

However, it doesn't work:

# dig @192.168.20.1 -x 8.8.8.8
...
;; ANSWER SECTION:
8.8.8.8.in-addr.arpa.	86400	IN	PTR	google-public-dns-a.google.com.

;; Query time: 92 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
...
# dig @2604:3024:423e:b9f2::1 -x 8.8.8.8
; <<>> DiG 9.9.5-9+deb8u16-Debian <<>> @2604:3024:423e:b9f2::1 -x 8.8.8.8
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I have no firewall rules set on these internal interfaces. This is from the VyOS router, itself, but I see the same results when I query from other local machines.

What could be going on? My initial diagnosis was clearly mistaken.

gadams added a comment.Nov 7 2018, 6:19 PM
This comment was removed by gadams.
gadams added a comment.Nov 8 2018, 3:18 AM

Aha! I have figured out what causes pdns-recursor not to answer requests on its IPv6 sockets, even though it binds to them. It's the allow-from setting. If I change it from:

allow-from=0.0.0.0/0

to:

allow-from=0.0.0.0/0, ::/0

then everything works.

This is part of the non-configurable defaults section, so I suppose we should just change it.

c-po added a comment.Nov 8 2018, 11:06 AM

Can you search for the following file on your device and edit it to test your proposed changes:

https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/dns_forwarding.py#L39

location should be: /usr/libexec/vyos/conf/mode/dns_forwarding.py

c-po claimed this task.Nov 8 2018, 3:08 PM
c-po closed this task as Resolved.
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
gadams added a comment.Nov 8 2018, 6:20 PM

Yes, that change works. I'll look forward to it appearing in an RC. :)