
PowerDNS config for upstream IPv6 nameservers is broken
Closed, Resolved · Public · BUG

Description

I have configured dns forwarding as follows:

# show service dns
 forwarding {
     domain 168.192.in-addr.arpa {
         server 2603:3024:423e:b9f1:3063:21ff:fee9:1234
         server 51.89.31.67
     }
     ignore-hosts-file
     listen-address 2604:3024:423e:b9f2::1
     listen-address 192.168.10.1
     listen-address 2604:3024:423e:b9f1::1
     listen-address 51.89.31.65
     listen-address 2604:3024:423e:b9f4::1
     listen-address 192.168.20.1
     listen-address 127.0.0.1
     name-server 2603:3024:423e:b9f1:3063:21ff:fee9:1234
     name-server 51.89.31.67
     name-server 52.41.86.239
 }

Notice that there are three upstream nameservers configured globally, and two configured for the RFC-1918 zones. (The latter is my workaround for PowerDNS recursor defaulting to refuse to send queries for RFC-1918 addresses.)

However, there are two problems with the IPv6 upstream nameserver configuration, as shown by the pdns-recursor logs:

Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Only allowing queries from: 0.0.0.0/0
Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Will not send queries to: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0
Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Redirecting queries for zone '168.192.in-addr.arpa' to: 0.0.10.43:3024, 51.89.31.67:53
Nov 07 10:55:34 core-rt.avernus.com pdns_recursor[20806]: Nov 07 10:55:34 Redirecting queries for zone '.' with recursion to: 0.0.10.43:3024, 51.89.31.67:53, 52.41.86.239:53

First, we need to set the config option query-local-address6=:: in recursor.conf, or no IPv6 nameservers will be queried. We should just do this by default, since we allow setting IPv6 addresses as name-servers.

Second, the IPv6 addresses are being garbled to 0.0.10.43:3024. That's because we haven't wrapped the IPv6 addresses in square brackets in recursor.conf:

...
# domain ... server ...
forward-zones=168.192.in-addr.arpa=2603:3024:423e:b9f1:3063:21ff:fee9:1234;50.79.34.67

# dnssec
dnssec=process-no-validate

# name-server
forward-zones-recurse=.=2603:3024:423e:b9f1:3063:21ff:fee9:1234;50.79.34.67;208.72.84.202

If I wrap the IPv6 addresses in [], then the addresses are configured correctly, and recursor doesn't waste its time sending queries to bogus IPv4 addresses.

# domain ... server ...
forward-zones=168.192.in-addr.arpa=[2603:3024:423e:b9f1:3063:21ff:fee9:1234];50.79.34.67

# dnssec
dnssec=process-no-validate

# name-server
forward-zones-recurse=.=[2603:3024:423e:b9f1:3063:21ff:fee9:1234];50.79.34.67;208.72.84.202
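
An added example, not part of the original report and not the vyos-1x code: one way a config generator could emit the forward-zones lines with IPv6 forwarders bracketed and enable outgoing IPv6 only when an IPv6 forwarder is present. The function names are hypothetical; the sample addresses are the ones from the "show service dns" output above.

```python
import ipaddress


def parse_ip(addr):
    """Parse an address, tolerating input that is already bracketed."""
    return ipaddress.ip_address(addr.strip().strip("[]"))  # ValueError on junk


def format_forwarder(addr):
    """Render one forwarder; IPv6 is wrapped in [] so its colons are not
    read as a port separator (the log above shows 2603:3024:... parsed as
    0.0.10.43 port 3024)."""
    ip = parse_ip(addr)
    return f"[{ip}]" if ip.version == 6 else str(ip)


def render_forwarding(domains, name_servers):
    """Return recursor.conf lines for per-domain and global forwarders."""
    lines = []
    every = [s for servers in domains.values() for s in servers] + list(name_servers)
    if any(parse_ip(a).version == 6 for a in every):
        # Without this the recursor logs "NOT using IPv6 for outgoing queries".
        lines.append("query-local-address6=::")
    if domains:
        zones = ",".join(
            f"{zone}=" + ";".join(format_forwarder(s) for s in servers)
            for zone, servers in domains.items()
        )
        lines.append(f"forward-zones={zones}")
    if name_servers:
        fwd = ";".join(format_forwarder(s) for s in name_servers)
        lines.append(f"forward-zones-recurse=.={fwd}")
    return lines


# Sample input taken from the "show service dns" output in the report.
V6 = "2603:3024:423e:b9f1:3063:21ff:fee9:1234"
DOMAINS = {"168.192.in-addr.arpa": [V6, "51.89.31.67"]}
NAME_SERVERS = [V6, "51.89.31.67", "52.41.86.239"]

if __name__ == "__main__":
    print("\n".join(render_forwarding(DOMAINS, NAME_SERVERS)))
```

Rejecting unparsable addresses at generation time keeps a malformed forwarder from reaching recursor.conf, where it would otherwise be silently reinterpreted as in the log above.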

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rc3
Why the issue appeared?
Design mistake

Event Timeline

I have sent a pull request that adds support for outbound IPv6 queries, implementing what I described above: https://github.com/vyos/vyos-1x/pull/58.

c-po changed the task status from Open to In progress. Nov 8 2018, 8:20 PM
c-po assigned this task to gadams.
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.