Anand Buddhdev
2023-Jan-07 09:39 UTC
[nsd-users] NSD not reachable over IPv6 without ip-address option
Hi Pim,

This issue comes up quite frequently.

If you don't configure NSD to bind to a specific IPv6 address, then when it is constructing a DNS response packet, it doesn't set the source address in it. It passes the packet to the OS, which then selects a route for the packet, and sets the source address appropriate for that route. If you have multiple interfaces on the server, or multiple IPv6 addresses on an interface, then the OS can pick the wrong one, and the client will receive a DNS reply from an address it wasn't expecting, and probably discard it.

It is good practice to make your NSD server bind explicitly to the addresses that it's supposed to listen to and reply from.

Regards,
Anand

On 06/01/2023 18:41, Pim Kunis via nsd-users wrote:
> Hi,
>
> I have a dual-stack IPv4/IPv6 server on which I run NSD. However, without adding the "ip-address" option in nsd.conf, NSD does not respond to IPv6 queries. It does respond to IPv4 queries. Also, it does respond to requests from the same machine to ::1.
>
> Below you can see that the NSD is indeed listening to UDP port 53 on IPv6 on the wildcard address:
>
>> root@lewis:/etc/nsd# ss -ulpn sport inet6:53
>> State   Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
>> UNCONN  0      0      [::]:53             [::]:*              users:(("nsd: server 4",pid=16052,fd=4),("nsd: server 3",pid=16051,fd=4),("nsd: server 2",pid=16050,fd=4),("nsd: server 1",pid=16049,fd=4),("nsd: main",pid=16048,fd=4),("nsd: xfrd",pid=16046,fd=4))
>
> Does anybody know what could be the problem?
>
> Kind regards,
>
> Pim Kunis
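An added check for the symptom Anand describes (example code written for this page, not from the thread or from NSD): it sends one UDP DNS query over IPv6 from an unconnected socket, so a reply from a different source address is still received, and reports whether the reply's source address is the address that was queried. The server address and zone name given on the command line are assumptions; a real resolver would silently discard a reply whose source does not match.

```python
# Added example, not from the thread or from NSD. Probe server and zone name
# are command-line assumptions. Usage: python3 probe.py 2001:db8::53 example.net
import socket
import struct
import sys


def build_query(name: str, qid: int = 0x1234, qtype: int = 2) -> bytes:
    """Build a minimal DNS query: given name, QTYPE (default NS), QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # id, flags, counts
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _packed(addr: str) -> bytes:
    """Binary form of an IPv6 address, ignoring any %scope suffix."""
    return socket.inet_pton(socket.AF_INET6, addr.split("%")[0])


def reply_checks(query: bytes, reply: bytes, queried: str, source: str) -> dict:
    """The checks a resolver applies before trusting a UDP reply. A reply
    from a source other than the queried address fails the first one and
    is dropped, which is the symptom seen when NSD is not bound explicitly."""
    return {
        "same_address": _packed(queried) == _packed(source),
        "same_id": len(reply) >= 2 and reply[:2] == query[:2],
        "is_response": len(reply) >= 3 and bool(reply[2] & 0x80),
    }


def probe(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one query from an unconnected UDP socket (so a reply from any
    source address is received) and report where the reply came from."""
    query = build_query(name)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, (src, _port, _flow, _scope) = sock.recvfrom(4096)
        except socket.timeout:
            return {"received": False}
    return {"received": True, "source": src, **reply_checks(query, reply, server, src)}


if __name__ == "__main__":
    print(probe(sys.argv[1], sys.argv[2]))
```

If the output shows `same_address: False`, the server answered from a different address than the one queried; binding NSD explicitly with `ip-address` is the fix Anand recommends.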
Pim Kunis
2023-Jan-07 14:03 UTC
[nsd-users] NSD not reachable over IPv6 without ip-address option
Hi Anand,

Thank you for your reply, I understand the problem better now. I used Wireshark and indeed the packets were being returned from the wrong address.

For some reason, my server is getting a second globally routable /128 IPv6 address in the prefix that is advertised by my router. Would you happen to know what could be causing this?

Curiously, if I tell NSD to use my main NIC, which has two global IPv6 addresses as said above, it will always pick the correct one (so not the /128 one).

Thank you,
Pim Kunis

On 07-01-2023 10:39, Anand Buddhdev wrote:
> Hi Pim,
>
> This issue comes up quite frequently.
>
> If you don't configure NSD to bind to a specific IPv6 address, then when it is constructing a DNS response packet, it doesn't set the source address in it. It passes the packet to the OS, which then selects a route for the packet, and sets the source address appropriate for that route. If you have multiple interfaces on the server, or multiple IPv6 addresses on an interface, then the OS can pick the wrong one, and the client will receive a DNS reply from an address it wasn't expecting, and probably discard it.
>
> It is good practice to make your NSD server bind explicitly to the addresses that it's supposed to listen to and reply from.
>
> Regards,
> Anand
>
> On 06/01/2023 18:41, Pim Kunis via nsd-users wrote:
>> Hi,
>>
>> I have a dual-stack IPv4/IPv6 server on which I run NSD. However, without adding the "ip-address" option in nsd.conf, NSD does not respond to IPv6 queries. It does respond to IPv4 queries. Also, it does respond to requests from the same machine to ::1.
>>
>> Below you can see that the NSD is indeed listening to UDP port 53 on IPv6 on the wildcard address:
>>
>>> root@lewis:/etc/nsd# ss -ulpn sport inet6:53
>>> State   Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
>>> UNCONN  0      0      [::]:53             [::]:*              users:(("nsd: server 4",pid=16052,fd=4),("nsd: server 3",pid=16051,fd=4),("nsd: server 2",pid=16050,fd=4),("nsd: server 1",pid=16049,fd=4),("nsd: main",pid=16048,fd=4),("nsd: xfrd",pid=16046,fd=4))
>>
>> Does anybody know what could be the problem?
>>
>> Kind regards,
>>
>> Pim Kunis
Jim Popovitch
2023-Jan-07 14:46 UTC
[nsd-users] NSD not reachable over IPv6 without ip-address option
On Sat, 2023-01-07 at 10:39 +0100, Anand Buddhdev via nsd-users wrote:
> This issue comes up quite frequently.
>
> If you don't configure NSD to bind to a specific IPv6 address, then when it is constructing a DNS response packet, it doesn't set the source address in it. It passes the packet to the OS, which then selects a route for the packet, and sets the source address appropriate for that route. If you have multiple interfaces on the server, or multiple IPv6 addresses on an interface, then the OS can pick the wrong one, and the client will receive a DNS reply from an address it wasn't expecting, and probably discard it.
>
> It is good practice to make your NSD server bind explicitly to the addresses that it's supposed to listen to and reply from.

Alternatively, if your IP stack is static and you only have one IPv4 and one IPv6, then you can use do-ip4 and do-ip6 and you don't need to specify specific IP addresses in nsd.conf:

server:
    do-ip4: yes
    do-ip6: yes

-Jim P.