Pim Kunis
2023-Jan-06 17:41 UTC
[nsd-users] NSD not reachable over IPv6 without ip-address option
Hi,

I have a dual-stack IPv4/IPv6 server on which I run NSD. However, without adding the "ip-address" option in nsd.conf, NSD does not respond to IPv6 queries. It does respond to IPv4 queries. Also, it does respond to requests from the same machine to ::1.

Below you can see that the NSD is indeed listening to UDP port 53 on IPv6 on the wildcard address:

> root at lewis:/etc/nsd# ss -ulpn sport inet6:53
> State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
> UNCONN  0       0       [::]:53             [::]:*             users:(("nsd: server 4",pid=16052,fd=4),("nsd: server 3",pid=16051,fd=4),("nsd: server 2",pid=16050,fd=4),("nsd: server 1",pid=16049,fd=4),("nsd: main",pid=16048,fd=4),("nsd: xfrd",pid=16046,fd=4))

Does anybody know what could be the problem?

Kind regards,

Pim Kunis
Anand Buddhdev
2023-Jan-07 09:39 UTC
[nsd-users] NSD not reachable over IPv6 without ip-address option
Hi Pim,

This issue comes up quite frequently. If you don't configure NSD to bind to a specific IPv6 address, then when it is constructing a DNS response packet, it doesn't set the source address in it. It passes the packet to the OS, which then selects a route for the packet, and sets the source address appropriate for that route. If you have multiple interfaces on the server, or multiple IPv6 addresses on an interface, then the OS can pick the wrong one, and the client will receive a DNS reply from an address it wasn't expecting, and probably discard it.

It is good practice to make your NSD server bind explicitly to the addresses that it's supposed to listen to and reply from.

Regards,
Anand

On 06/01/2023 18:41, Pim Kunis via nsd-users wrote:
> Hi,
>
> I have a dual-stack IPv4/IPv6 server on which I run NSD. However,
> without adding the "ip-address" option in nsd.conf, NSD does not respond
> to IPv6 queries. It does respond to IPv4 queries. Also, it does respond
> to requests from the same machine to ::1.
>
> Below you can see that the NSD is indeed listening to UDP port 53 on
> IPv6 on the wildcard address:
>
>> root at lewis:/etc/nsd# ss -ulpn sport inet6:53
>> State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
>> UNCONN  0       0       [::]:53             [::]:*             users:(("nsd: server 4",pid=16052,fd=4),("nsd: server 3",pid=16051,fd=4),("nsd: server 2",pid=16050,fd=4),("nsd: server 1",pid=16049,fd=4),("nsd: main",pid=16048,fd=4),("nsd: xfrd",pid=16046,fd=4))
>
> Does anybody know what could be the problem?
>
> Kind regards,
>
> Pim Kunis
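The behaviour described in the reply above can be reproduced on a single Linux host. This is an added example, not code from the thread or from NSD: it is a minimal UDP responder, and it assumes Linux, using the IPv4 loopback addresses 127.0.0.1 and 127.0.0.2 as stand-ins for two addresses on the same server.

```python
import socket

QUERIED = "127.0.0.2"  # address the client sends its query to (stand-in)
CLIENT = "127.0.0.1"   # address the client sends from (stand-in)

def exchange(server_bind, connected):
    """Run one UDP query/reply. Return the reply's source IP as the client
    sees it, or None if the reply never reaches the client socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind((server_bind, 0))      # port 0: kernel picks a free port
        srv.settimeout(1)
        port = srv.getsockname()[1]
        cli.bind((CLIENT, 0))
        cli.settimeout(0.5)
        if connected:
            # A connected UDP socket only accepts datagrams whose source
            # is the address it queried, like a resolver checking replies.
            cli.connect((QUERIED, port))
            cli.send(b"query")
        else:
            cli.sendto(b"query", (QUERIED, port))
        _, peer = srv.recvfrom(512)
        # No source address is given here: on a wildcard socket the kernel
        # picks one from the route back to the client.
        srv.sendto(b"reply", peer)
        try:
            _, src = cli.recvfrom(512)
        except socket.timeout:
            return None                 # reply discarded by the kernel
        return src[0]

if __name__ == "__main__":
    for bind in ("0.0.0.0", QUERIED):
        print(f"server bound to {bind}:")
        print("  reply source seen by client:", exchange(bind, False))
        print("  reply accepted by strict client:", exchange(bind, True))
```

With the wildcard bind the reply leaves from 127.0.0.1 although the query went to 127.0.0.2, and the strict client times out; with the explicit bind both clients see the reply from 127.0.0.2.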