DNS Policy Issue with ipv6 Reverse DNS

itsmike-4itsinc
Posts: 2
Joined: 2022/05/19 03:17:31

DNS Policy Issue with ipv6 Reverse DNS

Post by itsmike-4itsinc » 2022/05/19 03:37:51

I'm using bind9 on Stream 8. Reverse DNS lookups using ipv4 work without issue.
Clearly, there's a policy issue when executing reverse DNS lookups using ipv6.
I've tried changing several policies, but nothing seems to resolve the issue.

Given this is an authoritative server, I know to ignore the dig warning. Using the host
command simply results in the REFUSED result code without any warning.

The following is the query and a tcpdump of the results on the server. Anyone know
which policy in named.conf needs to be set to resolve the access policy issue? allow-query
on the server is set to "any" and v4/v6 forward queries work fine.

Thanks,
itsmike-4itsinc

[user@system ~]$ dig -x 2001:xxxx:xxxx:xxxx:xxxx::5

; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -x 2001:1890:1aa9:200::5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37003
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 77da3b904fc956342c78f2da6285b7b5e22388ced256fe4c (good)
;; QUESTION SECTION:
;5.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa. IN PTR

;; Query time: x msec
;; SERVER: 2001:xxxx:xxxx:xxxx::5#53(2001:xxxx:xxxx:xxxx::5)
;; WHEN: Wed May 18 22:21:25 CDT 2x22
;; MSG SIZE rcvd: 129


[root@ns]# tcpdump -nnni enp7s0 -v port 53
dropped privs to tcpdump
tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:21:25.979644 IP6 (flowlabel 0xfe95b, hlim 64, next-header UDP (17) payload length: 121) 2001:xxxx:xxxx:xxxx::18.59747 > 2001:xxxx:xxxx:xxxx::5.53: [udp sum ok] 37003+ [1au] PTR? 5.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa. (113)
22:21:25.979926 IP6 (flowlabel 0x6585d, hlim 64, next-header UDP (17) payload length: 137) 2001:xxxx:xxxx:xxxx::5.53 > 2001:xxxx:xxxx:xxxx::18.59747: [bad udp cksum 0xab2b -> 0x2345!] 37003 Refused- 0/0/1 (129)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DNS Policy Issue with ipv6 Reverse DNS

Post by TrevorH » 2022/05/19 11:44:28

That looks like your nameserver doesn't allow queries on ipv6 port 53. Did you allow the port through your firewall on the nameserver? Try adding -4 to your dig command to force the lookup to go over ipv4 (yes, you can query ipv6 things over ipv4).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

itsmike-4itsinc
Posts: 2
Joined: 2022/05/19 03:17:31

Re: DNS Policy Issue with ipv6 Reverse DNS

Post by itsmike-4itsinc » 2022/05/21 15:19:46

Thanks Trevor, I truly appreciate your efforts; however, tcpdump and forward queries clearly indicate that the port is open and available for reverse queries. The issue can easily be replicated by changing the allow-query parameter in named.conf. If you limit the access from external systems by using an access control list, you will get a REFUSED response from the DNS server. Changing the allow-query parameter for specific servers or to "any" allows all reverse DNS queries via IPv4. Many bind9 parameters have an IPv6 analog, but I've found nothing like 'allow-ip6-query' that changes the query policies on the server. I assume that there must be one, but I have not been able to find it.

Therefore, this is a server policy issue and should be solvable via a configuration parameter in named.conf. That is the policy parameter I'm looking for given tcpdump is reporting valid access to the server.

Again, thank you for your response.

itsmike
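Added illustration, not taken from the poster's configuration: a named.conf fragment showing the three places where BIND 9 can still return REFUSED to an IPv6 client even though the options-level allow-query is "any". There is no separate allow-ip6-query; the same ACL syntax covers both families, so an ACL that only lists IPv4 prefixes never matches an IPv6 source, a zone-level or view-level allow-query overrides the global one, and listen-on-v6 controls whether named accepts IPv6 traffic at all. All addresses, zone and file names are placeholders.

```conf
// named.conf fragment (added example; all values are placeholders)

// One ACL serves both address families. Without the IPv6 prefix line,
// every IPv6 client falls outside "trusted" and gets REFUSED.
acl "trusted" {
    192.0.2.0/24;          // IPv4 client network (placeholder)
    2001:db8:1::/48;       // IPv6 client network (placeholder)
    localhost;
    localnets;
};

options {
    directory "/var/named";
    listen-on    port 53 { any; };
    listen-on-v6 port 53 { any; };  // must be present for named to serve over IPv6
    allow-query  { any; };          // global default, overridden per view / per zone
    recursion no;                   // authoritative-only server
};

// REFUSED queries are logged in the "security" category as "denied";
// this channel is where to look when a client is unexpectedly refused.
logging {
    channel security_log {
        file "/var/named/data/security.log" versions 3 size 5m;
        print-time yes;
    };
    category security { security_log; };
};

// Forward zone: inherits allow-query { any; } from options.
zone "example.net" {
    type master;
    file "db.example.net";
};

// Reverse zone for 2001:db8::/32. The zone-level allow-query replaces
// the global "any", so any client outside "trusted" receives REFUSED.
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "db.2001-db8";
    allow-query { trusted; };
};
```

`named-checkconf -p` prints the parsed configuration with per-zone and per-view settings expanded, which makes it easy to see which allow-query (or match-clients, when views are in use) actually applies to the ip6.arpa zone.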
