I'm using bind9 on Stream 8. Reverse DNS lookups using ipv4 work without issue.
Clearly, there's a policy issue when executing reverse DNS lookups using ipv6.
I've tried changing several policies, but nothing seems to resolve the issue.
Given this is an authoritative server, I know to ignore the dig warning. Using the host
command simply results in the REFUSED result code without any warning.
The following is the query and a tcpdump of the results on the server. Anyone know
which policy in named.conf needs to be set to resolve the access policy issue? allow-query
on the server is set to "any" and v4/v6 forward queries work fine.
Thanks,
itsmike-4isinc
[user@system ~]$ dig -x 2001:xxxx:xxxx:xxxx:xxxx::5
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -x 20011aa9:200::5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37003
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 77da3b904fc956342c78f2da6285b7b5e22388ced256fe4c (good)
;; QUESTION SECTION:
;5.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa. IN PTR
;; Query time: x msec
;; SERVER: 2001:xxxx:xxxx:xxxx::5#53(2001:xxxx:xxxx:xxxx::5)
;; WHEN: Wed May 18 22:21:25 CDT 2x22
;; MSG SIZE rcvd: 129
[root@ns]# tcpdump -nnni enp7s0 -v port 53
dropped privs to tcpdump
tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:21:25.979644 IP6 (flowlabel 0xfe95b, hlim 64, next-header UDP (17) payload length: 121) 2001:xxxx:xxxx:xxxx::18.59747 > 2001:xxxx:xxxx:xxxx::5.53: [udp sum ok] 37003+ [1au] PTR? 5.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa. (113)
22:21:25.979926 IP6 (flowlabel 0x6585d, hlim 64, next-header UDP (17) payload length: 137) 2001:xxxx:xxxx:xxxx::5.53 > 2001:xxxx:xxxx:xxxx::18.59747: [bad udp cksum 0xab2b -> 0x2345!] 37003 Refused- 0/0/1 (129)
DNS Policy Issue with ipv6 Reverse DNS
Re: DNS Policy Issue with ipv6 Reverse DNS
That looks like your nameserver doesn't allow queries on ipv6 port 53. Did you allow the port through your firewall on the nameserver? Try adding -4 to your dig command to force the lookup to go over ipv4 (yes, you can query ipv6 things over ipv4).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: DNS Policy Issue with ipv6 Reverse DNS
Thanks Trevor, I truly appreciate your efforts; however tcpdump and forward queries clearly indicate that the port is open and available for reverse queries. The issue can easily be replicated by changing the allow-query parameter in named.conf. If you limit the access from external systems by using an access control list, you will get a REFUSED response from the dns server. Changing the allow-query parameter for specific servers or to "any" allows all reverse dns queries via ipv4. Many bind9 parameters have an ipv6 analog, but I've found nothing like 'allow-ip6-query' that changes the query policies on the server. I assume that there must be one, but I have not been able to find it.
Therefore, this is a server policy issue and should be solvable via a configuration parameter in named.conf. That is the policy parameter I'm looking for given tcpdump is reporting valid access to the server.
Again, thank you for your response.
itsmike
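The post above describes the allow-query behaviour: an ACL-restricted allow-query returns REFUSED, while "any" lets the reverse queries through over IPv4. The fragment below is an added example of an authoritative named.conf, not configuration from this thread or from the poster's server; every prefix, zone name and file path in it is a placeholder (the IPv6 documentation prefix 2001:db8::/32 stands in for the redacted 2001:xxxx:... prefix). It shows one ACL that lists both address families, since BIND has no separate allow-ip6-query option; the same allow-query ACL is matched against the source address of every query, whichever family it arrives over.

```conf
// Added example, not the configuration from this thread.
// All prefixes, interface lists and file names are placeholders.

acl "query-clients" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // placeholder IPv4 client range (documentation prefix)
    2001:db8::/32;       // placeholder IPv6 client range (documentation prefix)
};

options {
    directory "/var/named";
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };       // stock RHEL-family named.conf limits this to ::1
    recursion no;                        // authoritative only; dig's recursion warning is expected
    allow-query { query-clients; };      // matched against the query's source address, v4 or v6
    allow-transfer { none; };
};

// Reverse zone for the placeholder 2001:db8::/32 prefix.
// Nibbles of 2001:0db8 written in reverse: 8.b.d.0.1.0.0.2
zone "8.b.d.0.1.0.0.2.ip6.arpa" IN {
    type master;
    file "db.2001-db8.rev";              // placeholder zone file with the PTR records
    allow-query { any; };                // per-zone allow-query overrides the global ACL for this zone
};
```

A query that arrives over IPv6 is accepted only if the client's IPv6 source address matches an entry in the ACL (or the ACL is "any"); an ACL that holds only IPv4 prefixes refuses it, which is also why forcing dig to IPv4 with -4, as suggested earlier in the thread, can change the result. After editing, run named-checkconf to validate the syntax and rndc reload to apply it, then repeat the dig -x from an IPv6 client address that is inside the ACL.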