DNS Policy Issue with ipv6 Reverse DNS
Posted: 2022/05/19 03:37:51
I'm using bind9 on Stream 8. Reverse DNS lookups using ipv4 work without issue.
Clearly, there's a policy issue when executing reverse DNS lookups using ipv6.
I've tried changing several policies, but nothing seems to resolve the issue.
Given this is an authoritative server, I know to ignore the dig warning. Using the host
command simply results in the REFUSED result code without any warning.
The following is the query and a tcpdump of the results on the server. Anyone know
which policy in named.conf needs to be set to resolve the access policy issue? allow-query
on the server is set to "any" and v4/v6 forward queries work fine.
Thanks,
itsmike-4isinc
[user@system ~]$ dig -x 2001:xxxx:xxxx:xxxx:xxxx::5
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -x 20011aa9:200::5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37003
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 77da3b904fc956342c78f2da6285b7b5e22388ced256fe4c (good)
;; QUESTION SECTION:
;5.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa. IN PTR
;; Query time: x msec
;; SERVER: 2001:xxxx:xxxx:xxxx::5#53(2001:xxxx:xxxx:xxxx::5)
;; WHEN: Wed May 18 22:21:25 CDT 2x22
;; MSG SIZE rcvd: 129
[root@ns]# tcpdump -nnni enp7s0 -v port 53
dropped privs to tcpdump
tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:21:25.979644 IP6 (flowlabel 0xfe95b, hlim 64, next-header UDP (17) payload length: 121) 2001:xxxx:xxxx:xxxx::18.59747 > 2001:xxxx:xxxx:xxxx::5.53: [udp sum ok] 37003+ [1au] PTR? 5.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa. (113)
22:21:25.979926 IP6 (flowlabel 0x6585d, hlim 64, next-header UDP (17) payload length: 137) 2001:xxxx:xxxx:xxxx::5.53 > 2001:xxxx:xxxx:xxxx::18.59747: [bad udp cksum 0xab2b -> 0x2345!] 37003 Refused- 0/0/1 (129)
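Added example, not part of the original post: an authoritative-only BIND (recursion unavailable, as the dig warning shows) answers REFUSED for any name that falls outside every zone it is configured to serve, so the first thing to verify is that the ip6.arpa zone name in named.conf is exactly the nibble-reversed prefix that the PTR query name ends with. The helper below derives the PTR name and the expected zone name and checks which configured zone, if any, would serve the query; the addresses and zone names are constructed documentation-prefix values, not the poster's.

```python
"""Check whether an IPv6 PTR query falls inside a configured ip6.arpa zone."""
import ipaddress
from typing import List, Optional


def ptr_name(addr: str) -> str:
    """Nibble-reversed owner name that `dig -x` puts in the QUESTION section."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def reverse_zone(prefix: str) -> str:
    """Zone name that a named.conf `zone` statement must use for this prefix.

    ip6.arpa delegation works on nibble boundaries, so the prefix length must
    be a multiple of 4. Host bits in the prefix are masked off (strict=False).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_serving(qname: str, zones: List[str]) -> Optional[str]:
    """Most specific configured zone containing qname, or None.

    None means an authoritative-only server has nothing to answer from and
    will return REFUSED regardless of allow-query, which is the symptom in
    the post.
    """
    q = qname.lower().rstrip(".").split(".")
    best: Optional[List[str]] = None
    for zone in zones:
        labels = zone.lower().rstrip(".").split(".")
        if len(labels) <= len(q) and q[-len(labels):] == labels:
            if best is None or len(labels) > len(best):
                best = labels
    return ".".join(best) + "." if best else None


if __name__ == "__main__":
    # Constructed example: a /32 and a more specific /64 reverse zone.
    zones = [reverse_zone("2001:db8::/32"), reverse_zone("2001:db8:1:2::/64")]
    for addr in ("2001:db8:1:2::5", "2001:db9::1"):
        q = ptr_name(addr)
        print(q, "->", zone_serving(q, zones) or "no zone: expect REFUSED")
```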