MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License

Cannot resolve DNS query using IPv6 address for unbound server? (IPv4 address works fine) #13

Closed johntdavis84 closed 2 years ago

johntdavis84 commented 3 years ago

Hello!

So this is kind of strange. I've got an unbound instance running inside a docker container, and I've set it up to enable and prefer IPv6. I've verified the container has IPv6 addresses and is pingable.

Testing using dig is showing that the IPv4 address works fine, but the IPv6 address throws a WARNING: recursion requested but not available message and fails.

I have a vague, googled-for-five-minutes understanding that using recursion with IPv6 addresses needs more levels of recursion, but I'm not really sure what that means or how to fix it in unbound.conf.

Any ideas?

Some logs:

❯ dig google.com @127.0.0.1 -p 5053

; <<>> DiG 9.16.12 <<>> google.com @127.0.0.1 -p 5053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39332
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 142.250.114.138
google.com. 300 IN A 142.250.114.101
google.com. 300 IN A 142.250.114.100
google.com. 300 IN A 142.250.114.102
google.com. 300 IN A 142.250.114.139
google.com. 300 IN A 142.250.114.113

;; Query time: 71 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Mar 18 14:06:02 CDT 2021
;; MSG SIZE rcvd: 135

❯ dig google.com @$HOST_IPV6_ADDR -p 5053

; <<>> DiG 9.16.12 <<>> google.com @$HOST_IPV6_ADDR -p 5053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57211
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: $HOST_IPV6_ADDR#5053($HOST_IPV6_ADDR)
;; WHEN: Thu Mar 18 14:04:32 CDT 2021
;; MSG SIZE rcvd: 12

MatthewVance commented 3 years ago

IPv6 with Docker is not something I've spent much time with. Most of my use with Unbound is with a containerized version. It's my long way of saying I don't know and won't be of much help with this one.

If your config is based off of the default one provided with this image, be sure to check the security setting section. Specifically, make sure the access-control and private-address settings are configured to allow IPv6.

The above would be in addition to making sure the interface setting and any other Unbound config settings (e.g., do-ip6) that could impact IPv6 are also set correctly.
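The checklist above as a small shell lint; this is an added example and not code from the unbound-docker-rpi image. It takes the text of an unbound.conf and reports the items that would leave IPv6 clients unanswered; the two sample configs inside it are constructed, and the fd12:3456:789a::/48 prefix is a placeholder for the Docker IPv6 network.

```shell
#!/bin/sh
# Added example (not part of the unbound-docker-rpi image): lint the IPv6 items from
# the checklist above. $1 is the unbound.conf text; one finding per line is printed,
# nothing when all checks pass, and the return status is 1 when anything was found.
lint_ipv6_conf() {
  conf=$1
  rc=0
  # Drop comments, leading and trailing whitespace, and blank lines, so that a
  # commented-out "# do-ip6: yes" does not count as set.
  clean=$(printf '%s\n' "$conf" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d')
  # IPv6 netblocks and addresses contain a colon; IPv4 ones never do.
  printf '%s\n' "$clean" | grep -Eq '^interface:[[:space:]]*[^[:space:]]*:[^[:space:]]*$' \
    || { echo "no interface: line with an IPv6 address (e.g. interface: ::0@53)"; rc=1; }
  printf '%s\n' "$clean" | grep -Eq '^do-ip6:[[:space:]]*yes$' \
    || { echo "do-ip6 is not set to yes"; rc=1; }
  printf '%s\n' "$clean" | grep -Eq '^access-control:[[:space:]]*[^[:space:]]*:[^[:space:]]*[[:space:]]+allow' \
    || { echo "no access-control line that allows an IPv6 netblock: IPv6 clients get REFUSED"; rc=1; }
  # private-address takes a netblock only; a trailing "allow" is a config syntax error.
  printf '%s\n' "$clean" | grep -Eq '^private-address:[[:space:]]*[^[:space:]]+[[:space:]]+[^[:space:]]+' \
    && { echo "private-address line carries a trailing token; it takes only a netblock"; rc=1; }
  return $rc
}

# Constructed samples for a quick self-check (not the config posted in this thread).
# fd12:3456:789a::/48 stands in for the Docker IPv6 network; it is a placeholder.
SAMPLE_BAD=$(cat <<'EOF'
interface: 0.0.0.0@53
interface: ::0@53
# do-ip6: yes                    # commented out, so it is not set
access-control: 127.0.0.1/32 allow
access-control: 10.0.0.0/8 allow
private-address: fd00::/8 allow
EOF
)
SAMPLE_GOOD=$(cat <<'EOF'
interface: 0.0.0.0@53
interface: ::0@53
do-ip6: yes
access-control: ::1/128 allow
access-control: fd12:3456:789a::/48 allow
private-address: fd00::/8
EOF
)

# Usage: sh lint_ipv6.sh /etc/unbound/unbound.conf   (exit status 1 when findings are printed)
if [ -n "${1-}" ]; then
  lint_ipv6_conf "$(cat "$1")"
fi
```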

johntdavis84 commented 3 years ago

> IPv6 with Docker is not something I've spent much time with. Most of my use with Unbound is with a containerized version. It's my long way of saying I don't know and won't be of much help with this one.
>
> If your config is based off of the default one provided with this image, be sure to check the security setting section. Specifically, make sure the access-control and private-address settings are configured to allow IPv6.
>
> The above would be in addition to making sure the interface setting and any other Unbound config settings (e.g., do-ip6) that could impact IPv6 are also set correctly.

Thanks for your reply. :)

Here are the relevant parts of my config:

# Listen to for queries from clients and answer from this network interface
# and port.
interface: 0.0.0.0@53
interface: ::0@53
do-ip4: yes
do-udp: yes
do-tcp: yes                    # Added @ 2021 03 18: pull if not working
do-ip6: yes                    # Added @ 2021 03 18: pull if not working
# prefer-ip6: yes                 # Added @ 2021 03 18: pull if not working

access-control: 127.0.0.1/32 allow
# access-control: 192.168.0.0/16 allow
access-control: 172.18.0.0/16 allow
access-control: 10.0.0.0/8 allow
access-control: fc00::/7 allow
access-control: ::1/128 allow
access-control: $DOCKER_IPv6_UNBOUND_NETWORK allow

# This protects against DNS Rebinding
private-address: 10.0.0.0/8
private-address: 172.18.0.0/16
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
private-address: $DOCKER_IPv6_UNBOUND_NETWORK    # takes a netblock only; no "allow" action on this line

Honestly, I'm not even sure I need IPv6. The IPv4 port is working fine, and can resolve AAAA records on request (see below). I convinced myself I needed to be able to connect directly to the IPv6 address of the unbound DNS server with Pi-Hole in order for Pi-Hole to correctly block ads using domains that resolve to IPv6 addresses, but that might not be the case?

I'm going to leave it set up this way and see how the ad blocker performs. I'll admit I'd very much like to know why I'm getting a recursion error when I dig the unbound server's IPv6 address, but assuming I don't need to connect to that address for Pi-Hole to work correctly, that's just me not liking errors I can't trace.

❯ dig -p 5053 @10.0.4.130 google.com AAAA

; <<>> DiG 9.16.12 <<>> -p 5053 @10.0.4.130 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22184
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN AAAA

;; ANSWER SECTION:
google.com. 300 IN AAAA 2607:f8b0:4023:1002::8b
google.com. 300 IN AAAA 2607:f8b0:4023:1002::71
google.com. 300 IN AAAA 2607:f8b0:4023:1002::64
google.com. 300 IN AAAA 2607:f8b0:4023:1002::66

;; Query time: 39 msec
;; SERVER: 10.0.4.130#5053(10.0.4.130)
;; WHEN: Fri Mar 19 11:01:50 CDT 2021
;; MSG SIZE rcvd: 151

johntdavis84 commented 2 years ago

Hello, again!

I think the problem here was me not understanding DNS or DIG completely.

See: https://linuxaria.com/article/how-to-query-a-dns-server-from-linux-with-dig-by-examples

It is possible to force a query over IPv6 transport. XXX.XXX.XXX.XXX is the IPv4 address of my unbound DNS server. The -6 flag forces IPv6 transport, and it just ... tacks some nonce bits onto the IPv4 address and treats it like an IPv6 address? That part confuses me. Entirely.

I'm still not sure how to get it to talk directly to the DNS server at its IPv6 address. Not that that's necessary, in the end, but at this point I'm just curious how to do it/if it can be done. I'm not entirely sure dig understands what to do if given an IPv6 server address as an argument.

❯ dig -6 -p 5053 @XXX.XXX.XXX.XXX google.com AAAA

; <<>> DiG 9.16.18 <<>> -6 -p 5053 @XXX.XXX.XXX.XXX google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29078
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN AAAA

;; ANSWER SECTION:
google.com. 30 IN AAAA 2607:f8b0:4000:80a::200e

;; Query time: 0 msec
;; SERVER: ::ffff:XXX.XXX.XXX.XXX#5053(::ffff:XXX.XXX.XXX.XXX)
;; WHEN: Wed Jul 28 19:49:34 CDT 2021
;; MSG SIZE rcvd: 67

This is the first time I've poked at this since March, and it's not really a problem, so I'm happy with marking this as closed. At this point it's more a curiosity than a problem. ;)

MatthewVance commented 2 years ago

Please go ahead and close this issue. This is not an issue with this Docker image's functionality.

You should also use dig with a public IPv6 website (ipv6.google.com) and IPv6 DNS server (2606:4700:4700::1111) to rule out local issues. Don't forget to tell Dig to return AAAA. For instance you should be running something like dig AAAA -6 @2606:4700:4700::1111 ipv6.google.com.

If it is a local issue, I recommend re-checking that you've properly enabled and configured IPv6 in the Docker daemon, the Docker container, and also the unbound.conf.

MatthewVance commented 2 years ago

Re-reading your issue, you're most of the way there. You ran dig -6 -p 5053 @XXX.XXX.XXX.XXX google.com AAAA. To get dig to talk directly to the DNS server at its IPv6 address, you should only need to provide the IPv6 address after the @.
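The two dig tests suggested above (a public IPv6 resolver first to rule out local trouble, then the local server with its IPv6 address after the @), together with a classifier for the REFUSED answer quoted earlier in the thread, as an added example that is not code from the project. A REFUSED answer with no ra flag and an empty question section (the 12-byte reply above) is what Unbound returns when access-control does not allow the client's source address; the query name and the server addresses on the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not part of the unbound-docker-rpi image): classify a dig answer and probe
# resolvers in the order suggested above. QNAME and the server addresses are assumptions.
QNAME=${QNAME:-ipv6.google.com}

# classify_dig: dig output on stdin -> one word. An Unbound access-control refusal is
# status REFUSED with no "ra" flag and no question section (a bare 12-byte header),
# which dig reports as "WARNING: recursion requested but not available".
classify_dig() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/.*;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  case "$status" in
    "")       echo "no-answer" ;;    # timeout: nothing listening on that address/port
    NOERROR)  echo "ok" ;;
    SERVFAIL) echo "servfail" ;;     # query accepted, but resolution failed
    REFUSED)  case " $flags " in
                *" ra "*) echo "refused" ;;
                *)        echo "refused-no-recursion" ;;   # client not allowed by access-control
              esac ;;
    *)        echo "other:$status" ;;
  esac
}

# probe_resolvers PORT SERVER...: prints "<server> <verdict>" per server. An IPv6 literal goes
# after @ without brackets; a SERVER line of the form ::ffff:a.b.c.d (dig -6 with an IPv4
# address) is an IPv4-mapped IPv6 address, i.e. the IPv4 listener, not a separate IPv6 one.
probe_resolvers() {
  port=$1; shift
  for srv in "$@"; do
    verdict=$(dig +time=2 +tries=1 -p "$port" "@$srv" "$QNAME" AAAA 2>/dev/null | classify_dig)
    printf '%s %s\n' "$srv" "$verdict"
  done
}

# Constructed sample answers shaped like the ones quoted in this thread.
SAMPLE_REFUSED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57211
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
)
SAMPLE_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22184
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Usage: sh probe.sh 53 2606:4700:4700::1111   then   sh probe.sh 5053 127.0.0.1 fd12:3456:789a::2 (placeholder local IPv6)
if [ "$#" -gt 1 ]; then probe_resolvers "$@"; fi
```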

MatthewVance commented 2 years ago

If anything further is needed to help answer the questions, let me know. Thanks!

churchofnoise commented 1 year ago

@johntdavis84 did you ever get this sorted? Running into a similar situation on my end, and having looked into loads of possible fixes, nothing has worked. It seems to be rooted in Unbound refusing DNS queries on its IPv6 address.

I'm running a Docker container with Pi-Hole and Unbound, and Pi-Hole does accept DNS queries on its IPv6 address. Pointing Pi-Hole's DNS server to Unbound's IPv6 address stops resolution working, so I am quite certain the issue lies with Unbound accepting the DNS queries on its IPv6 address in Docker (for reference: I used to run Pi-Hole and Unbound bare metal on RPI devices and there, the issue never arose, so it should be some config that needs finetuning imho).