NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Unbound is not redirecting IPV6 address #392

Closed Nottt closed 2 years ago

Nottt commented 3 years ago

I use unbound to redirect domains to an IPv4/IPv6 address.

I can query the correct AAAA record with dig, but when I use the dns server in my devices, they won't work.

I tested using dnschef, to see which records are being queried by the device, and it looks up A and AAAA records. When I use dnschef to change the response to my ipv4/ipv6 address, the device works just fine as expected. With unbound it doesn't.

So I can rule out issues with my ipv6 configuration in the server. Also the ipv6 address works fine in chrome, as expected.

My configuration is:

    remote-control:
        control-enable: yes

    server:
        # Listen in all interfaces for ipv4 and ipv6
        interface: 0.0.0.0
        interface: ::0
        access-control: 0.0.0.0/0 allow
        access-control: ::/0 allow
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes

        # Optimizations (for 4 CPU server)
        num-threads: 4
        qname-minimisation: yes
        msg-cache-slabs: 4
        rrset-cache-slabs: 4
        infra-cache-slabs: 4
        key-cache-slabs: 4
        rrset-cache-size: 256m
        msg-cache-size: 128m
        so-rcvbuf: 4m
        so-sndbuf: 4m
        cache-min-ttl: 600
        cache-max-ttl: 600
        cache-max-negative-ttl: 600
        prefetch: yes
        prefetch-key: yes
        # aggressive-nsec: yes

        # Security
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-referral-path: yes
        harden-large-queries: yes
        harden-short-bufsize: yes
        use-caps-for-id: yes
        hide-identity: yes
        hide-version: yes
        unwanted-reply-threshold: 10000000
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: 127.0.0.0/8
        root-hints: "/var/lib/unbound/root.hints"
        auto-trust-anchor-file: "/var/lib/unbound/root.key"

        # Redirects
        local-zone: "test.domain" redirect
        local-data: "test.domain. 2562000 IN A IPV4"
        local-data: "test.domain. 2562000 IN AAAA IPV6"

My IPs are publicly reachable on the internet, and are not local. Version: 1.6.7-1ubuntu2.3.

For now I have to use dnschef instead of unbound, because the devices work fine with it but with unbound it gets bad IPV6 data somehow :(

gthess commented 3 years ago

Hi, I don't see what the issue is. It seems that unbound works for the both of us; asking unbound for the domain that needs to be redirected results in the configured IPv6. Tested on both the 1.6.7 and latest version here.

Maybe the issue lies with the configuration of your devices. I would be happy to help if you find what the issue is in your case. Maybe a pcap would help to see all the network traffic between your devices and unbound.
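Following the pcap suggestion above, here is an added example (not part of the original thread and not Unbound project code) that decodes a raw DNS response so the answers a device receives from two resolvers can be compared field by field: header flags, TTL and address. It assumes the UDP DNS payload has already been extracted from the capture; the names `read_name`, `summarize` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```python
import ipaddress
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next offset)."""
    labels, after, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 32:                         # refuse pointer loops
                raise ValueError("compression pointer loop")
            if after is None:
                after = off + 2                   # parsing resumes after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                              # root label ends the name
            return ".".join(labels) + ".", after if after is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def summarize(msg):
    """Return the header flags and answer records worth diffing."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype in (1, 28):                      # A / AAAA rdata is a packed address
            rdata = str(ipaddress.ip_address(rdata))
        answers.append((name, {1: "A", 28: "AAAA"}.get(rtype, rtype), ttl, rdata))
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "answers": answers}

# Constructed sample: AAAA response for test.domain. using the TTL from the
# config above and a documentation address (2001:db8::1) as a placeholder.
QNAME = b"\x04test\x06domain\x00"
SAMPLE = (struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0)
          + QNAME + struct.pack("!HH", 28, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 2562000, 16)
          + ipaddress.ip_address("2001:db8::1").packed)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running `summarize` on the same query's response from each resolver and comparing the two dictionaries shows any difference in flags, TTL or returned address.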

gthess commented 2 years ago

Closing this as no-issue and inactivity now; you can ping me here if you want.