NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License
3.13k stars 359 forks source link

unbound returns SERVFAIL on IPv6 only host #809

Open minfrin opened 1 year ago

minfrin commented 1 year ago

Describe the bug

Resolving names on an IPv6-only host returns SERVFAIL as follows.

[root@arnie ~]# dig AAAA mirrors.rockylinux.org @::1

; <<>> DiG 9.16.23-RH <<>> AAAA mirrors.rockylinux.org @::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20128
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mirrors.rockylinux.org.        IN  AAAA

;; Query time: 731 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Dec 17 13:00:48 CET 2022
;; MSG SIZE  rcvd: 51

To reproduce Steps to reproduce the behavior:

  1. Deploy unbound to an IPv6 only host

Expected behavior

A query for mirrors.rockylinux.org succeeds.

System:

[root@arnie ~]# unbound -V Version 1.16.2

Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2 --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range --disable-sha1 Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021 Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Additional information

Logs show that unbound is attempting to make A requests to resolve upstream DNS, which on an IPv6 only host will fail by definition.

Dec 17 13:00:48 arnie unbound[4027]: [4027:1] info: resolving ns2.fastly.net. A IN
Dec 17 13:00:48 arnie unbound[4027]: [4027:1] info: resolving ns3.fastly.net. A IN
Dec 17 13:00:48 arnie unbound[4027]: [4027:1] info: resolving ns4.fastly.net. A IN
Dec 17 13:00:48 arnie unbound[4027]: [4027:1] info: resolving ns1.fastly.net. A IN
Dec 17 13:00:48 arnie unbound[4027]: [4027:1] info: response for ns4.fastly.net. AAAA IN

Is this a missing setting somewhere, or does unbound not support IPv6 only hosts?

istenrot commented 1 year ago

Let's verify Unbound IPv6 is enabled. Plese run this command and make sure it returns "yes": unbound-checkconf -o do-ip6

You may also want to set prefer-ip6 to yes in unbound.conf

minfrin commented 1 year ago

The problem here isn't that do-ip6 is returning yes, the problem is that do-ip4 is returning yes:

[root@seawitch ~]# unbound-checkconf -o do-ip6
yes
[root@seawitch ~]# unbound-checkconf -o do-ip4
yes

Is there a way to disable ipv4 completely?

chantra commented 1 year ago
mirrors.rockylinux.org. 300 IN  CNAME   dualstack.dl.map.rockylinux.org.
dualstack.dl.map.rockylinux.org. 300 IN CNAME   rockylinux.map.fastly.net.

You have a v6-only host which tries to resolve a name which is served by a v4-only DNS server (ns{1,2,3,4}.fastly.net). Does your v6-only host have v4 connectivity through NAT64? If not, it won't be able to reach any servers responsible for rockylinux.map.fastly.net and will hence return SERVFAIL.

If your network has NAT64, you can probably work around that using DNS64: https://nlnetlabs.nl/documentation/unbound/unbound.conf/#dns64-prefix

agowa commented 1 year ago

I ran into this error too. I've DNS64 enabled, and the host is ipv6-only. It appears that the DNS64 module generates its own lookups but doesn't convert the IPv4 address of sticky records into the NAT64 address properly.

Steps to reproduce:

Not working:

agowa commented 1 year ago

Relates to #721 and #722