Hand-out of IPv6 DNS server fails and leads to total cut-off from internet

Started by FSeidinger, October 14, 2024, 06:18:33 PM

Dear Forum,

I tried my best to describe my problem and deliver the relevant information to my best knowledge.

The problem

I have a problem concerning the hand-out of an IPv6 DNS server to my network clients. They simply get an invalid IPv6 address from OPNSense and therefore cannot resolve any DNS name, leading to a cut-off from the internet. Although they also get an IPv4 DNS server, they do not fall back to using it.

My environment

1. I'm using the latest OPNSense version 24.7.6 on an ARM-based barebone with a four-core Alder Lake-N 12th Gen N100 and six Ethernet ports.
2. Internet access is via PPPoE using a DrayTek Vigor 165 VDSL modem.
3. Provider gives me one static IP address and a /48 static IPv6 network.
4. Using ISC BIND as DNS server in a split-horizon configuration, serving 4 layer-3 networks (lan, opt1, opt2 and opt3) with configured forward and reverse zones.
5. Each network has a private IPv4 /24 network and an IPv6 /64 network.

Configuration

It's a pretty basic configuration following the official OPNSense documentation regarding IPv6 bind, DHCP and RADV.

The non-standard part is configuring BIND to be the only DNS server on the box by disabling Unbound and setting the BIND listening port to :53. The reason for this decision was that I can delegate the forward zones from Unbound to BIND, but the reverse zones did not work. Also the resolving of the forward zones was buggy, because in about 60% of all queries Unbound did not use the ISC BIND answer but fell back to the provider's DNS servers and thus gave out wrong answers, leading to an unreliable DNS service.

Can you think of the cause of the described problem and help me solve it?

Kind regards
Frank

BIND will refuse recursive queries unless you explicitly create ACLs permitting them. Did you?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 14, 2024, 06:25:58 PM
BIND will refuse recursive queries unless you explicitly create ACLs permitting them. Did you?

No, I didn't. But this is not the problem here. If I configure a client with the fixed IP address of the OPNSense node, either its IPv4 or its IPv6 address, DNS resolving is working as expected.

And maybe my description of the problem was kinda buggy. When I said that the clients got an invalid DNS address, I meant that they configure themselves with the DNS addresses fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1 and fec0:0:0:ffff::3%1. This was in the past a Microsoft infrastructure to fall back to if no DNS was given out by DHCPv6.

The article below describes that this infrastructure is long past, but my Windows clients seem to still use it if they get no valid DNS address by DHCPv6.

Quote: Those are default IPv6 "site local anycast" addresses for DNS that Microsoft configures automatically if no other IPv6 DNS addresses are configured. They are obsolete (site local was deprecated in 2004, see Wikipedia). See also the IETF draft IPv6 Stateless DNS Discovery.

https://superuser.com/questions/638566/strange-value-in-dns-shown-in-ipconfig

So the root cause here is that DHCPv6 does not hand out a DNS server at all and the clients use some obscure fallback, shutting themselves off.

Then did you configure the DNS server(s) in Services > ISC DHCPv6 > LAN (or whatever you named your internal interface)?

I do not run DHCPv6 and rely on SLAAC everywhere, with DNS over IPv4 only. But if you do not specify your DNS server, that would explain what you are experiencing.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on October 14, 2024, 10:42:12 PM
Then did you configure the DNS server(s) in Services > ISC DHCPv6 > LAN (or whatever you named your internal interface)?

Thanks for the advice. That did the trick. I have now configured each interface with the corresponding IPv6 address listed in the overview.
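As an added example (not code from this thread, from Microsoft or from OPNsense), here is a small Python check that pulls the DNS server entries out of Windows `ipconfig /all` output and flags the fec0:0:0:ffff::/64 site-local anycast addresses Frank saw. Seeing only those addresses on a client means no IPv6 DNS server reached it via DHCPv6 or RA, which is the situation fixed above. The `ipconfig` text and the 192.168.1.x / 2001:db8: addresses are constructed sample data.

```python
import ipaddress

# Windows' legacy fallback: site-local anycast DNS resolvers (fec0:0:0:ffff::1-3).
# A client showing only these has received no IPv6 DNS server via DHCPv6 or RA.
SITE_LOCAL_ANYCAST_DNS = ipaddress.ip_network("fec0:0:0:ffff::/64")

# Constructed sample of `ipconfig /all` output, shaped like the case in this thread:
# the DHCPv6 server handed out no name servers, so Windows filled in the fallback,
# and the IPv4 resolver is present but not used for IPv6 lookups.
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan.example
   IPv6 Address. . . . . . . . . . . : 2001:db8:1:1::10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : fe80::1%1
                                       192.168.1.1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def strip_zone(addr: str) -> str:
    """Drop the Windows zone index (the '%1' suffix) so the address parses."""
    return addr.split("%", 1)[0]


def parse_ipconfig_dns(text: str) -> list[str]:
    """Return every value listed under 'DNS Servers', including continuation lines.

    ipconfig separates label and value with ' : '; continuation lines carry only
    a value, so they are attached to the most recent 'DNS Servers' label.
    """
    servers, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            collecting = False
            continue
        if " : " in line or line.endswith(":"):
            label, _, value = line.partition(" : ")
            collecting = label.startswith("DNS Servers")
            if collecting and value:
                servers.append(value.strip())
        elif collecting:
            servers.append(line)
    return servers


def classify_dns_server(addr: str) -> str:
    """'fallback' for the Windows site-local anycast resolvers, 'deprecated-site-local'
    for any other fec0::/10 address, 'configured' for everything else (v4 or v6)."""
    ip = ipaddress.ip_address(strip_zone(addr))
    if ip.version == 6 and ip in SITE_LOCAL_ANYCAST_DNS:
        return "fallback"
    if ip.version == 6 and ip.is_site_local:
        return "deprecated-site-local"
    return "configured"


def dhcpv6_dns_missing(servers: list[str]) -> bool:
    """True when the client has IPv6 DNS entries and all of them are the fallback,
    i.e. neither DHCPv6 (dhcp6.name-servers) nor RA (RDNSS) delivered a resolver."""
    v6 = [s for s in servers if ":" in strip_zone(s)]
    return bool(v6) and all(classify_dns_server(s) == "fallback" for s in v6)


if __name__ == "__main__":
    found = parse_ipconfig_dns(SAMPLE_IPCONFIG)
    for s in found:
        print(f"{s:28} {classify_dns_server(s)}")
    print("IPv6 DNS hand-out missing:", dhcpv6_dns_missing(found))
```

Run it against a real `ipconfig /all` capture from an affected client; once the DHCPv6 DNS option is set on the interface as Patrick suggested, the fallback entries should be replaced by the firewall's IPv6 address and the check should report False.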