unbound question AAAA

Started by TimmiORG, November 13, 2023, 03:32:03 PM

Hi guys,

I'm currently trying to reduce the amount of DNS requests hitting my OPNsense (Unbound).
All my networks are IPv4 based.

The client is caching IPv4 IPs correctly but still requests IPv6 IPs for the host name.
I guess the answer from the OPNsense does not keep him happy, so he is requesting the IPv6 IP again next time.
Means I'm seeing only AAAA requests from that client.

Happy to get your ideas.

Best regards and thank you
Timmi

IPv6 usually has priority over IPv4, so clients will try to reach hosts by IPv6 first, hence the AAAA request.

Hi bimbar,

the client has IPv6 disabled on the nic.
I guess the empty response from the OPNsense is preventing the local DNS cache of the client from not asking again.

You can use BIND with no-aaaa. Other than that, disabling IPv6 is not a solution to anything, it is 2023.

> reduce the amount of DNS requests hitting my OPNsense

Why? What number of clients and what HW are we talking about for this to be a real problem?

Hi,

the client is Rocky Linux 8 based and using systemd-resolved for the DNS cache.
This is not about disabling IPv6 at all.

The system is resolving internal hostnames. IPv4 responses are cached normally.
The client is just sending AAAA requests for the internal hostnames all the time, as I guess I'm missing a config on the OPNsense to make sure that these responses get cached as well.

Hope this explains it better.

The single client is currently performing around 300 DNS lookups (5 min, so 1/sec) for IPv6 (AAAA), whereas the IPv4 (A) requests have been cached.
The systems inside my network register via DHCP their host names (IPv4 only).
Maybe this is also an issue of resolved that it does not cache the response.

Just to make it clear: the single client does not matter much. But it is unnecessary load for nothing and might affect the network and responses for normal DNS requests.

Hi,

just for the record, you don't have any AAAA defined for these lookups, so it's always NXDOMAIN and the SOA TTL for negative answers is sufficiently big? If yes, you might want to check with your Rocky Linux's resolver config.


Yes, there is no AAAA entry defined for this.
I guess the problem is Unbound. Will check with the guys there.
Keep you updated.

Hi all,

I did some more research yesterday.
It looks like the NOERROR response without answer and no SOA won't get cached by resolved.

The typetransparent flag in the unbound configuration solved my issue.

Best regards
Timmi
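The thread's conclusion, that a NOERROR response with an empty answer section and no SOA in the authority section gives a caching stub nothing to cache, follows from the negative-caching rules in RFC 2308: the negative TTL is the smaller of the SOA record's own TTL and its MINIMUM field, and without an SOA there is no TTL at all. The script below is an added example (not part of the thread, nor OPNsense, Unbound or systemd-resolved code) that builds three constructed wire-format responses, parses them and reports whether a stub may cache the negative answer and for how long. Names such as `host1.lan` and the SOA values are made-up sample data.

```python
"""Classify DNS responses by negative-caching behaviour (RFC 2308).

Added example: builds constructed wire-format responses, then checks
whether a caching stub resolver can cache a negative answer. A NODATA
response (NOERROR, empty answer) with no SOA in the authority section
has no negative TTL, so the stub has nothing to cache and asks again.
"""
import struct

QTYPE_AAAA, QTYPE_SOA = 28, 6
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, qtype, rcode, soa=None):
    """Constructed authoritative response (QR=1, AA=1) with one question.

    soa is an optional (ttl, minimum) pair; when given, one SOA RR is
    placed in the authority section, as a negative answer should carry.
    """
    authority, ns_count = b"", 0
    if soa is not None:
        ttl, minimum = soa
        rdata = (encode_name("ns1." + qname) + encode_name("hostmaster." + qname)
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, minimum))
        authority = (encode_name(qname)
                     + struct.pack("!HHIH", QTYPE_SOA, 1, ttl, len(rdata)) + rdata)
        ns_count = 1
    flags = 0x8400 | rcode  # QR=1, AA=1, RCODE in the low four bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, ns_count, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + authority


def skip_name(msg, off):
    """Return the offset just past a name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_rr(msg, off):
    """Parse one resource record; return (type, ttl, rdata, next offset)."""
    off = skip_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return rtype, ttl, msg[off:off + rdlen], off + rdlen


def soa_minimum(rdata):
    """Extract the MINIMUM field from SOA RDATA (after MNAME and RNAME)."""
    off = skip_name(rdata, skip_name(rdata, 0))
    return struct.unpack_from("!IIIII", rdata, off)[4]


def classify(msg):
    """Return (kind, negative_ttl); negative_ttl is None when not cacheable."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _t, _ttl, _rd, off = parse_rr(msg, off)
    soa = None
    for _ in range(ns):
        rtype, ttl, rdata, off = parse_rr(msg, off)
        if rtype == QTYPE_SOA:
            soa = (ttl, soa_minimum(rdata))
    if rcode == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif rcode == RCODE_NOERROR and an == 0:
        kind = "NODATA"
    else:
        return ("POSITIVE" if an else "OTHER"), None
    if soa is None:
        return kind, None  # no SOA: no negative TTL, the stub must re-ask
    return kind, min(soa)  # RFC 2308 s5: min(SOA TTL, SOA MINIMUM)


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "nodata_no_soa": build_response("host1.lan", QTYPE_AAAA, RCODE_NOERROR),
    "nodata_with_soa": build_response("host1.lan", QTYPE_AAAA, RCODE_NOERROR, soa=(3600, 300)),
    "nxdomain_with_soa": build_response("nope.lan", QTYPE_AAAA, RCODE_NXDOMAIN, soa=(60, 600)),
}


def report():
    """Classify every sample; returns {name: (kind, negative_ttl)}."""
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, ttl) in report().items():
        verdict = f"cacheable for {ttl}s" if ttl is not None else "not cacheable, client re-queries"
        print(f"{name:18} {kind:9} {verdict}")
```

Running it shows the first sample, the shape of answer described in the thread, as not cacheable, while the two responses that carry an SOA get a negative TTL of 300 s and 60 s respectively. The same `classify` function can be pointed at a real response captured from the resolver to confirm which of the three shapes a client is actually receiving before changing the Unbound zone type.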