Can anybody verify that dnsmasq responds to IPv6 only clients

Started by IsaacFL, September 04, 2025, 05:48:44 AM

I keep trying out dnsmasq with little success. I have a real domain, not .internal, and decided to try out dnsmasq in front of unbound.

Per https://docs.opnsense.org/manual/dnsmasq.html#dnsmasq-as-primary-dns-resolver

Seemed to be working, but I am mostly an IPv6 network and noticed my Ubuntu 24.04 LTS servers were having DNS issues. Couldn't resolve the packages etc. These are IPv6 only, no IPv4. It is almost like dnsmasq does not respond on IPv6 only. The dual stack clients were ok.

Try with "dig" using the IPv6 address you imagine dnsmasq to listen on and verify if the Opnsense firewall blocks something.

Use "sockstat -l" on Opnsense to verify if it listens on ipv4 and ipv6 port 53.
Hardware:
DEC740

On the OPNsense itself I get for sockstat -l:

unbound  unbound    99237 5   udp6   *:53                  *:*
unbound  unbound    99237 6   tcp6   *:53                  *:*
unbound  unbound    99237 7   udp4   *:53                  *:*
unbound  unbound    99237 8   tcp4   *:53                  *:*
unbound  unbound    99237 9   udp6   *:53                  *:*
unbound  unbound    99237 10  tcp6   *:53                  *:*
unbound  unbound    99237 11  udp4   *:53                  *:*
unbound  unbound    99237 12  tcp4   *:53                  *:*
unbound  unbound    99237 13  udp6   *:53                  *:*
unbound  unbound    99237 14  tcp6   *:53                  *:*
unbound  unbound    99237 15  udp4   *:53                  *:*
unbound  unbound    99237 16  tcp4   *:53                  *:*
unbound  unbound    99237 17  udp6   *:53                  *:*
unbound  unbound    99237 18  tcp6   *:53                  *:*
unbound  unbound    99237 19  udp4   *:53                  *:*
unbound  unbound    99237 20  tcp4   *:53                  *:*
unbound  unbound    99237 21  tcp4   127.0.0.1:953         *:*
nobody   dnsmasq    47107 4   udp4   *:67                  *:*
nobody   dnsmasq    47107 8   udp6   *:547                 *:*
nobody   dnsmasq    47107 10  udp4   *:53053               *:*
nobody   dnsmasq    47107 11  tcp4   *:53053               *:*
nobody   dnsmasq    47107 12  udp6   *:53053               *:*
nobody   dnsmasq    47107 13  tcp6   *:53053               *:*
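One way to read a "sockstat -l" listing like the one above mechanically, so the per-family port-53 check Monviech suggests does not depend on eyeballing the columns. This is an added example for the thread, not OPNsense or dnsmasq code; the sample listing is a trimmed copy of the output posted above (same PIDs and ports), and the column regex assumes the FreeBSD sockstat layout shown there.

```python
"""Parse FreeBSD `sockstat -l` output and report, per address family, which
daemon owns the listening sockets on a given port.

Added example for this thread; not OPNsense or dnsmasq code. The sample is a
constructed, trimmed copy of the listing from the post.
"""
import re
from collections import defaultdict

# Constructed sample: trimmed from the `sockstat -l` output in the post.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    99237 5   udp6   *:53                  *:*
unbound  unbound    99237 6   tcp6   *:53                  *:*
unbound  unbound    99237 7   udp4   *:53                  *:*
unbound  unbound    99237 8   tcp4   *:53                  *:*
unbound  unbound    99237 21  tcp4   127.0.0.1:953         *:*
nobody   dnsmasq    47107 4   udp4   *:67                  *:*
nobody   dnsmasq    47107 8   udp6   *:547                 *:*
nobody   dnsmasq    47107 10  udp4   *:53053               *:*
nobody   dnsmasq    47107 11  tcp4   *:53053               *:*
nobody   dnsmasq    47107 12  udp6   *:53053               *:*
nobody   dnsmasq    47107 13  tcp6   *:53053               *:*
"""

# One sockstat row: USER COMMAND PID FD PROTO LOCAL FOREIGN (assumed FreeBSD layout).
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+"
    r"(?P<proto>(?:udp|tcp)[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)


def parse_sockstat(text):
    """Return one dict per listening-socket row; the header and any row that
    does not fit the column layout are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # LOCAL ADDRESS is "addr:port"; IPv6 literals contain ':' themselves,
        # so split on the last colon only.
        addr, _, port = entry["local"].rpartition(":")
        entry["addr"] = addr
        entry["port"] = int(port)
        entry["pid"] = int(entry["pid"])
        sockets.append(entry)
    return sockets


def listeners_on_port(sockets, port):
    """Map each family/transport ('udp4', 'tcp4', 'udp6', 'tcp6') that has a
    listener on `port` to the set of commands owning it."""
    owners = defaultdict(set)
    for s in sockets:
        if s["port"] == port:
            owners[s["proto"]].add(s["command"])
    return dict(owners)


def missing_families(sockets, port, required=("udp4", "tcp4", "udp6", "tcp6")):
    """Families in `required` with no listener at all on `port`. An empty list
    means the port is served over IPv4 and IPv6, UDP and TCP."""
    present = listeners_on_port(sockets, port)
    return [fam for fam in required if fam not in present]


if __name__ == "__main__":
    socks = parse_sockstat(SAMPLE_SOCKSTAT)
    for port in (53, 53053):
        print(port, listeners_on_port(socks, port), "missing:", missing_families(socks, port))
```

Run against the real output ("sockstat -l | python3 this.py" after swapping the sample for sys.stdin) it tells you in one line whether port 53 still belongs to unbound on all four families, which is exactly the situation the listing above shows: dnsmasq is listening on 53053 for both families, so a wildcard v6 listener is not the missing piece.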

Well this means unbound is your primary resolver and it is responsible right now for the ipv6 traffic on port 53.
Hardware:
DEC740

I am hiding actual domain/ipv6 addresses, but this is using my router address on vlan 30:

root@OPNsense:~ # dig @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a

; <<>> DiG 9.20.11 <<>> @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
; bedroom.mydomain.com.           IN      A

;; ANSWER SECTION:
bedroom.mydomain.com.    300     IN      A       10.23.20.102

;; Query time: 0 msec
;; SERVER: 2603:aaaa:bbbb:fb30::cccc#53053(2603:aaaa:bbbb:fb30::cccc) (UDP)
;; WHEN: Thu Sep 04 09:56:31 PDT 2025
;; MSG SIZE  rcvd: 64

I get the same results using any router interface. All is good from the router itself.

Now doing the same thing but from an Ubuntu 24.04 server located on vlan 20, querying the router address also on vlan 20:


root@test2:~# dig @2603:aaaa:bbbb:fb20::cccc -p 53053 bedroom.mydomain.com a

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @2603:aaaa:bbbb:fb20::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31094
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bedroom.mydomain.com.           IN      A

;; ANSWER SECTION:
bedroom.mydomain.com.    300     IN      A       10.23.20.102

;; Query time: 0 msec
;; SERVER: 2603:aaaa:bbbb:fb20::cccc#53053(2603:8001:2a00:fb20::faf3) (UDP)
;; WHEN: Thu Sep 04 10:01:35 PDT 2025
;; MSG SIZE  rcvd: 64

So it is still all good.

However if I change to a different vlan address I get this:

root@test2:~# dig @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; no servers could be reached

My testing shows that basically for any interface it will respond to the router address of that interface, but I get a communications error to any other interface's router address.

I should note I do have fw rule allowing 53053 and logging. I see in logs that the firewall is passing the query.

I also get the same results on a Mac:

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

but it works on the same interface.
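The per-VLAN dig test above, repeated as an added Python probe so every router address can be tried from one client in a single run and the timeouts stand out in a table. This is example code for the thread, not code from OPNsense or dnsmasq. It builds a bare DNS query over UDP (no EDNS, unlike dig) and classifies the outcome the way dig's output does; the SERVERS list reuses the redacted addresses from the post as placeholders and the port is the 53053 dnsmasq was moved to.

```python
"""Probe a resolver on several of its addresses from one client and report
which ones answer.

Added example for this thread; not OPNsense or dnsmasq code. SERVERS holds
placeholder addresses copied from the redacted post; replace with your own.
"""
import random
import socket
import struct

# Placeholders from the post (redacted GUAs), not real resolver addresses.
SERVERS = [
    "2603:aaaa:bbbb:fb20::cccc",  # router address on the client's own VLAN
    "2603:aaaa:bbbb:fb30::cccc",  # router address on a different VLAN
]
PORT = 53053                      # dnsmasq's port while unbound still owns :53
QNAME = "bedroom.mydomain.com"


def build_query(name, qtype=1, qid=None):
    """Return (packet, id): a minimal DNS query, RD set, one question, no EDNS."""
    qid = random.randrange(0, 65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), qid


def parse_response(data, expected_id):
    """Return (rcode, answer_count) from a reply header. Raises ValueError when
    the packet is too short, carries another transaction id, or has QR clear."""
    if len(data) < 12:
        raise ValueError("short packet")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, ancount


def classify(rcode, ancount):
    """Collapse a parsed reply into one word for the results table."""
    if rcode == 0 and ancount > 0:
        return "answered"
    if rcode == 0:
        return "nodata"
    return f"rcode={rcode}"


def probe(server, port, name, timeout=2.0):
    """Send one UDP query to server:port and classify the outcome."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    packet, qid = build_query(name)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, port))
            data, _peer = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"        # dig's "communications error ... timed out"
        except OSError as exc:
            return f"error: {exc.strerror or exc}"
    try:
        return classify(*parse_response(data, qid))
    except ValueError as exc:
        return f"bad reply: {exc}"


def run_matrix(servers, port, name):
    """Probe each server address once; return {address: outcome}."""
    return {server: probe(server, port, name) for server in servers}


if __name__ == "__main__":
    for addr, outcome in run_matrix(SERVERS, PORT, QNAME).items():
        print(f"{addr:<40} {outcome}")
```

Running it from a host on vlan 20 should reproduce the pattern in the post: "answered" for the fb20 address and "timeout" for fb30, while the firewall log still shows the query passed. A "timeout" with a pass entry in the firewall log narrows the problem to the daemon rather than filtering, which is the distinction the thread is trying to make.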


Quote from: Monviech (Cedrik) on September 04, 2025, 06:54:27 PM
Well this means unbound is your primary resolver and it is responsible right now for the ipv6 traffic on port 53.

Yes, right now I had to switch it back to unbound so everything will still work, but I can still dig to the dnsmasq via 53053.

I tried the same series of tests using IPv4 and did not see what I am seeing with IPv6. I could query any of the IPv4 router addresses and get a good response.


I don't understand, isn't it good that it only responds via the GUA of the interface of the VLAN?

If you send a DNS option via RA from dnsmasq it will automatically send the correct GUA to the clients via RDNSS.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements

What's the issue? Is there some kind of use case you have that needs special configuration? Just use the above and it will just work TM.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on September 04, 2025, 07:22:39 PM
I don't understand, isn't it good that it only responds via the GUA of the interface of the VLAN?

If you send a DNS option via RA from dnsmasq it will automatically send the correct GUA to the clients via RDNSS.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements

What's the issue? Is there some kind of use case you have that needs special configuration? Just use the above and it will just work TM.

No, it's not good, because Proxmox overrides the DNS resolver of containers and replaces it with the address that Proxmox knows about, which in my case is on vlan10. So each container ends up using the router address of vlan10 regardless of what DHCP/RA tells it to use.

This was never an issue before, because unbound works no matter which interface I point to, as long as my firewall rules pass DNS to "This Firewall" vs "VLAN30 Address".

Also dnsmasq works as expected for IPv4, and Proxmox does the same in IPv4 too. It's just that dnsmasq as configured acts differently with IPv6.

I don't know about why it acts differently for IPv6, you could search through the dnsmasq mailing list if anybody has the same problem.

You can also look at the dnsmasq man page if there are constraints we did not consider.

Last resort would be checking the source code.

If you find anything out let me know.
Hardware:
DEC740