Unbound and IPv6 on multiple interfaces

[LOTRouter]

I've noticed since upgrading to 23.7.6 that I would randomly lose Internet access.  It could have started earlier, but I've just noticed it in the last week or so.  After a boat load of troubleshooting, I seem to have narrowed it down to Unbound and IPv6 on multiple interfaces not working nicely together.  So, I'm getting IPv6 prefixes delegated to me by my ISP and using track-interface to assign the prefixes to each interface.  If I only assign/track IPv6 to one interface, I see no issues.  As soon as I assign/track IPv6 on additional interfaces then I can no longer do DNS queries to the IPv6 address on each respective subnet on the OPNsense router.  However, DNS queries to the IPv4 address continue to work fine.  For now I've disabled IPv6 on all but my primary LAN interface and it seems to be working,  It seems something was introduced recently in the code that started causing this problem as I haven't changed any configs in some time.

[Monviech (Cedrik)]

I don't know what has changed, but I have a question:

Are you sending queries to the IPv6 Link-Local addresses? Because those won't change and you can send your DNS queries in each subnet to their equivalent link local address of the OPNsense interface in that network. (It's the same address the OPNsense sends as Default Gateway for IPv6)

[LOTRouter]

I'm sending the query to watever is being sent by OPNsense, not sure how my devices get IPv6 DNS servers using SLAAC, but it's not the Link-local IPv6 Address.  In my testing I did try to check the box in the Interface settings:  "Allow manual adjustment of DHCPv6 and Router Advertisements," and enabled DHCPv6 on my LAN interface and it assigned the same IPv6 address for DNS and then Unbound failed to respond over IPv6 on that address even if I only had IPv6 configured on the one interface.

[Monviech (Cedrik)]

Can you try the following:
(Thats what I use and I have track interface over a PPPoE DSL line with IPv6)

- Check "Interfaces: Overview : LAN" and note the "IPv6 link-local" address. It starts with fe80::
- Set the Route Advertisements on LAN to "manual"
- Go to "Services: Router Advertisements: LAN"
- Set "Router Advertisements" to "Stateless"
- Source Address "Automatic"
- Check Advertise Default Gateway
- DNS servers - Put the link local ipv6 address of the LAN interface there.
- In "Firewall: Rules: LAN" you also have to put a Firewall rule that allows DNS (UDP Port 53) to "This Firewall"

Repeat for all additional interfaces that you have (they all need their own link local address because unlike a global unicast address, it's a non routable address.)

With this configuration I have no name resolution problems and I'm also on the latest version.

[LOTRouter]

What plug-in are you using to get SERVICES: ROUTER-ADVERTISEMENTS:?  I don't have that on my router.

[Monviech (Cedrik)]

You get that option as soon as you check "Interfaces: LAN" - "Manual configuration - Allow manual adjustment of DHCPv6 and Router Advertisements" and save.

Its the last option in "Track IPv6 Interface".

[newsense]

Technically you can do a port forwarding on all interfaces in scope for IPv6 and redirect any tcp/udp 53 to Unbound, so even if you set the same IPv6 address for DNS everywhere it won't really matter as it's being intercepted anyway

[Monviech (Cedrik)]

That suggestion is for GUA and ULA, but I recommend using the link local IPv6 address. They only exist in the scope of a link. If a client in a different subnet tries to reach that link local address, the traffic won't even reach the Opnsense. The client would send an NDP Neighbor Solicitation broadcast and nobody would answer.

[LOTRouter]

You get that option as soon as you check "Interfaces: LAN" - "Manual configuration - Allow manual adjustment of DHCPv6 and Router Advertisements" and save.

Its the last option in "Track IPv6 Interface".

Thanks for the clarification.  I've set up all three LAN interfaces with their respective link-local addresses for DNS.  So far it appears to be working.  I'll follow up if I see any issues.

It seems odd that this isn't the default IPv6 DNS server advertised without changing to manual configuration.  It used to work fine with defaults, but hopefully this resolves the issue.

[Maurice]

Did you set the Unbound network interfaces to "All (recommended)"? Binding services to specific interfaces with dynamic addresses is discouraged.

Advertising LAN interface link-local addresses as DNS servers is a viable alternative. But you have to remember to change the RA / DHCPv6 settings when you change the interface assignments or replace a NIC.

My preferred configuration is an additional loopback interface which Unbound binds to. It has a ULA which is advertised as the DNS server address in all LANs.

Cheers
Maurice

[LOTRouter]

Did you set the Unbound network interfaces to "All (recommended)"? Binding services to specific interfaces with dynamic addresses is discouraged.

Advertising LAN interface link-local addresses as DNS servers is a viable alternative. But you have to remember to change the RA / DHCPv6 settings when you change the interface assignments or replace a NIC.

My preferred configuration is an additional loopback interface which Unbound binds to. It has a ULA which is advertised as the DNS server address in all LANs.

Cheers
Maurice

Yes, I left the default at "All (recommended)"

I'm curious about your loopback idea as it seems like a much better solution, what settings did you use for that Interface?

[LOTRouter]

I went ahead and created a loopback for IPv6 DNS and assigned it:

fd00::1

I made sure my firewall rules allow DNS to this interface and then changed all the SERVICES: ROUTER ADVERTISEMENTS: [LAN] DNS entries to use this IP address, and it appears to be working.

Anything you would do differently?

[Maurice]

Yes, I left the default at "All (recommended)"

Then this might be worth looking into. If you can reproduce it, consider opening an issue on GitHub.

I'm curious about your loopback idea as it seems like a much better solution, what settings did you use for that Interface?

Interfaces: Other Types: Loopback, add an interface.
Assign the interface, set it to static IPv6, enter a ULA (/128).

[edit] The only thing I would do differently is using a proper ULA (random 40 bit global ID). [/edit]

[franco]

# configctl unbound check

Output would be good ;)


Cheers,
Franco

[LOTRouter]

I'm more than willing to include any output requested, but I *think* I may have narrowed it down.  I have three "LAN" interfaces, I'll call [HOME], [GUEST], and [IOT].  I've grouped these three interfaces into one group called "LAN" and pretty much all my firewall rules for the three interfaces are managed in that single group, including allowing DNS to "This firewall".

Second, I have NAT snagging all TCP/UDP with destination port 53 being redirected to loopback (127.0.0.1 for IPv4 and ::1 for IPv6 - two different NAT rules).

After adding the internal Loopback interface to the LAN group (and removing all other changes, reverting back to how it was originally borked), things started to work again.

I can only speculate, but maybe the IPv6 NAT makes the request look like it is coming in on the Loopback interface, and that interface needs the allow rule for IPv6 based DNS traffic.  I've not seen this problem before, so it seems a recent change may have caused it, but it appears to be a firewall issue and not an Unbound issue.  Also, without the Loopback being added to the "LAN" group DNS queries to The IPv4 address always work, so it's specific to IPv6.

admin@RedactedOPNsense:~ % configctl unbound check
no errors in /var/unbound/unbound.conf