ISP only hands out IPv4 Issue
-
@RobbieTT
I found this; it is already set: Enable IPv6, "yes" or "no".
# do-ip6: yes
"do-ip6: <yes or no> Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the IPv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it.
prefer-ip4: <yes or no> If enabled, prefer IPv4 transport for sending DNS queries to internet nameservers. Default is no. Useful if the IPv6 netblock the server has, the entire /64 of that is not owned by one operator and the reputation of the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that the upstream servers have.
prefer-ip6: <yes or no> If enabled, prefer IPv6 transport for sending DNS queries to internet nameservers. Default is no."
ref:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
Testing this...
prefer-ip4:yes
prefer-ip6:no
I can't enter it into custom options. I manually added it to /var/unbound/unbound.conf
I wish my ISP had IPv6 ready for me.
If I resave the DNS settings it auto deletes this custom option. I can't add it into the GUI; it says syntax error.
-
-
@JonathanLee did not work :( deleted my config change
-
@RobbieTT said in ISP only hands out IPv4 Issue:
serve A records
If you find anything please let me know
-
I found the custom entry solution: the syntax must include server: first, similar to the logs options.
Ref:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html
For log-queries you have to add server: first; it enables the custom options, it's like a keyword.
After that it holds the settings.
-
@JonathanLee I'd presume that the config file is read at launch and then becomes read-only when running.
-
@RobbieTT I got it. I had to use the custom area; I needed to add server: first to let me add any more lines after. Just like when you enable logging:
server:
log-queries: yes
Same needs server: first
so for me
server:
prefer-ip6: no
prefer-ip4: yes
Ref:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
I have also set dns resolver type to "type transport"
typetransparent If there is a match from local data, the query is answered. If the query is for a different name, or for the same name but for a different type, the query is resolved normally. So, similar to transparent but types that are not listed in local data are resolved normally, so if an A record is in the local data that does not cause a nodata reply for AAAA queries.
Ref:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
Seems to work now!!!!!
" dns64-ignore-aaaa: <domain name>
List domain for which the AAAA records are ignored and the A record is used by DNS64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given."
(researching AAAA block)
ref:
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
-
So far I have found the following to work best on my boxes to remove IPv6 as much as possible resulting in better stability of Unbound no longer crashing or hanging unresponsive at random or when forced performing IPv6 nslookups:
Unbound Custom options to remove all local and external domain AAAA responses in replies given to clients:
server:
do-ip4: yes
do-ip6: no
prefer-ip4: yes
prefer-ip6: no
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: ::ffff:0:0/96
private-address: fd00::/8
private-address: fe80::/10
private-address: ::/0
private-address: ::
local-zone: localhost.home.arpa transparent
local-data: "localhost.home.arpa A 127.0.0.1"
local-zone: localhost transparent
local-data: "localhost A 127.0.0.1"
local-zone: ip6.arpa redirect
local-data: "ip6.arpa A 0.0.0.0"
local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
local-zone: "::/0" static
dns64-ignore-aaaa: *.*
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
Shellcmd's added to Shellcmd package to load at boot to unload any auto created/started inet6 interfaces, add or relabel for any other interface names that show when running command prompt/console command
ifconfig
ifconfig lo0 inet6 ifdisabled
ifconfig igb0 inet6 ifdisabled
ifconfig igb1 inet6 ifdisabled
ifconfig ix0 inet6 ifdisabled
ifconfig lo0 inet6 fe80::1%lo0 delete
ifconfig lo0 inet6 ::1 delete
These last two are system files. These adjustments aren't saved in config.xml files, so until there is a patch or tick box added they would need to be re-applied after each system upgrade, but they do survive general reboots:
edit /etc/inc/system.inc
search for 'localhost' around line 331 and comment out the ::1 IPv6 section of lines with /* at the beginning, a * for each next line and */ at the end:
/*
 * $hosts[] = array(
 * 'ipaddr' => '::1',
 * 'fqdn' => 'localhost.' . $syscfg['domain'],
 * 'name' => 'localhost',
 * 'domain' => $syscfg['domain']
 * );
 */
edit /etc/hosts.allow comment out line adding a #:
#ALL : [::1] : allow
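
A pre-check for text pasted into the resolver's custom options box, added here as an example (not code from the thread, pfSense or Unbound): it flags options placed before a clause header such as `server:`, the problem resolved earlier in the thread, and do-ip/prefer-ip settings that contradict each other. The clause list is a subset of unbound.conf's clauses, and the sample inputs are constructed from the posts above.

```python
import re

# Clause headers from unbound.conf (subset, enough for resolver custom options).
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view", "remote-control"}
LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def lint(text):
    """Return a list of findings for an unbound.conf fragment (empty list = clean)."""
    clause, server_opts, findings = None, {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        # Drop comments and blank lines ('#' inside quoted strings is not handled).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings.append(f"line {no}: not an 'option: value' pair")
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name in CLAUSES and not value:
            clause = name                      # e.g. "server:" opens a clause
        elif clause is None:
            findings.append(f"line {no}: '{name}' appears before any clause "
                            "header such as 'server:'")
        elif clause == "server":
            server_opts[name] = value.lower()  # last occurrence wins
    # Transport sanity checks: preferring a family whose transport is disabled.
    for fam in ("4", "6"):
        if (server_opts.get(f"do-ip{fam}") == "no"
                and server_opts.get(f"prefer-ip{fam}") == "yes"):
            findings.append(f"prefer-ip{fam}: yes contradicts do-ip{fam}: no")
    if server_opts.get("prefer-ip4") == "yes" and server_opts.get("prefer-ip6") == "yes":
        findings.append("prefer-ip4 and prefer-ip6 are both yes")
    return findings

# Constructed from the thread: the first attempt (no clause header) and the later one.
REJECTED = "prefer-ip4:yes\nprefer-ip6:no\n"
ACCEPTED = "server:\nprefer-ip6: no\nprefer-ip4: yes\n"
# Constructed for illustration only, not from the thread.
CONFLICT = "server:\ndo-ip6: no\nprefer-ip6: yes\n"

if __name__ == "__main__":
    for label, text in (("rejected", REJECTED), ("accepted", ACCEPTED),
                        ("conflict", CONFLICT)):
        print(label, lint(text) or "ok")
```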