Unbound not using IPv6 DNS upstream servers

thebear

Hi

I enabled logging for Unbound and I noticed that Unbound is not using the IPv6 DNS servers. Based on the logs it shows only IPv4 is addressed while there are also 2 IPv6 servers enabled.

When doing a packet capture on the WAN (PPPoE + DHCPv6) it shows up that the Unbound log is correct, none IPv6 dns request is made.

Unbound config:

DNS upstream

It might be relevant that I'm unable to get an WAN IPv6, its only receiving DHCPv6-PD prefixes for the LAN, IPv6 is working fine from the LAN. Could it be related that pfSense itself needs a WAN IPv6 address?

[23.05.1-RELEASE][admin@pfSense]/root: dig google.com @2a02:a47f:e000::53

; <<>> DiG 9.18.13 <<>> google.com @2a02:a47f:e000::53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		62	IN	A	142.251.39.110

;; Query time: 5 msec
;; SERVER: 2a02:a47f:e000::53#53(2a02:a47f:e000::53) (UDP)
;; WHEN: Fri Sep 01 22:10:33 CEST 2023
;; MSG SIZE  rcvd: 55

[23.05.1-RELEASE][admin@pfSense]/root: ping 2a02:a47f:e000::53
PING6(56=40+8+8 bytes) 2a02:a469:<cut>::1 --> 2a02:a47f:e000::53
16 bytes from 2a02:a47f:e000::53, icmp_seq=0 hlim=62 time=3.724 ms
16 bytes from 2a02:a47f:e000::53, icmp_seq=1 hlim=62 time=3.191 ms

Could anyone shine a light on this behaviour?

thebear

Might be more relevant, Unbound is only addressing IPv4 from the running process.

While doing a test from the pfSense GUI it works fine.

Gertjan

@thebear said in Unbound not using IPv6 DNS upstream servers:

PING6(56=40+8+8 bytes) 2a02:a469:dead:beaf::1 --> 2a02:a47f:e000::53

So you have a WAN IPv6 : 2a02:a469:dead:beaf::1 ?

Yo should be able to see it here :

and here :

You have checked the first box here ?

?

You could set the log level of unbound to level 3.
It's on the Services > DNS Resolver > Advanced Settings - at the bottom.
Don't forget to set it back to 1, as unbound will log "a lot", so the log file will become very big.

This :
@thebear said in Unbound not using IPv6 DNS upstream servers:

It might be relevant that I'm unable to get an WAN IPv6,

does not match with :

@thebear said in Unbound not using IPv6 DNS upstream servers:

[23.05.1-RELEASE][admin@pfSense.high.local]/root: dig google.com @2a02:a47f:e000::53

where you ask dig to use 2a02:a47f:e000::53, clearly a IPv6, to resolve "google.com" (for a A == IPv4 record)
You got the answer !
To reach 2a02:a47f:e000::53 you need to have a working IPv6 == a WAN IPv6. so IPv6 can get routed out.

@thebear said in Unbound not using IPv6 DNS upstream servers:

Could it be related that pfSense itself needs a WAN IPv6 address?

You saw my images : there are two types of IPv6 addresses : the one starting with a "2" and the one starting with a "f".
For me, the "f" one is valid locally, between my pfSense WAN and the upstream ISP router.
I've also a "2" (GUA) on my WAN.

[23.05.1-RELEASE][admin@pfSense.bhf.net]/root: dig @2001:4860:4860::8888 google.com AAAA +short
2a00:1450:4007:813::200e
[23.05.1-RELEASE][admin@pfSense.bhf.net]/root: ping 2001:4860:4860::8888
PING6(56=40+8+8 bytes) 2a01:cb19:907:a600:92ec:77ff:fe29:392a --> 2001:4860:4860::8888
16 bytes from 2001:4860:4860::8888, icmp_seq=0 hlim=116 time=18.599 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=1 hlim=116 time=18.644 ms
16 bytes from 2001:4860:4860::8888, icmp_seq=2 hlim=116 time=17.437 ms
^C
--- 2001:4860:4860::8888 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 17.437/18.227/18.644/0.559 ms

Note : 2001:4860:4860::8888 is Google's IPv6 free DNS .
I asked for the AAAA or IPv6 of google.om. The anbswer was : "sure, it's 2a00:1450:4007:813::200e"

So

Unbound not using IPv6 DNS upstream servers

Tell us more, and I'll tell you ^^
pfSense, all processes like unbound etc, out of the box, will prefer IPv6 if it is available.

johnpoz

@thebear said in Unbound not using IPv6 DNS upstream servers:

Could it be related that pfSense itself needs a WAN IPv6

Possible, if all you have on your wan is link-local.. And no GUA, it could be that unbound doesn't think it has a valid IPv6 address to use? That is just an off the cuff theory, I have never looked into it too much, I personally set unbound NOT to use IPv6.. with do-ipv6: no

Other than a curiosity, not sure why it should matter - you can clearly look up AAAA via just IPv4.. So what does it really matter what transport is used to resolve something - as long as it gets resolved.

I would be happy to do some testing of this.. But my HE tunnel gives me a gua address, I not sure I could set it not to and only use link-local?

In your unbound setup, what do you have it set to use for outbound interfaces? The default all?

thebear

@Gertjan thanks well as stated my ISP KPN (I think we live in the same country) does not provide a WAN IPv6 address, only a link-local address in the gateway overview (FE80) and over that link to the POP/Core the DHCPv6-PD prefixes are requested for my LAN interfaces. The 99:1 link is a test link, just to give pfSense a physical static IPv6 address, and it shows up that this test interface is selected for local sourced IPv6 traffic from the pfSense/FreeBSD kernel.

@johnpoz indeed no GUA so I think Unbound doesn't see this link as a valid IPv6 exit point. Which might be causing the behavior we see. I prefer to have IPv6 native, IPv4 is nice to have ;-)

I'll post my gateway screenshot when having access to the box tonight.

johnpoz

@thebear said in Unbound not using IPv6 DNS upstream servers:

I prefer to have IPv6 native

Sure yeah that would be better than HE tunnel sure in the big picture.. I wasn't suggesting you move to tunnel vs native.. But to be honest, other than play I have found zero reason to actually have IPv6.. Yeah its the future and all, and yeah my phone with 8 other billion phones on the planet needs IPv6.

My isp doesn't provide it, I have zero actual need for IPv6.. Can you name even just 1 resource you would not be able to access if you didn't have IPv6? I have been asking for years and years and have yet to have 1 person name even 1 thing that actually required IPv6 to access..

thebear

@johnpoz Indeed no need for IPv6 and thats why there might be more chance a bug is in place, les testers ;-)

The box is able to ping to ipv6.google.com showed from the first post's selecting a random LAN port where DHCPv6-PD has assigned an address too.

Gateway indeed only showing a link-local address. No IPv6 address on the WAN side.

Changed to:

After the change of the outgoing interface to ALL it seems to started working. Thanks @johnpoz appreciated your tip.

Gertjan

@thebear said in Unbound not using IPv6 DNS upstream servers:

ISP KPN (I think we live in the same country)

No KPN where I live.
I moved in the eighties to France.
Its called Orange here.

I've edited my post to put in some beef.