Local (loopback) IPv6 DNS timeouts / no response (24.03)
-
@Gertjan But if you have do-ipv6: set to no ?
-
@conover said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
It makes no difference for me whether it is set to "yes" or "no"
well you got something else going on then as well - because if I remove my do-ipv6: no then I don't see the problem.
But I don't want unbound using ipv6 at all ;) So then yeah I get this
-
@johnpoz said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
@conover said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
It makes no difference for me whether it is set to "yes" or "no"
well you got something else going on then as well - because if I remove my do-ipv6: no then I don't see the problem.
Yes, I have the same suspicion, but don't know where to start. Went straight through the revisions (standard install at the beginning) and did not mess with IPv6 or DNS configs (I guess :-) )
-
@conover well first step is to actually validate unbound is listening on ::1 and could also look in your unbound conf does it list in your ::1 interface?
So for example - first is when my do-ipv6 no set, 2nd one is once I remove it.. maybe your change in ipv6 no is not taking, maybe unbound is not restarting?
For me first step in troubleshooting if I can not talk to specific IP and port, be it remote or local would be to validate what I am trying to talk to is actually listening on that IP and port, etc.
But to be honest if you're not an ipv6 user anyway - why not just the simple work around I posted by setting 127.0.0.1 and changing it to use remote only - which isn't the case since your listed dns is local, ie loopback.. But that will stop it from even trying to query ::1
That is my current setting now - I personally don't use the diag dns web gui all that much since I just do a dig or whatever I need via cli.. But I do use it now and then when helping someone in a thread and a screenshot makes sense and they're not really a cli user.
-
Just copied my post from another topic :)
I have disabled all IPv6 on my system, and also added
Have been running like this for a long time. Until I notice when I do a "DNS Lookup"
It takes almost 20 seconds until you get any answer?
As you can see the Name server that does not respond is ::1 (IPv6 localhost)
So when I change this to YES.
And do another DNS Lookup it answers right away.
And now ::1 responds also
I don't know if this is a bug or not. But it is quite annoying when you have to wait almost 20 seconds for every DNS lookup. :)
-
@johnpoz said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
That is my current setting now - I personally don't use the diag dns web gui all that much since I just do a dig or whatever I need via cli.. But I do use it now and then when helping someone in a thread and a screenshot makes sense and they're not really a cli user.
hehe, I am a GUI user, one of many :D The reason why I was complaining about DNS Lookup via GUI was because it took almost 20 seconds before you got any answer :)
-
@MoonKnight said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
It takes almost 20 seconds until you get any answer?
it only takes 20 seconds to get an answer because ::1 isn't responding - no client will ever ask that IP address, the only thing that is an issue is the web gui... Is pfsense when it does its own lookups even asking that IP? I doubt it.. But you could for sure enable logging in unbound to see, if unbound is actually listening on ::1 But if you have ipv6 disabled and the gui tries to talk to ::1 yeah it's going to time out..
If unbound is not listening on ::1 then yeah it's always going to time out
If you don't like the delay in the gui, either let it do IPv6 or do the simple work around I posted where you just put in an entry for loopback 127.0.0.1 and tell pfsense to only use remote.. Which is anything you have listed in the dns servers boxes in general. Which in this case is just the loopback.. No more timeout to ::1
if you're having issues with actual client delays in queries - it sure isn't related to this.. ::1 is the ipv6 version of 127.0.0.1 - clients out on your network asking unbound for dns are sure not going to be able to query that address.
Be it the gui or pfsense actually looking for something itself, my setting will remove that issue because pfsense will never ask ::1 for sure.
-
You are right. But in this case I have disabled all IPv6 in pfSense, and I don't understand why pfSense still uses ::1 when you are doing a DNS Lookup?
I believe this must be a bug. I fixed this issue by changing do-ip6: no to do-ip6: yes in the unbound. But still, ::1 shouldn't be active when all IPv6 is disabled :)
-
@MoonKnight said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
still use ::1 when you are doing a DNS Lookup?
Here is the thing, even if you disable IPv6 - the interface still has a link local address.. So sure it could still talk to ::1 from its link local - it doesn't need a gua etc..
-
@MoonKnight said in Local (loopback) IPv6 DNS timeouts / no response (24.03):
So when I change this to YES.
Interesting, works also for me. Didn't try that since the doc says "yes" is the default....
-
@conover yes is the default, you can see it in the conf
if you look in the conf right at the top
    [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: cat unbound.conf
    ##########################
    # Unbound Configuration
    ##########################

    ##
    # Server configuration
    ##

    server:
    local-zone: "0.168.192.in-addr.arpa" typetransparent
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 2
    hide-identity: no
    hide-version: no
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
If you set no in the options box it will be lower in the conf
    # Unbound custom options
    server:
    do-ip6: no
    ede: yes
-
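Added example, not part of any post in this thread: a Python sketch of the two checks discussed above, namely which `do-ip6` value ends up in effect when the custom options block sits lower in the conf, and whether anything answers DNS on `127.0.0.1` and `::1`. The sample conf is constructed, the function names are hypothetical, and it assumes (as the posts imply) that a later `do-ip6:` line overrides the earlier one.

```python
import re
import socket
import struct

# Constructed sample: generated defaults first, custom options block lower down.
SAMPLE_CONF = """\
server:
port: 53
do-ip4: yes
do-ip6: yes
# Unbound custom options
server:
do-ip6: no
"""

def effective_option(conf_text, name, default=None):
    """Value left in effect, assuming the last assignment in the file wins."""
    value = default
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9-]+):\s*(\S.*)?$", line)
        if m and m.group(1) == name and m.group(2):
            value = m.group(2).strip().strip('"')
    return value

def build_query(qname="localhost", qtype=1, txid=0x1234):
    """Minimal DNS query packet (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def resolver_answers(addr, port=53, timeout=2.0):
    """True if something at addr:port returns a DNS reply with a matching id."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    query = build_query()
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            s.send(query)
            reply = s.recv(512)
    except OSError:  # timeout, refused, or address family unavailable
        return False
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

if __name__ == "__main__":
    print("effective do-ip6:", effective_option(SAMPLE_CONF, "do-ip6"))
    for addr in ("127.0.0.1", "::1"):
        print(addr, "answers" if resolver_answers(addr) else "no response")
```

On a real system, pass the contents of `/var/unbound/unbound.conf` to `effective_option` instead of the sample; a `::1` probe that returns `False` within the timeout corresponds to the non-responding name server described in the thread.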