Alias tables don't contain IPv6 addresses anymore
-
Hi guys,
Just discovered recently that when creating a firewall alias with hostnames the table that gets created only contains IPv4 addresses for those hostnames and no IPv6 addresses, even though those hostnames definitely have AAAA records.
I know this used to be the case as I had my firewall rules based on aliases that contained hostnames and both A and AAAA records were shown in the Tables entries.
But now I only see IPv4 addresses. I do want to point out that if the DNS records contain ULA AAAA records those DO get added to the alias table. It's only GUA AAAA that don't show up.
-
@IonutIT Here it still works. So what version are you using, what patch level. Have you not disabled IPv6. -
I'm on 24.11 on a Netgate 6100 with all the patches applied. That being said I don't know if this stopped working after updating from 24.03 and never worked on 24.11 or if it's just a recent thing.
Also want to point out that the GUA AAAA records in the DNS resolver are pushed by the DHCPv6 server, in this case Kea DHCP. And the last time I know this had worked properly I was using ISC.
I don't really know how the DHCP server can impacts this though, as both ISC and Kea seem to properly register leases in the DNS resolver. DNS lookup gives out proper results of both A records and GUA AAAA records.
-
@IonutIT said in Alias tables don't contain IPv6 addresses anymore:
And the last time I know this had worked properly I was using ISC
You are right, this doesn't work anymore for dynamic GUA from DHCPv6. That is sad. I bet it is KEA, we can easily switch and test.
-
Yeah, that seems to be the issue. I just switched back to ISC and tables are now properly populated with both A and AAAA records.
But why? And how? If the DNS record is proper in Unbound, how does the DHCP server impact the alias tables?
-
@IonutIT I switched back and had non of my local aliases working anymore. Nothing helped so I went back and at least for IPv4 it is working again... I don't host anything on IPv6.
-
Make sure after you switch back to ISC to go into DNS Resolver and recheck "Register DHCP leases in the DNS Resolver" and "Register DHCP static mappings in the DNS Resolver" as they were unchecked for some reason after the switch. You should then have correct alias tables.
But then the issue remains? Why does the DHCP daemon impact alias tables as they both seem to properly input their hosts into Unbound?
-
-
@IonutIT said in Alias tables don't contain IPv6 addresses anymore:
Make sure after you switch back to ISC to go into DNS Resolver and recheck "Register DHCP leases in the DNS Resolver" and "Register DHCP static mappings in the DNS Resolver" as they were unchecked for some reason after the switch.
Yeah, didn't do that, so that explains it, that switching back made problems for me.
-
I've created a Alias with a host name (FQDN) :
works for me.
What am I doing wrong ?( I use KEA, pfSense 24.11 )
-
@Gertjan said in Alias tables don't contain IPv6 addresses anymore:
What am I doing wrong ?
You are using a DNS-record which is public available I bet. It probably doesn't get resolved only by DHCP and unbound. If this makes sense.
-
@Gertjan said in Alias tables don't contain IPv6 addresses anymore:
works for me.
Although, it is looking not to be a public record, interesting... What are you doing? It still doesn't work for me. Are you using Track Interface like we do?
-
@Bob-Dig said in Alias tables don't contain IPv6 addresses anymore:
You are using a DNS-record which is public available I bet
No ..... but read on
This info is only available locally, on my pfSense :
and now you know what IPv4 my NAS is using .... can you rach uit ?
Again, it's 192.168.1.33 .....As my ISP gave me some IPv6 prefixes, no need anymore to use RFC1918 (IPv6 style), so yeah, that on, I masked as 2a01:cb19:xxx:a6eb::c2 as this is usable from anywhere on the Internet.
"2a01:cb19:xxx:a6" is the part of IPv6 that my ISP gave me.
"eb" is the prefix.
And I use "::c2" (Static DHCPv6 Lease) for my NAS as I refuse to deal with IP addresses like this :
2a01:cb19:xxx:a6eb:92ec:77ff:fe29:392cBtw : and yes, as I use :
[24.11-RELEASE][root@pfSense.bhf.tld]/root: pgrep -l kea 19370 kea-dhcp-ddns 15979 kea-dhcp4 23186 kea-ctrl-agent 48019 kea-dhcp6=> It's kea-dhcp-ddns that registers DHCPv6 leases also into domain name server (bind) that handles "bhf.tld" for me. It's the good old RFC2136 doing 'dynsnds'.
So, from now on, I can look for "disktation2.bhf.tld" everywhere on the planet and find the IPv6 of my LAN based NAS. Accessing it needs a simple firewall rule - no more NAT.
It's BS to register 'A' zone info like 92.168.1.33 into a public DNS.
But totally valid to register GUA AAAA info like "2a01:cb19:xxx:a6eb::c2"kea-dhcp-ddns ( and kea-ctrl-agent ) exists in pfSense, but isn't avaible yet in the GUI.
@Bob-Dig said in Alias tables don't contain IPv6 addresses anymore:
You are using a DNS-record which is public available ....
Resolving public avaible host names work fine for me ^^
There are some restrictions of course, but this is a good example :
test :
@Bob-Dig said in Alias tables don't contain IPv6 addresses anymore:
Are you using Track Interface like we do?
Aaaaah : the good question !!
Of course I do use tracking.
I guess there are not many out there that get an IPv4 from their ISP, and a static ( ! ) IPv6 /56.
So, tracking it will be : my LAN settings :and wait .. I had to modify something somewhere. I've also written about it here on the forum. somewhere.
Because : look here :and now look in the config.xml what IPv6 addresses are stored when you create static DHCPv6 leases
My NAS :so "::c2" got entered in my local Resolver DNS ...
and that's a fail. -
@Gertjan said in Alias tables don't contain IPv6 addresses anymore:
so "::c2" got entered in my local Resolver DNS
Yeah, that is the early DNS-Registration which you have to disable. So you are using BIND, we don't. That is probably the reason it is working for you, like it should, and not for us anymore.
-
Just started doing things, throwing stuff at the wall and see what sticks, and surprisingly I've managed to get it working now, with KEA.
After I switched to ISC and confirmed it worked, I've switched back to KEA but I've disabled "Enable early DNS registration" for BOTH IPv6 and IPv4.
Previously I had it disabled for IPv6 because it caused weird DNS records where only the host part of the address was registered, and I would have results like "::10:23:ef32:aa21" as a AAAA record, and not the full address with the prefix delegation from the Track Interface setting. Exactly like you described.
But now I've also disabled it for IPv4 and it seems that alias tables have proper A and AAAA records in them. I'm not 100% sure that this was the case, but I'm not touching anything going forward :) I'll see after a reboot if this stays like this.
-
@IonutIT So I disabled that too for IPv4 and immediately lost connection to my internal mail-server. I think I have to run that for IPv4...
-
@IonutIT said in Alias tables don't contain IPv6 addresses anymore:
But now I've also disabled it for IPv4 and it seems that alias tables have proper A and AAAA records in them
Can confirm that this made it work again. My problematic IPv4 hostname is case-senstive now? I changed it and it is working too.
-
@Bob-Dig said in Alias tables don't contain IPv6 addresses anymore:
@IonutIT So I disabled that too for IPv4 and immediately lost connection to my internal mail-server. I think I have to run that for IPv4...
I think that was just because there was no predefined record pushed and the DHCP server needed to register your server again at a DHCP event. You just had to wait a bit and a record would appear eventually. I had the same but all records eventually showed up after 10-15 minutes.
-
Is your zone transparent ? I had an issue with mine set to (type transparent) and it was causing issues
-
@JonathanLee said in Alias tables don't contain IPv6 addresses anymore:
Is your zone transparent ? I had an issue with mine set to (type transparent) and it was causing issues
Zone type is at default "transparent" not "type transparent".
