DNS Unbound errors - No route to host --IPv6

SuudoXR

Hello!

First time user of the forum and the product. :)

After getting everything up and running I was familiarising myself with the logs and saw the below in the DNS Resolver logs:

Mar 7 15:28:51 unbound 53313 [53313:0] error: udp connect failed: No route to host for 2620:13e:100d:c::35 port 53

This is repeated several times for a range of IPv6 addresses:
There was lots more but this is a snippet

I am not using IPv6 on the WAN side but do have it set to tracking on LAN.

I'm not seeing a reason why these would be failing the rules on the WAN/LAN are the "out of the box" ones with no addition pass/blocks added myself.

Does this indicate an issue my side?

Many thanks for any assistance given!

P.S apologies if there is some crucial info I have not included!

fireodo

@suudoxr

Hi you can add to DNS Resolver under Custom Options this:

do-ip6:no

save and those errors should dissapear.

Kind Regards,
fireodo

SuudoXR

@fireodo Thank you for the quick reply! much appreciated :)

viktor_g

@suudoxr unable to reproduce your issue
Could you provide more info about your Interfaces and DNS Resolver configuration?

SuudoXR

@viktor_g
Apologies if there is a better method than screenshot frenzy but here is my interfaces and DNS resolver config. I don't believe anything in the advanced DNS resolver tab has been altered:

I do have a couple of VLAN interfaces but they are not enabled (I can confirm they errors still persist with them turned off so not related).

Thanks for your time :)

Gertjan

Why tracking on the LAN the WAN for IPv6 ?

If the WAN has no IPv6 , why doing 'IPv6' on LAN ?

SuudoXR

@gertjan Hello thanks for replying!

Just so I can learn and understand are you suggesting that this would explain the unbound errors because my ISP does not offer Ipv6? Or is this just an observation and a separate misconfiguration that could be improved?

As for why its on it was default option when I setup the interface so just haven't disabled it, happy to switch of if unnecessary.

Thanks!

Gertjan

@suudoxr

No IPv6 on WAN, so this option can't be used :

See https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv6.html

fireodo

@suudoxr said in DNS Unbound errors - No route to host --IPv6:

I do have a couple of VLAN interfaces but they are not enabled (I can confirm they errors still persist with them turned off so not related).

Have you tried to add to DNS Resolver under Custom Options this:

"do-ip6:no" ?

and restart the resolver?

Regards,
fireodo

SuudoXR

@gertjan Ok thanks I have set that to none now, will see what changes.

@fireodo I did set that and whilst they did go to aid @viktor_g I have removed it for now to allow him to see if he can re-create. Although I do wonder why it was still failing and just telling it not to do ipv6 is a solution im still curious as to the reason :)

fireodo

@suudoxr said in DNS Unbound errors - No route to host --IPv6:

@fireodo I did set that and whilst they did go to aid @viktor_g I have removed it for now to allow him to see if he can re-create. Although I do wonder why it was still failing and just telling it not to do ipv6 is a solution im still curious as to the reason :)

No IPv6 on WAN -> no IPv6 resolution from Resolver

SuudoXR

@fireodo right ok, so do I need to be looking at why something on my LAN is trying to go out to IPv6? Now that I have turned off Ipv6 tracking on LAN will that prevent that?

Thanks very much to all for the assistance so far, learning as we go :D

fireodo

@suudoxr said in DNS Unbound errors - No route to host --IPv6:

@fireodo do I need to be looking at why something on my LAN is trying to go out to IPv6? Now that I have turned off Ipv6 tracking on LAN will that prevent that?

No, there is nothing from your LAN that want to go out to IPv6 but the resolver (unbound) try to resolve IPv4 AND IPv6.

Thanks very much to all for the assistance so far, learning as we go :D

You're welcome!

Gertjan

@suudoxr said in DNS Unbound errors - No route to host --IPv6:

do I need to be looking at why something on my LAN is trying to go out to IPv6?

Something on your LAN - a device that is IPv6 capable - would try to use pfSense if pfSense would announce on your LAN that it is a IPv6 gateway.

Which isn't the case, because you do not have a IPv6 connection to the net.

This doesn't mean that many devices on your LAN use IPv6 among themselves, as any modern OS prefers IPv6 over IPv4.