DNS delegation from my ISP to me for my IPv6 addresses


  • Galactic Empire

    Has anyone set up IPv6 delegation on pfSense on my router, so the router replies to requests for reverse lookups for my address space?

    Currently watching the Hangout, but that's Local DNS.


  • Rebel Alliance Global Moderator

    So you have a static assignment of IPv6 space from your ISP and they delegated this control to you? If so then sure you could run your own NS to respond to the PTRs for the netblocks you get.

    This is one nice thing with just getting a /48 from HE, they allow you to set your PTRs for anything in this address space.


  • Galactic Empire

    @johnpoz:

    So you have a static assignment of IPv6 space from your ISP and they delegated this control to you? If so then sure you could run your own NS to respond to the PTRs for the netblocks you get.

    This is one nice thing with just getting a /48 from HE, they allow you to set your PTRs for anything in this address space.

    Indeed I do have a /48 from my UK based ISP, they haven't delegated control yet, but they can.

    I sent my ISP an email as I was trying to do the Hurricane Electric IPv6 Certification and for part of the cert you need a FQDN that points to one of your servers.

    I've split my /48 into /64 and have a LAN & DMZ on my router.

    It's just figuring out what to do as I'm a bit new to pfSense and have only used it for a few months, and a lot of the documentation uses the old GUI, but I'm getting 19/20 from http://ipv6-test.com; it's just the reverse lookups that are failing.

    I'm guessing ISPs are reluctant to add reverse entries due to the wide subnet ranges they're handing out.


  • Rebel Alliance Global Moderator

    Well if they give you a /48 then yeah have them delegate that to you and you can then run your NSs wherever you want. Or just have them set the PTR for you..

    As to the HE test you can do everything with just HE, you can set up the PTR, glue etc.. You're going to need to make sure glue is there for the sage level test.

    Sage Test; Score: 1 / 1
    This test validates that you have IPv6 Glue at your registrar

    Trying to get your sage t-shirt huh ;)  Got mine quite some time ago.. One of my fav free things gotten for learning and playing for sure..

    Have fun with your tests.. If you have any questions on it.. Be happy to help.
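    The delegation described above hinges on one detail the thread does not spell out: the zone the ISP has to delegate is the nibble-reversed form of your prefix under ip6.arpa, and every PTR you publish must sit inside that zone. The following is an added example (not from the thread, pfSense or BIND) that derives the reverse zone name for a nibble-aligned prefix, computes the PTR owner name for a host relative to that zone, and renders a BIND-style reverse zone file; it refuses non-nibble-aligned prefixes and addresses outside the delegated block, since records for those would never be reachable through the delegation. The prefix 2001:db8:abcd::/48, the example.net name servers and the host names are constructed documentation values.

```python
"""Reverse (ip6.arpa) zone helper for a delegated IPv6 prefix.

Added example; not code from the thread or from pfSense/BIND. The prefix,
host names and name servers used below are constructed documentation values
(RFC 3849 space), not anyone's real allocation.
"""
import ipaddress
from typing import Dict, List


def reverse_zone(prefix: str) -> str:
    """Name of the ip6.arpa zone the ISP has to delegate for `prefix`.

    Reverse zones are cut on nibble (4-bit) boundaries: a /48 becomes a
    12-label zone, a /64 a 16-label zone. A prefix length that is not a
    multiple of 4 cannot be delegated as a single zone.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: reverse zones must be nibble-aligned (/48, /52, /56, /60, /64 ...)")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    zone_nibbles = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(zone_nibbles)) + ".ip6.arpa."


def ptr_owner(address: str, prefix: str) -> str:
    """Owner name of `address`'s PTR record, relative to reverse_zone(prefix).

    Refuses addresses outside the prefix: a PTR for them would belong in a
    zone that was never delegated to us, so resolvers would never find it.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside delegated prefix {prefix}")
    full = addr.reverse_pointer                # all 32 nibbles reversed + ".ip6.arpa"
    zone = reverse_zone(prefix).rstrip(".")   # the delegated suffix, without trailing dot
    return full[: -(len(zone) + 1)]           # strip ".<zone>" -> host part only


def reverse_zone_file(prefix: str, nameservers: List[str], hostmaster: str,
                      hosts: Dict[str, str], serial: int = 1) -> str:
    """Render a BIND-style zone file for the reverse zone of `prefix`.

    `nameservers` and `hostmaster` are fully qualified (trailing dot);
    `hosts` maps IPv6 address -> FQDN the PTR should point at.
    """
    zone = reverse_zone(prefix)
    lines = [
        f"$ORIGIN {zone}",
        "$TTL 3600",
        f"@ IN SOA {nameservers[0]} {hostmaster} {serial} 3600 1200 604800 3600",
    ]
    lines += [f"@ IN NS {ns}" for ns in nameservers]
    lines += [f"{ptr_owner(addr, prefix)} IN PTR {name}"
              for addr, name in sorted(hosts.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a /48, two name servers and one DNS host in a LAN /64.
    PREFIX = "2001:db8:abcd::/48"
    print(reverse_zone_file(
        PREFIX,
        ["ns1.example.net.", "ns2.example.net."],
        "hostmaster.example.net.",
        {"2001:db8:abcd:1::53": "ns1.example.net."},
    ))
```

    The `$ORIGIN` line in the output is exactly the zone name the ISP has to delegate (an NS record set for it, pointing at your servers) before any of these PTRs become visible to the outside world; the same function also tells you which `/64` sub-zones you could delegate onward to a DMZ host if you ever wanted to.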


  • Galactic Empire

    Did you install bind or use the inbuilt unbound John ?


  • Rebel Alliance Global Moderator

    Oh I used bind, when I got mine unbound was not part of pfsense. Not even sure it was a package at the time? Got my sage quite some time ago.. Just looked in email, was back in Jan 2011 that I got sage ;) Pfsense was version 1.2.3 back then, 2 didn't come out until Sept 2011..

    Unbound is not meant to be an authoritative nameserver, you're really going to want to use bind. You could use the bind package..


  • Galactic Empire

    Ah thanks, I didn't realise that Unbound wasn't authoritative, bind it is then.


  • Rebel Alliance Global Moderator

    https://www.unbound.net/
    Unbound is a validating, recursive, and caching DNS resolver.

    While you can get it to act as authoritative, it's not really the primary design purpose of unbound. Not from anything I have read.. Now I have it set up to return SOA for my local domain, etc.

    
    C:\>dig local.lan SOA
    
    ; <<>> DiG 9.10.4-P1 <<>> local.lan SOA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22076
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;local.lan.                     IN      SOA
    
    ;; ANSWER SECTION:
    local.lan.              10800   IN      SOA     pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800
    
    ;; Query time: 115 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Sep 06 10:26:35 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 87
    
    C:\>dig flssljf.local.lan
    
    ; <<>> DiG 9.10.4-P1 <<>> flssljf.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36032
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;flssljf.local.lan.             IN      A
    
    ;; AUTHORITY SECTION:
    local.lan.              10800   IN      SOA     pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800
    
    ;; Query time: 112 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Sep 06 10:26:44 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 95
    
    

    The integration of the unbound package in pfsense is not really set up to do that, any sort of authoritative info you would like to place would have to be in the custom box on your own.. Not part of the gui, and doesn't handle cnames like an authoritative ns would do..

    If you look at wiki for comparison of different dns software you will see that unbound authoritative is listed as partial
    https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

    While you might be able to do what you need to do to pass the cert IPv6 tests from HE with unbound, Unbound would not be my go-to software for setting up authoritative zones. I do not believe you could do any sort of zone xfer with it, doesn't support slave mode for sure and TSIG is not an option either AFAIK, etc.