Netgate Discussion Forum

    Can't resolve IPv6-only name server

      ams2990

      My ISP (Verizon Fios) just recently started providing IPv6 addresses, so I've been reconfiguring my router to allow v6 everywhere. One thing I can't make work is DNS queries over IPv6. I can request A and AAAA records from a name server addressable over IPv4, but if the name server only has an IPv6 address, I can't get unbound to resolve the address.

      # unbound can't resolve the address
      [2.5.2-RELEASE][root@pfSense]/root: nslookup ds.v6ns.vm3.test-ipv6.com
      Server:         127.0.0.1
      Address:        127.0.0.1#53
      
      ** server can't find ds.v6ns.vm3.test-ipv6.com: SERVFAIL
      
      # going straight to the authoritative name server works fine
      [2.5.2-RELEASE][root@pfSense]/root: nslookup ds.v6ns.vm3.test-ipv6.com v6ns1.vm3.test-ipv6.com
      Server:         v6ns1.vm3.test-ipv6.com
      Address:        2001:470:1:18::3:53#53
      
      Name:   ds.v6ns.vm3.test-ipv6.com
      Address: 216.218.228.115
      Name:   ds.v6ns.vm3.test-ipv6.com
      Address: 2001:470:1:18::115
      

      Here are the maximum-verbosity unbound logs for the query: pastebin.com/Qe6a0nC2
      I think the most relevant part is

      Nov 23 00:57:32 	unbound 	74103 	[74103:0] error: can't bind socket: Can't assign requested address for fe80::ae1f:6bff:fecf:e51e port 34222 (len 28)
      Nov 23 00:57:32 	unbound 	74103 	[74103:0] info: error sending query to auth server ip6 2001:470:1:18::3:53 port 53 (len 28)
      

      I recognize that IP address as v6ns1.vm3.test-ipv6.com. I'm not sure if the "can't bind socket" is the smoking gun, but I'm wondering if it has anything to do with the fact that Fios requires the "Only request an IPv6 prefix, do not request an IPv6 address" setting (they use RFC 6603, pfSense feature request); maybe unbound can't make outbound IPv6 connections? I don't know how nslookup was able to do it, if so. Similarly, ping6 google.com works fine.

      I don't know how to debug this any further -- help would be greatly appreciated!

        ams2990 @ams2990

        I've determined pfSense does have its own IPv6 address -- it's sending outbound traffic from the "LAN" adapter's address (in quotes because it's just VLAN 10 on igb1, nothing special about it). So much for that theory, not that it really made any sense.

          ams2990

          Got it! I had to add "LAN" to the list of authorized outbound network interfaces for unbound. Without that, it wasn't able to send traffic from an IPv6-enabled interface (since my WAN interface has no IPv6 address).

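A check for the condition the thread ends on, as an added example that is not part of the original posts or pfSense's own code: it reads the `outgoing-interface:` lines of an unbound configuration and reports whether any of them gives unbound a routable IPv6 source address. It assumes pfSense renders the selected outgoing interfaces as `outgoing-interface:` lines; the sample configs are constructed, and `192.0.2.10` and `2001:db8:10::1` are documentation addresses standing in for the real WAN and LAN addresses.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique-local, not internet-routable

# Constructed samples: BEFORE offers only the WAN link-local address seen in
# the log as an IPv6 source; AFTER adds a hypothetical LAN global address.
BEFORE = """
server:
    outgoing-interface: 192.0.2.10
    outgoing-interface: fe80::ae1f:6bff:fecf:e51e
"""
AFTER = BEFORE + "    outgoing-interface: 2001:db8:10::1\n"

def outgoing_sources(conf_text):
    """Return the addresses named on outgoing-interface: lines."""
    sources = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        key, _, value = line.partition(":")
        if key.strip() == "outgoing-interface" and value.strip():
            # The value may be an address or an IPv6 netblock (addr/prefix).
            sources.append(ipaddress.ip_interface(value.strip()).ip)
    return sources

def classify(addr):
    """Label a source address by whether it can reach a global IPv6 server."""
    if addr.version == 4:
        return "ipv4"
    if addr.is_link_local:
        return "ipv6-link-local"
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return "ipv6-unusable"
    if addr in ULA:
        return "ipv6-unique-local"
    return "ipv6-routable"

def can_reach_v6_only_ns(conf_text):
    """Return (ok, [(address, kind), ...]) for the configured sources."""
    sources = outgoing_sources(conf_text)
    if not sources:
        return True, []   # no restriction: the OS picks the source address
    kinds = [(str(a), classify(a)) for a in sources]
    return any(kind == "ipv6-routable" for _, kind in kinds), kinds

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, can_reach_v6_only_ns(conf))
```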
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.