Can't resolve IPv6-only name server
-
My ISP (Verizon Fios) just recently started providing IPv6 addresses, so I've been reconfiguring my router to allow v6 everywhere. One thing I can't make work is DNS queries over IPv6. I can request A and AAAA records from a name server addressable over IPv4, but if the name server only has an IPv6 address, I can't get unbound to resolve the address.
```
# unbound can't resolve the address
[2.5.2-RELEASE][root@pfSense]/root: nslookup ds.v6ns.vm3.test-ipv6.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find ds.v6ns.vm3.test-ipv6.com: SERVFAIL

# going straight to the authoritative name server works fine
[2.5.2-RELEASE][root@pfSense]/root: nslookup ds.v6ns.vm3.test-ipv6.com v6ns1.vm3.test-ipv6.com
Server: v6ns1.vm3.test-ipv6.com
Address: 2001:470:1:18::3:53#53

Name: ds.v6ns.vm3.test-ipv6.com
Address: 216.218.228.115
Name: ds.v6ns.vm3.test-ipv6.com
Address: 2001:470:1:18::115
```
Here are the maximum-verbosity unbound logs for the query: pastebin.com/Qe6a0nC2
I think the most relevant part is:

```
Nov 23 00:57:32 unbound 74103 [74103:0] error: can't bind socket: Can't assign requested address for fe80::ae1f:6bff:fecf:e51e port 34222 (len 28)
Nov 23 00:57:32 unbound 74103 [74103:0] info: error sending query to auth server ip6 2001:470:1:18::3:53 port 53 (len 28)
```
I recognize that IP address as `v6ns1.vm3.test-ipv6.com`. I'm not sure if the `can't bind socket` is the smoking gun, but I'm wondering if it has anything to do with the fact that Fios requires the `Only request an IPv6 prefix, do not request an IPv6 address` setting (they use RFC 6603, pfSense feature request); maybe unbound can't make outbound IPv6 connections? I don't know how nslookup was able to do it, if so. Similarly, `ping6 google.com` works fine.

I don't know how to debug this any further -- help would be greatly appreciated!
-
I've determined pfSense does have its own IPv6 address -- it's sending outbound traffic from the "LAN" adapter's address (in quotes because it's just VLAN 10 on igb1, nothing special about it). So much for that theory, not that it really made any sense.
-
Got it! I had to add "LAN" to the list of authorized outbound network interfaces for unbound. Without that, it wasn't able to send traffic from an IPv6-enabled interface (since my WAN interface has no IPv6 address).
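
The log pattern from this thread can be checked for mechanically. The following is an added example, not code from the thread or from pfSense/unbound: it pairs each `can't bind socket` error with the `error sending query` line that follows it and flags link-local (fe80::/10) source addresses, which cannot be used to reach a global name server. The function name `triage` is hypothetical, and the third sample line is constructed for contrast.

```python
import ipaddress
import re

# First two lines are the excerpt quoted in the thread; the third is a
# constructed line (documentation prefix 2001:db8::/32) added for contrast.
SAMPLE_LOG = """\
Nov 23 00:57:32 unbound 74103 [74103:0] error: can't bind socket: Can't assign requested address for fe80::ae1f:6bff:fecf:e51e port 34222 (len 28)
Nov 23 00:57:32 unbound 74103 [74103:0] info: error sending query to auth server ip6 2001:470:1:18::3:53 port 53 (len 28)
Nov 23 00:57:33 unbound 74103 [74103:0] error: can't bind socket: Can't assign requested address for 2001:db8::10 port 40112 (len 28)
"""

BIND_RE = re.compile(r"can't bind socket: .* for (\S+) port (\d+)")
SEND_RE = re.compile(r"error sending query to auth server (ip[46]) (\S+) port (\d+)")


def triage(log_text):
    """Return one finding per bind failure, with the query target it blocked."""
    findings = []
    pending = None  # most recent bind failure still waiting for its send error
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            # Drop any %scope suffix before parsing the address.
            src = ipaddress.ip_address(m.group(1).split("%")[0])
            pending = {
                "source": str(src),
                "link_local": src.is_link_local,  # True for fe80::/10
                "target": None,
            }
            findings.append(pending)
            continue
        m = SEND_RE.search(line)
        if m and pending is not None:
            pending["target"] = m.group(2)
            pending = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        hint = ("link-local source: check unbound's outgoing interfaces"
                if f["link_local"] else "not link-local: look elsewhere")
        print(f"{f['source']} -> {f['target']}: {hint}")
```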