Netgate Discussion Forum

Problems with pfSense IPV6 DNS function (does it exist!?)

Category: CE 2.7.0 Development Snapshots (Retired)
41 Posts 10 Posters 12.0k Views
  • L
    louis2
    last edited by Jan 8, 2023, 4:20 PM

    I did always expect the pfSense DNS server to work for both IPV4 and IPV6 queries.

    However since I did some explicit testing today (I noticed things I could not explain), I have some doubts. Perhaps I am doing something wrong (let's hope so)

    In system general I defined

    73fa36e9-af05-4a53-af2b-21b881fad9db-image.png

    Looking to that picture I already get more doubts, since there is a reference to 127.0.0.1 which is .... IPV4

    I do/did assume that a DNS query towards the pfSense IPV4- or IPV6-gateway addresses are answered.

    Let's do some tests from a windows PC:

    • nslookup google.com (OK)
    • nslookup google.com <local IPV4 GW> (192.168.1.1) => (OK)
    • nslookup google.com 2606:4700:4700::1001 (Cloudflare) => OK
    • nslookup google.com A:B:C:1::1 (local GW) => DNS request timed out.
      timeout was 2 seconds => NOT OK !

    So ....... might it be that pfSense ano 2023 is not ..... providing IPV6 DNS functionality ?

    J G 2 Replies Last reply Jan 8, 2023, 4:58 PM Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator @louis2
      last edited by johnpoz Jan 8, 2023, 6:11 PM Jan 8, 2023, 4:58 PM

      @louis2 so those settings have zero to do with unbound, unless you set unbound to forward? Doing queries to unbound on pfsense from a client would depend on if you set unbound to listen on IPv6 addresses of pfsense.

      Also could depend on your firewall rules, etc.

      Here I just did a dig to pfsense lan IPv6 address, that unbound is set to listen on, and access lists are set to allow

      new.jpg

      also if you had say

      do-ip6: no

      Set in unbound it wouldn't work - I had to comment that in my settings for this test, because I normally don't have unbound doing any ipv6.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      L 1 Reply Last reply Jan 8, 2023, 5:50 PM Reply Quote 0
      • L
        louis2 @johnpoz
        last edited by louis2 Jan 8, 2023, 5:50 PM Jan 8, 2023, 5:50 PM

        @johnpoz

        John ....... of course the forward option is on ...... normal dns behaviour is that if a dns does not know the address, it asks the upper layer (=forward)

        The second thing is something else "depend on if you set unbound to listen on IPv6 addresses of pfSense". However where is that setting !!!???

        For info, I nat all DNS queries to pfSense in order:

        • to log and
        • to filter / send some destinations to "nowhere" and
        • to override the IPV4 of my local servers (since they have another address locally than as seen from the internet)
        J 1 Reply Last reply Jan 8, 2023, 6:19 PM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @louis2
          last edited by Jan 8, 2023, 6:19 PM

          @louis2 said in Problems with pfSense IPV6 DNS function (does it exist!?):

          However where is that setting !!!???

          do you have it set to listen on lan, then if lan has IPv6 it should auto listen..

          listen.jpg

          Do you have any options in the custom options of unbound that would tell it not to do IPv6, the do-ipv6 setting I mentioned.

          What are your rules on the lan - do they allow IPv6 on 53? This would be default, but maybe you adjusted them?

          You should check your ACLs - but that should send back refused vs timeout..


          L 1 Reply Last reply Jan 8, 2023, 7:02 PM Reply Quote 0
          • L
            louis2 @johnpoz
            last edited by Jan 8, 2023, 7:02 PM

            @johnpoz

            At this moment all my vlans have both IPV4 and IPV6 enabled. So that can not be the problem.

            I do not use ACLs on my switches, at least not with any relation to this.

            I checked user settings,
            bf882dda-559b-4591-88bd-aa42a6bd57bf-image.png
            Nothing verdict there

            Normally there are four NAT rules. For this test I did remove the IPV6 port 53 one, to be able to conduct the test

            5d82d0e0-e218-46e1-b4d9-3ee64fa481b9-image.png

            Due to the removal of that nat rule, I had to add a normal pass rule (which I forgot :( ) I corrected that for the moment as follows:

            805f4a15-da5d-4770-8dbf-1d5b59394ce6-image.png

            But that did not solve the problem

            below you see that I ask for the IP address twice

            • starting with explicit use of the GW
            • second using Cloudflare

            688587e2-d5b6-4e02-836c-007d0c68d65b-image.png

            J 1 Reply Last reply Jan 8, 2023, 7:12 PM Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator @louis2
              last edited by johnpoz Jan 8, 2023, 7:17 PM Jan 8, 2023, 7:12 PM

              @louis2 query refused points to no ACL on unbound to allow for your IPv6 source to ask..

              Asking some external dns really has little to do with your problem

              btw a redirect of 853 is pointless - your cert on your unbound for dot sure isn't going to match what the client is looking for.

              I do not use ACL's on my switches.

              Talking about Unbound ACLs

              acls.jpg


              L 1 Reply Last reply Jan 8, 2023, 7:26 PM Reply Quote 0
              • L
                louis2 @johnpoz
                last edited by louis2 Jan 8, 2023, 7:27 PM Jan 8, 2023, 7:26 PM

                @johnpoz

                I agree that it sounds like that .... however

                • I do not have ACLs
                • I am not aware of any rules blocking explicitly the local DNS
                • When doing a query from the same PC via the same vlan using the same gateway

                It works when I specify Cloudflare and it does not work if I specify the local GW .....

                If I do the test again, I see that the pass rule count is +1

                If I activate logging for that rule

                b6a82ae8-405a-4dfc-8d5a-ba86e2b2c985-image.png

                So somewhere is a problem, but where ...

                L 1 Reply Last reply Jan 8, 2023, 7:29 PM Reply Quote 0
                • L
                  louis2 @louis2
                  last edited by Jan 8, 2023, 7:29 PM

                  @louis2

                  105b07ff-df84-413c-a10d-9fce3e98c244-image.png

                  No access lists defined, not for IPV4 and not for IPV6

                  J 1 Reply Last reply Jan 8, 2023, 8:10 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @louis2
                    last edited by Jan 8, 2023, 8:10 PM

                    @louis2 they are auto created then for you - which maybe some issue with the auto created IPv6 rules.

                    acl.jpg

                    I disable auto acls - I like to set my own. But if you're getting refused in your query that points to your source IP not being in the ACL - that is the only reason off the top of my head that would cause unbound to send back refused.. But I am quite a few beers into watching football ;) hehehe


                    L 1 Reply Last reply Jan 9, 2023, 12:18 AM Reply Quote 0
                    • L
                      louis2 @johnpoz
                      last edited by Jan 9, 2023, 12:18 AM

                      @johnpoz

                      I left the related settings default and that works for IPV4. Perhaps not for IPV6 😧

                      From the manual
                      Unbound requires access lists (ACLs) to control which clients are allowed to submit queries. By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. Additional networks must be allowed manually.

                      And that is exactly what I did expect !! And since that is also what I do intend, there was never a reason to touch this!

                      ab309e65-8846-4f15-986e-923a2f0bf3cb-image.png

                      Perhaps I will test what happens when I explicitly enable the test ranges, what is not OK / not the intention of course .....

                      J 1 Reply Last reply Jan 9, 2023, 1:00 AM Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator @louis2
                        last edited by johnpoz Jan 9, 2023, 1:01 AM Jan 9, 2023, 1:00 AM

                        @louis2 possible your IPv6 changed or something... If it works with you creating a specific acl for your IPv6 - then we can dig into why the acl was not created, etc.

                        Did you actually validate its listening on your specific IPv6 address? But refused really points to no acl that allows your query.

                        I have never used the auto acls - I have always had it disabled, because I create my own acls ;)


                        L 2 Replies Last reply Jan 9, 2023, 10:03 AM Reply Quote 0
                        • L
                          louis2 @johnpoz
                          last edited by louis2 Jan 9, 2023, 10:09 AM Jan 9, 2023, 10:03 AM

                          @johnpoz

                          It is clear the DNS ACLs are the problem!

                          Below you see three tests:

                          1. using Cloudflare DNS
                          2. using the pfSense GW without explicit ACL
                          3. using the pfSense GW with an ACL added

                          So its a bug

                          Also I wonder

                          • if these ACLs are implemented via unbound
                          • or that it is in a normal FW-rule ... under the surface ......

                          c865ad07-3dbe-413b-b2d2-0184a623ff48-image.png

                          J 1 Reply Last reply Jan 9, 2023, 1:40 PM Reply Quote 0
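The three tests above, together with johnpoz's earlier remarks about `do-ip6: no` and about refused versus timeout, are easy to reason about once the access-list evaluation is spelled out. The following is an added example (not pfSense or Unbound code, and not the poster's unbound.zip): it models how Unbound picks an `access-control:` entry for a client, shows what the auto ACL is documented to contain when it works (one network per interface, IPv4 and IPv6 alike), and maps the outcome to what `nslookup`/`dig` reports. The networks, client addresses and the custom-options text are constructed sample values.

```python
"""Model of Unbound's access-control decision for a DNS client.

Added example for the thread above, not code from pfSense or Unbound.
All addresses below are constructed (2001:db8::/32 is documentation space).
"""
import ipaddress
import re

# Constructed sample: an auto-generated access list with the IPv6 LAN
# network missing (the symptom in the thread), and the same list with it.
ACL_WITHOUT_V6 = """\
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
"""
ACL_WITH_V6 = ACL_WITHOUT_V6 + "access-control: 2001:db8:1::/64 allow\n"

# Constructed "custom options" block of the kind johnpoz mentions.
CUSTOM_OPTIONS_V6_OFF = "server:\ndo-ip6: no\n"

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$", re.MULTILINE)
DO_IP6_RE = re.compile(r"^\s*do-ip6:\s*(yes|no)\s*$", re.MULTILINE | re.IGNORECASE)


def generate_auto_acl(interface_addresses):
    """Produce the allow lines the manual describes for auto ACLs:
    loopback plus one entry per internal interface network, both families."""
    lines = ["access-control: 127.0.0.0/8 allow", "access-control: ::1 allow"]
    for addr in interface_addresses:
        net = ipaddress.ip_interface(addr).network
        lines.append(f"access-control: {net.with_prefixlen} allow")
    return "\n".join(lines) + "\n"


def parse_acl(text):
    """Return [(network, action)] in file order; hosts without a prefix
    (e.g. '::1') become /32 or /128 networks."""
    return [(ipaddress.ip_network(net, strict=False), action.lower())
            for net, action in ACL_RE.findall(text)]


def ipv6_disabled(custom_options):
    """True when the options contain 'do-ip6: no' (no IPv6 sockets at all)."""
    m = DO_IP6_RE.search(custom_options)
    return bool(m) and m.group(1).lower() == "no"


def query_outcome(acl_text, custom_options, client_ip):
    """What the client observes: 'answer', 'refused' (REFUSED rcode) or
    'timeout' (nothing comes back). The most specific matching entry wins,
    as in Unbound; a client matching no entry is refused (Unbound's default)."""
    client = ipaddress.ip_address(client_ip)
    # Without an IPv6 listener the packet is never received, so it times out.
    if client.version == 6 and ipv6_disabled(custom_options):
        return "timeout"
    best = None
    for net, action in parse_acl(acl_text):
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is None:
        return "refused"
    action = best[1]
    if action.startswith("allow"):
        return "answer"
    if action.startswith("deny"):      # dropped silently: looks like a timeout
        return "timeout"
    return "refused"                   # refuse / refuse_non_local


if __name__ == "__main__":
    v4_client, v6_client = "192.168.1.50", "2001:db8:1::50"
    print("IPv4 client, auto ACL lacking v6 :", query_outcome(ACL_WITHOUT_V6, "", v4_client))
    print("IPv6 client, auto ACL lacking v6 :", query_outcome(ACL_WITHOUT_V6, "", v6_client))
    print("IPv6 client, ACL entry added     :", query_outcome(ACL_WITH_V6, "", v6_client))
    print("IPv6 client, do-ip6: no          :",
          query_outcome(ACL_WITH_V6, CUSTOM_OPTIONS_V6_OFF, v6_client))
    print("Expected auto ACL for LAN with both families:")
    print(generate_auto_acl(["192.168.1.1/24", "2001:db8:1::1/64"]))
```

The distinction the model keeps is the one johnpoz uses for diagnosis: a source address outside every `access-control:` entry gets REFUSED back, whereas a missing IPv6 listener (or an explicit `deny`) produces no reply at all and the client reports a timeout. Comparing the auto-generated list against `generate_auto_acl` for the firewall's interfaces shows immediately whether the IPv6 network was left out.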
                          • L
                            louis2 @johnpoz
                            last edited by Jan 9, 2023, 10:31 AM

                            @johnpoz

                            Hum, I was looking for the config files below the DNS ...

                            Found /etc/resolv.conf
                            nameserver 127.0.0.1
                            nameserver 8.8.8.8
                            nameserver 2001:4860:4860::8844
                            nameserver 1.0.0.1
                            nameserver 2606:4700:4700::1001
                            search lan

                            find / -name unbound.conf
                            /var/unbound/unbound.conf
                            /usr/local/share/strongswan/templates/config/plugins/unbound.conf
                            /usr/local/etc/strongswan.d/charon/unbound.conf
                            /usr/local/etc/unbound/unbound.conf

                            Where /var/unbound/unbound.conf turned out to be the used config ...

                            unbound.zip

                            The content of the /var/unbound/remotecontrol.conf
                            remote-control:
                            control-enable: yes
                            control-interface: 127.0.0.1
                            control-port: 953
                            server-key-file: "/var/unbound/unbound_server.key"
                            server-cert-file: "/var/unbound/unbound_server.pem"
                            control-key-file: "/var/unbound/unbound_control.key"
                            control-cert-file: "/var/unbound/unbound_control.pem"

                            I will create a bug report, referring to this thread

                            1 Reply Last reply Reply Quote 0
                            • J
                              johnpoz LAYER 8 Global Moderator @louis2
                              last edited by Jan 9, 2023, 1:40 PM

                              @louis2 said in Problems with pfSense IPV6 DNS function (does it exist!?):

                              So its a bug

                              Users always jumping on the its a bug wagon..

                              What version of pfsense are you even using? Are you using 2.7 or 23.01 beta? Or stable release?


                              L 1 Reply Last reply Jan 9, 2023, 1:47 PM Reply Quote 0
                              • L
                                louis2 @johnpoz
                                last edited by Jan 9, 2023, 1:47 PM

                                @johnpoz

                                My actual version is 2.7 built on Fri Jan 06 06:05:17 UTC 2023

                                And even if the problem is only related to the 2.7 build, it is still a bug / something to be fixed.

                                J 1 Reply Last reply Jan 9, 2023, 1:53 PM Reply Quote 0
                                • J
                                  johnpoz LAYER 8 Global Moderator @louis2
                                  last edited by johnpoz Jan 9, 2023, 2:02 PM Jan 9, 2023, 1:53 PM

                                  @louis2 said in Problems with pfSense IPV6 DNS function (does it exist!?):

                                  it is still a bug / something to be fixed.

                                  What snap are you on - for all we know it was already taken care of.. Your whole thread should have been in the dev section if you're using a snapshot/beta..

                                  I agree it needs to be corrected if it is an actual problem - but before going taking the time to report a "bug" I would bring up your issue in the dev section for 2.7, what snap are you using, etc.

                                  edit: should prob move this whole thread to here

                                  https://forum.netgate.com/category/88/ce-2-7-0-development-snapshots

                                  And you can add what snapshot you're on, and see if anyone else is seeing the problem - then they can fix it, etc. For all we know it was a temp issue on your specific snap

                                  edit: I moved this thread to 2.7 dev - could you post up your snapshot version you're using, and update to the current snap and validate it is still an issue with auto acls adding IPv6, etc.


                                  L 1 Reply Last reply Jan 9, 2023, 2:02 PM Reply Quote 0
                                  • J johnpoz moved this topic from DHCP and DNS on Jan 9, 2023, 2:01 PM
                                  • L
                                    louis2 @johnpoz
                                    last edited by Jan 9, 2023, 2:02 PM

                                    @johnpoz

                                    I do not know if the problem is only related to the 2.7 release. Perhaps I doubt.

                                    I also did not know if I did something stupid or that it was a bug in first instance.

                                    But if you think it should be in the dev section two things:

                                    • be so kind to test first if it does work on a stable release
                                    • and if so be my guest move this thread to the dev section, that is something I can not do
                                    J C 2 Replies Last reply Jan 9, 2023, 2:04 PM Reply Quote 0
                                    • J
                                      johnpoz LAYER 8 Global Moderator @louis2
                                      last edited by Jan 9, 2023, 2:04 PM

                                      @louis2 I have moved it.. If it was an issue with stable I would think it would have been reported long ago.. But sure I can test it on my 2.6 vm install and my 22.05 main setup.


                                      1 Reply Last reply Reply Quote 0
                                      • G
                                        Gertjan @louis2
                                        last edited by Jan 9, 2023, 2:24 PM

                                        @louis2

                                        Not related .... but :

                                        b9b46713-e1a8-43c9-b9b1-e0c60cb05abe-image.png

                                        These are not comment fields for your own usage.
                                        If you fill them in, use the real host name.
                                        To find out :

                                        [22.05-RELEASE][root@pfSense.wth.net]/root: host 1.0.0.1
                                        1.0.0.1.in-addr.arpa domain name pointer one.one.one.one.
                                        [22.05-RELEASE][root@pfSense.wth.net]/root: host 8.8.8.8
                                        8.8.8.8.in-addr.arpa domain name pointer dns.google.
                                        etc.
                                        

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        L 1 Reply Last reply Jan 9, 2023, 3:15 PM Reply Quote 1
                                        • C
                                          cursixx @louis2
                                          last edited by Jan 9, 2023, 2:53 PM

                                          @louis2 I'm having the same problem with dev plus 23.01 and dev CE 1/06.

                                          When using DNS Resolver (Enable Forwarding Mode on and off) to the LAN ipv6 address I get a query refused. ipv4 LAN address works fine

                                          If I switch to DNS Forwarder both ipv4 and ipv6 return results as expected.

                                          The symptoms I first noticed were, when loading sites in chrome I would get dns_probe_finished_nxdomain for 2-3 secs and then the site would load. iOS and Android devices would have problems too.

                                          My setup is pretty much default.

                                          J 1 Reply Last reply Jan 9, 2023, 2:59 PM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.