DNS - query refused on IPv6
-
Windows 11, dual stack. I came across the "Query Refused" error with IPv6 when using nslookup against the IPv6 address of the pfSense box. Also tried on my Pi:
root@raspberrypi:/home/pcm-admin# dig @xxxx:yyyy:zzzz:fe10::254 google.com
; <<>> DiG 9.16.37-Raspbian <<>> @xxxx:yyyy:zzzz:fe10::254 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39033
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 0 msec
;; SERVER:xxxx:yyyy:zzzz:fe10::254#53(xxxx:yyyy:zzzz:fe10::254)
;; WHEN: Tue Mar 28 15:38:24 BST 2023
;; MSG SIZE rcvd: 12
Seen threads on old instances of the same bug, but am on 23.01. DNS is bound to all interfaces - and works fine on IPv4.
Not noticed in general as I guess dual stack means it tries "both" DNS servers (IPv4 and IPv6) and always gets an answer over IPv4, even for IPv6 addresses - IPv6 all working (test-ipv6 sites all happy).
Any thoughts?
Paul
-
@thondwe See https://redmine.pfsense.org/issues/13851, there's a patch in the System Patches package to correct ACLs for IPv6.
-
@steveits Many Thanks - Patch applied and working now! Will remember to trawl the patches in future as part of debugging odd behaviour!!
-
I'm also on 23.01 and am experiencing the same, however I don't see any available patches to apply.
Was the patch pulled, or do I need to manually acquire it from another location?
-
@j-bentley-tx If you don't see it check for an update to your System Patches package. Changes to the patch list are made through package updates. Technically it can be done manually from the ID in the commit.
-
@j-bentley-tx Assuming you’ve installed the “patches” package and you’re looking at the list from the new patches item on the System menu, then you need to find this one…
https://redmine.pfsense.org/issues/13851
-
Yes, I have the patches package installed, but it lists no patches.
However, I was able to manually add the patch with the URL. The produced entry didn't look quite right so I deleted it again and re-added it, but this time I referenced the commit ID "46b159032fef8c78783aa1a749d2238cfed7ac0d" from Georgiy's post under https://redmine.pfsense.org/issues/13851.
All works a treat now! After I applied the patch and cycled the DNS Resolver service, all of my local clients with IPv6 are able to get DNS resolution replies once again.
Thank you everyone for the incredible work with this platform!
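
Added example, not part of any post in this thread: the first post notes that dual-stack clients hide the problem because IPv4 still answers, so a check has to query the resolver on each address explicitly and compare the status fields. The function names and the NOERROR sample are constructed for illustration, and the addresses in the usage comment are documentation placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): compare dig results per address family.

# Print the status field from the ";; ->>HEADER<<-" line of dig output on stdin.
dig_status() {
    awk '/->>HEADER<<-/ {
        for (i = 1; i < NF; i++)
            if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s); print s; exit }
    }'
}

# classify V4_OUTPUT V6_OUTPUT: name the case where only one family is refused.
classify() {
    s4=$(printf '%s\n' "$1" | dig_status)
    s6=$(printf '%s\n' "$2" | dig_status)
    case "${s4:-NONE}/${s6:-NONE}" in
        NOERROR/NOERROR) echo "ok" ;;
        NOERROR/REFUSED) echo "ipv6-refused" ;;   # symptom from the first post
        REFUSED/NOERROR) echo "ipv4-refused" ;;
        *) echo "other:${s4:-NONE}/${s6:-NONE}" ;;  # timeout, SERVFAIL, etc.
    esac
}

# Live use (hypothetical helper; addresses are placeholders):
#   check_resolver example.com 192.0.2.1 2001:db8::1
check_resolver() {
    classify "$(dig +time=2 +tries=1 "@$2" "$1" A)" \
             "$(dig +time=2 +tries=1 "@$3" "$1" A)"
}

# Constructed sample: header of a healthy answer over IPv4.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Header lines as posted in the thread for the IPv6 query.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39033
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available'

classify "$SAMPLE_OK" "$SAMPLE_REFUSED"
```

Running the same check again after applying the patch and restarting the DNS Resolver service confirms that the IPv6 address answers as well.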