Netgate Discussion Forum

    ipv6 test AAAA DNS queries not resolving

      chill_out

      Hi,

      Running Unbound recursively, however aaaa.v6ns.test-ipv6.com won't resolve, for example:

      [2.7.2-RELEASE][admin@pfSense.lan]/root: dig -6 aaaa aaaa.v6ns.test-ipv6.com                      
      
      ; <<>> DiG 9.18.19 <<>> -6 aaaa aaaa.v6ns.test-ipv6.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22328
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;aaaa.v6ns.test-ipv6.com.       IN      AAAA
      
      ;; Query time: 0 msec
      ;; SERVER: ::1#53(::1) (UDP)
      ;; WHEN: Mon Dec 25 02:26:42 UTC 2023
      ;; MSG SIZE  rcvd: 52
      

      Yet using Google's DNS it will.

      [2.7.2-RELEASE][admin@pfSense.lan]/root: dig -6 aaaa aaaa.v6ns.test-ipv6.com @2001:4860:4860::8888 
      
      ; <<>> DiG 9.18.19 <<>> -6 aaaa aaaa.v6ns.test-ipv6.com @2001:4860:4860::8888
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 358
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;aaaa.v6ns.test-ipv6.com.       IN      AAAA
      
      ;; ANSWER SECTION:
      aaaa.v6ns.test-ipv6.com. 300    IN      AAAA    2001:470:1:18::115
      
      ;; Query time: 73 msec
      ;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888) (UDP)
      ;; WHEN: Mon Dec 25 02:26:40 UTC 2023
      ;; MSG SIZE  rcvd: 80
      

      Any tips on where to begin chasing this down?

      Oddly the AAAA record is buried in a trace:

      [2.7.2-RELEASE][admin@pfSense.lan]/root: dig -6 aaaa aaaa.v6ns.test-ipv6.com +trace | grep AAAA
      aaaa.v6ns.test-ipv6.com. 300    IN      AAAA    2001:470:1:18::115
      
        johnpoz LAYER 8 Global Moderator @chill_out

        @chill_out said in ipv6 test AAAA DNS queries not resolving:

        aaaa.v6ns.test-ipv6.com

        Did you do a trace.. I show it's now working and sends back SOA...

        aaaa.v6ns.test-ipv6.com. 300    IN      NS      v6ns.test-ipv6.com.
        aaaa.v6ns.test-ipv6.com. 300    IN      NS      v6ns1.test-ipv6.com.
        couldn't get address for 'v6ns.test-ipv6.com': failure
        ;; Received 210 bytes from 2a00:dd80:3c::898#53(ns3.test-ipv6.com) in 103 ms
        
        v6ns.test-ipv6.com.     300     IN      SOA     v6ns1.test-ipv6.com. jfesler\@test-ipv6.com. 20200614 86400 7200 604800 172800
        ;; Received 156 bytes from 2001:470:1:18::3:53#53(v6ns1.test-ipv6.com) in 71 ms
        
        

        Where did you find that FQDN? And is it supposed to only resolve via IPv6?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          chill_out @johnpoz

          @johnpoz yes it's only supposed to resolve if one is using ipv6 (it comes from a test site of the same name).

          So dig can resolve it, but unbound cannot.

            johnpoz LAYER 8 Global Moderator @chill_out

            @chill_out that is odd, since as you see from snip of my trace I was talking to the ns via IPv6..

              chill_out @johnpoz

              @johnpoz interesting, your extract was from the unbound logs?

                johnpoz LAYER 8 Global Moderator @chill_out

                @chill_out that was from a trace with dig..

                So tried it again, and while still having an issue to that v6ns, I do get answer from the v6ns1

                Here trace on pfsense.

                [23.09.1-RELEASE][admin@sg4860.home.arpa]/: dig -6 aaaa.v6ns.test-ipv6.com AAAA +trace
                
                ; <<>> DiG 9.18.16 <<>> -6 aaaa.v6ns.test-ipv6.com AAAA +trace
                ;; global options: +cmd
                .                       86340   IN      NS      m.root-servers.net.
                .                       86340   IN      NS      f.root-servers.net.
                .                       86340   IN      NS      h.root-servers.net.
                .                       86340   IN      NS      g.root-servers.net.
                .                       86340   IN      NS      c.root-servers.net.
                .                       86340   IN      NS      j.root-servers.net.
                .                       86340   IN      NS      a.root-servers.net.
                .                       86340   IN      NS      k.root-servers.net.
                .                       86340   IN      NS      i.root-servers.net.
                .                       86340   IN      NS      l.root-servers.net.
                .                       86340   IN      NS      b.root-servers.net.
                .                       86340   IN      NS      d.root-servers.net.
                .                       86340   IN      NS      e.root-servers.net.
                .                       86340   IN      RRSIG   NS 8 0 518400 20240108170000 20231226160000 46780 . rBc0dPAiLU3UJN/aFWQF30h6HAxcfaQVw2EQmd5+mLsRWFSNGzPTKs4C iGchL5Q9WI0xkYGcjx2BtoMbaJXiaGio8IgOKib/naqoprA2CmSaurkH mUcGl5lOR2cbyLvdMn3Xd7FI0lkEcT1xmCYGKvmnkWUintePJJnE1pJj uskQdgwyArCTlmuKAlH8Cjfh7eIu3/rWTLutxHqdn3fTpX4x9WoQOA7e UgzR7Mn7Nux1EuWgEvDE5wPBPPYWUcUfrRtTVi5IyXzag+L35Q2TrknO AHyhiJ33/UpygNfMYdiTutHhlUP4DcpzVUHPFWVuwnz8at6nfKFnwS0m 69pcgA==
                couldn't get address for 'l.root-servers.net': not found
                ;; Received 525 bytes from ::1#53(::1) in 0 ms
                
                com.                    172800  IN      NS      a.gtld-servers.net.
                com.                    172800  IN      NS      b.gtld-servers.net.
                com.                    172800  IN      NS      c.gtld-servers.net.
                com.                    172800  IN      NS      d.gtld-servers.net.
                com.                    172800  IN      NS      e.gtld-servers.net.
                com.                    172800  IN      NS      f.gtld-servers.net.
                com.                    172800  IN      NS      g.gtld-servers.net.
                com.                    172800  IN      NS      h.gtld-servers.net.
                com.                    172800  IN      NS      i.gtld-servers.net.
                com.                    172800  IN      NS      j.gtld-servers.net.
                com.                    172800  IN      NS      k.gtld-servers.net.
                com.                    172800  IN      NS      l.gtld-servers.net.
                com.                    172800  IN      NS      m.gtld-servers.net.
                com.                    86400   IN      DS      19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
                com.                    86400   IN      RRSIG   DS 8 1 86400 20240108170000 20231226160000 46780 . O9wfB2aYbpDc6ZDemRDwRlfO9mbDUbG2EDYLZ4ezLjAYVnj6y1uDJT9i 9hozE/ciaY3kYGdDQVQbzeNb/TyyZVpajL/ju4B/EfSekHCrH1ULpKT2 Wl3mZThYW4WbLGuFIhv3WBU4ZHm/RzUPIbh9yJEOK2i5H99t7HgklPoQ mba3bvSOncDeWD8VcmXucr1ZaxzErHONxk5t88TBwz63Xznu5pX7MpGC iB6Gz5/lWu6k6fpFfCHSJjlTOG2Agpjij0duPs4KmA1h2Uxe8qnHe9PC /UHGMpMYUMnep9ktC2uVGjEDNnaUrkT17B8loFpIpoY1rYT+JBu9mUpD iYBJJg==
                ;; Received 1183 bytes from 2801:1b8:10::b#53(b.root-servers.net) in 101 ms
                
                test-ipv6.com.          172800  IN      NS      ns1.test-ipv6.com.
                test-ipv6.com.          172800  IN      NS      ns3.test-ipv6.com.
                CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
                CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400 20240101052609 20231225041609 46171 com. szNQwwMmA2dHL1TDz7A/9vScomqNiEhUSBw2TAovHQVMKkVwg3qXkXfG qUX0oLbe4MP3UE1v6cstVpBNmKjO+g==
                ERPS5KLB395KB2467L2UDQ1BFNI0FOG4.com. 86400 IN NSEC3 1 1 0 - ERPS808LVB5J6C45C9K3V9L4PKOV156G NS DS RRSIG
                ERPS5KLB395KB2467L2UDQ1BFNI0FOG4.com. 86400 IN RRSIG NSEC3 13 2 86400 20231230064608 20231223053608 46171 com. 1HBXtCixq+b3Qj/LhJXuIuN+daTSof3fH/HctUGCHcJrwyqd+l4qxrQe oP59EZSAzZ0rH3AGmktms5n2CkB7mA==
                ;; Received 505 bytes from 2001:502:8cc::30#53(h.gtld-servers.net) in 28 ms
                
                aaaa.v6ns.test-ipv6.com. 300    IN      NS      v6ns.test-ipv6.com.
                aaaa.v6ns.test-ipv6.com. 300    IN      NS      v6ns1.test-ipv6.com.
                couldn't get address for 'v6ns.test-ipv6.com': not found
                ;; Received 210 bytes from 2001:470:1:18::118#53(ns1.test-ipv6.com) in 58 ms
                
                aaaa.v6ns.test-ipv6.com. 300    IN      AAAA    2001:470:1:18::115
                v6ns.test-ipv6.com.     300     IN      NS      v6ns1.test-ipv6.com.
                ;; Received 141 bytes from 2001:470:1:18::3:53#53(v6ns1.test-ipv6.com) in 57 ms
                
                [23.09.1-RELEASE][admin@sg4860.home.arpa]/: 
                

                So if I trace it, you would think normal query would work.. But I just keep getting servfail..

                AHHHH!!!! I found my problem.. Maybe yours is sim?? On my outgoing interfaces for unbound, I only had loopback, it was never talking anything via IPv6 when you asked it.. I added my HE tunnel interface as an outgoing interface.. And now I can resolve it

                [23.09.1-RELEASE][admin@sg4860.home.arpa]/: dig -6 aaaa.v6ns.test-ipv6.com aaaa
                
                ; <<>> DiG 9.18.16 <<>> -6 aaaa.v6ns.test-ipv6.com aaaa
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38677
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;aaaa.v6ns.test-ipv6.com.       IN      AAAA
                
                ;; ANSWER SECTION:
                aaaa.v6ns.test-ipv6.com. 3600   IN      AAAA    2001:470:1:18::115
                
                ;; Query time: 321 msec
                ;; SERVER: ::1#53(::1) (UDP)
                ;; WHEN: Tue Dec 26 16:46:21 CST 2023
                ;; MSG SIZE  rcvd: 80
                
                [23.09.1-RELEASE][admin@sg4860.home.arpa]/: 
                

                  chill_out @johnpoz

                  @johnpoz yes, same issue! I changed outgoing interfaces to "all" and now it can resolve.

                  Thanks for the tip!

                    johnpoz LAYER 8 Global Moderator @chill_out

                    @chill_out Personally I normally just have it use loopback.. And I am back to that - I don't really need my dns going out my HE tunnel.. And other than that test of theirs have no need of it.

                    1 Reply Last reply Reply Quote 0
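The cause found in this thread (Unbound's outgoing interfaces limited to loopback, so it never queried anything over IPv6), as an added example that is not part of the original posts and not pfSense or Unbound code: a check of an Unbound configuration for a usable IPv6 source address. It assumes a loopback-only selection is written as `outgoing-interface` lines for 127.0.0.1 and ::1; the sample configurations and the 2001:db8::2 address are constructed.

```python
import ipaddress

# Constructed samples (not taken from the thread). 2001:db8::2 is a
# documentation address standing in for a tunnel interface address.
LOOPBACK_ONLY = """
server:
  do-ip6: yes
  outgoing-interface: 127.0.0.1
  outgoing-interface: ::1
"""
WITH_TUNNEL = LOOPBACK_ONLY + "  outgoing-interface: 2001:db8::2\n"
ALL_INTERFACES = "server:\n  do-ip6: yes\n"   # no outgoing-interface lines


def ipv6_egress(conf_text):
    """Return 'ok', 'no-ipv6-egress' or 'unknown' for an unbound.conf text."""
    do_ip6, sources = True, []          # do-ip6 defaults to yes in Unbound
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "do-ip6" and sep:
            do_ip6 = value == "yes"
        elif key == "outgoing-interface" and sep:
            sources.append(value)
    if not do_ip6:
        return "no-ipv6-egress"
    if not sources:
        return "ok"                     # OS chooses the source address
    usable = False
    for src in sources:
        try:
            addr = ipaddress.ip_interface(src)   # address or prefix form
        except ValueError:
            return "unknown"            # e.g. an interface name
        if addr.version == 6 and not (addr.ip.is_loopback or addr.ip.is_link_local):
            usable = True
    return "ok" if usable else "no-ipv6-egress"


if __name__ == "__main__":
    for name, conf in [("loopback only", LOOPBACK_ONLY),
                       ("loopback + tunnel", WITH_TUNNEL),
                       ("all interfaces", ALL_INTERFACES)]:
        print(f"{name}: {ipv6_egress(conf)}")
```

A `no-ipv6-egress` verdict corresponds to the SERVFAIL seen here for a name whose final answer only came from a nameserver reached over IPv6, while IPv4-reachable names keep resolving.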
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.