<![CDATA[DNS Resolver starts rejecting requests over IPv6 after a couple of weeks]]>Re: https://forum.netgate.com/topic/196876

The problem in the above referenced post went away as soon as I restarted the resolver. It started happening again yesterday.

In summary, if the resolver receives a request from the LAN side, and the request arrives on the IPv6 interface, the request is rejected with

WARNING: recursion requested but not available

I just now restarted the resolver and the error went away.

Below is a log of a terminal session on a LAN host. In this case it was Cygwin on Windows 11 but I've seen the same behavior in Debian 12.

The first dig command was issued while lookups were failing. The second dig about 23 seconds later, after having restarted the resolver.

Note, it's not the type of request (A vs AAAA for example), but the IP version interface over which pfSense receives the request. Windows defaults to using IPv6 if it's available.

What logging should I be gathering in order to help Netgate troubleshoot the issue?

jim@HOME11 ~
$ dig sqlite.org

; <<>> DiG 9.11.9 <<>> sqlite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58298
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 2601:1c0:5600:c367:eaff:1eff:fed2:b036#53(2601:1c0:5600:c367:eaff:1eff:fed2:b036)
;; WHEN: Mon Apr 14 15:09:54 PDT 2025
;; MSG SIZE  rcvd: 12


jim@HOME11 ~
$ dig sqlite.org

; <<>> DiG 9.11.9 <<>> sqlite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48986
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;sqlite.org.                    IN      A

;; ANSWER SECTION:
sqlite.org.             300     IN      A       194.195.208.62

;; Query time: 206 msec
;; SERVER: 2601:1c0:5600:c367:eaff:1eff:fed2:b036#53(2601:1c0:5600:c367:eaff:1eff:fed2:b036)
;; WHEN: Mon Apr 14 15:10:17 PDT 2025
;; MSG SIZE  rcvd: 55
]]>https://forum.netgate.com/topic/197145/dns-resolver-starts-rejecting-requests-over-ipv6-after-a-couple-of-weeksRSS for NodeTue, 21 Apr 2026 05:02:50 GMTMon, 14 Apr 2025 22:25:35 GMT60<![CDATA[Reply to DNS Resolver starts rejecting requests over IPv6 after a couple of weeks on Wed, 04 Jun 2025 21:48:34 GMT]]>@Gertjan said in DNS Resolver starts rejecting requests over IPv6 after a couple of weeks:

What version ?

2.7.2

When the issue happens, was unbound listening on IPv6 LAN interfaces ?

Yes, I can confirm it was listening because the query is explicitly rejected, not timed-out.

[25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -6 | grep ":53"
unbound unbound 53479 3 udp6 *:53 :
unbound unbound 53479 4 tcp6 *:53 :

means "all exiting interfaces", for TCP and UDP.

I recently restarted it because the problem recurred, next time it happens I will run tcpdump and upload a capture of the transaction(s).

When you raise the resolver (unbound) log setting to 'very verbose', can you see the IPv6 request arriving @unbound ?
Don't forget to set the log setting back, as it produces a lot of info.

Next time it happens I'll also do this.

]]>https://forum.netgate.com/post/1216756https://forum.netgate.com/post/1216756Wed, 04 Jun 2025 21:48:34 GMT<![CDATA[Reply to DNS Resolver starts rejecting requests over IPv6 after a couple of weeks on Mon, 19 May 2025 08:12:00 GMT]]>@jhg

pfSense CE on ...

What version ?
When the issue happens, was unbound listening on IPv6 LAN interfaces ?

[25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -6 | grep ":53"
unbound unbound 53479 3 udp6 *:53 :
unbound unbound 53479 4 tcp6 *:53 :

means "all exiting interfaces", for TCP and UDP.

When you raise the resolver (unbound) log setting to 'very verbose', can you see the IPv6 request arriving @unbound ?
Don't forget to set the log setting back, as it produces a lot of info.

]]>https://forum.netgate.com/post/1214982https://forum.netgate.com/post/1214982Mon, 19 May 2025 08:12:00 GMT<![CDATA[Reply to DNS Resolver starts rejecting requests over IPv6 after a couple of weeks on Mon, 19 May 2025 02:25:34 GMT]]>Never got any response to this, and it keeps happening.

After some period of time, DNS resolution requests received over IPv6 from LAN clients are rejected. The type of query doesn't matter, only the interface over which the request is received. For example

dig any.host.tld
or
dig aaaa any.host.tld
...
;; WARNING: recursion requested but not available

while

dig -4 any.host.tld
or
dig -4 aaaa any.host.tld

succeeds

When this starts happening all I need to do is restart the DNS Resolver and it goes back to working until the next time it decides to quit working.

Any chance of getting someone to look at this?

]]>https://forum.netgate.com/post/1214965https://forum.netgate.com/post/1214965Mon, 19 May 2025 02:25:34 GMT