Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Resolver starts rejecting requests over IPv6 after a couple of weeks

    Scheduled Pinned Locked Moved DHCP and DNS
    4 Posts 2 Posters 166 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jhg
      last edited by

      Re: https://forum.netgate.com/topic/196876

      The problem in the above referenced post went away as soon as I restarted the resolver. It started happening again yesterday.

      In summary, if the resolver receives a request from the LAN side, and the request arrives on the IPv6 interface, the request is rejected with

      WARNING: recursion requested but not available

      I just now restarted the resolver and the error went away.

      Below is a log of a terminal session on a LAN host. In this case it was Cygwin on Windows 11 but I've seen the same behavior in Debian 12.

      The first dig command was issued while lookups were failing. The second dig about 23 seconds later, after having restarted the resolver.

      Note, it's not the type of request (A vs AAAA for example), but the IP version interface over which pfSense receives the request. Windows defaults to using IPv6 if it's available.

      What logging should I be gathering in order to help Netgate troubleshoot the issue?

      jim@HOME11 ~
$ dig sqlite.org

; <<>> DiG 9.11.9 <<>> sqlite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58298
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 2601:1c0:5600:c367:eaff:1eff:fed2:b036#53(2601:1c0:5600:c367:eaff:1eff:fed2:b036)
;; WHEN: Mon Apr 14 15:09:54 PDT 2025
;; MSG SIZE  rcvd: 12


jim@HOME11 ~
$ dig sqlite.org

; <<>> DiG 9.11.9 <<>> sqlite.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48986
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;sqlite.org.                    IN      A

;; ANSWER SECTION:
sqlite.org.             300     IN      A       194.195.208.62

;; Query time: 206 msec
;; SERVER: 2601:1c0:5600:c367:eaff:1eff:fed2:b036#53(2601:1c0:5600:c367:eaff:1eff:fed2:b036)
;; WHEN: Mon Apr 14 15:10:17 PDT 2025
;; MSG SIZE  rcvd: 55

      pfSense CE on Beelink EQ12 (N100 CPU, dual 2.5Gbe Intel NICs)
      Hitron CODA56 - Comcast 2.5Gb cable

      J 1 Reply Last reply Reply Quote 0
      • J
        jhg @jhg
        last edited by

        Never got any response to this, and it keeps happening.

        After some period of time, DNS resolution requests received over IPv6 from LAN clients are rejected. The type of query doesn't matter, only the interface over which the request is received. For example

        dig any.host.tld
or
dig aaaa any.host.tld
...
;; WARNING: recursion requested but not available

        while

        dig -4 any.host.tld
or
dig -4 aaaa any.host.tld

        succeeds

        When this starts happening all I need to do is restart the DNS Resolver and it goes back to working until the next time it decides to quit working.

        Any chance of getting someone to look at this?

        pfSense CE on Beelink EQ12 (N100 CPU, dual 2.5Gbe Intel NICs)
        Hitron CODA56 - Comcast 2.5Gb cable

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @jhg
          last edited by Gertjan

          @jhg

          pfSense CE on ...

          What version ?
          When the issue happens, was unbound listening on IPv6 LAN interfaces ?

          [25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -6 | grep ":53"
          unbound unbound 53479 3 udp6 *:53 :
          unbound unbound 53479 4 tcp6 *:53 :

          means "all exiting interfaces", for TCP and UDP.

          When you raise the resolver (unbound) log setting to 'very verbose', can you see the IPv6 request arriving @unbound ?
          Don't forget to set the log setting back, as it produces a lot of info.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          J 1 Reply Last reply Reply Quote 0
          • J
            jhg @Gertjan
            last edited by

            @Gertjan said in DNS Resolver starts rejecting requests over IPv6 after a couple of weeks:

            What version ?

            2.7.2

            When the issue happens, was unbound listening on IPv6 LAN interfaces ?

            Yes, I can confirm it was listening because the query is explicitly rejected, not timed-out.

            [25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -6 | grep ":53"
            unbound unbound 53479 3 udp6 *:53 :
            unbound unbound 53479 4 tcp6 *:53 :

            means "all exiting interfaces", for TCP and UDP.

            I recently restarted it because the problem recurred, next time it happens I will run tcpdump and upload a capture of the transaction(s).

            When you raise the resolver (unbound) log setting to 'very verbose', can you see the IPv6 request arriving @unbound ?
            Don't forget to set the log setting back, as it produces a lot of info.

            Next time it happens I'll also do this.

            pfSense CE on Beelink EQ12 (N100 CPU, dual 2.5Gbe Intel NICs)
            Hitron CODA56 - Comcast 2.5Gb cable

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.