Feature #14535
Status: closed
DNS Unbound Resolver will still resolve IPv6 AAAA URLS when LAN and WAN are set to none for IPv6.
Description
Hello fellow redmine members,
I have noticed that the DNS unbound still resolves AAAA IPv6 when the LAN and WAN interfaces are set to NONE for IPv6. Should the DNS unbound resolver auto-disable AAAA when WAN is set to none for IPv6, as the LAN will never be able to resolve those?
This is what I have done to fix this issue, as I have no IPv6 from my ISP.
I still had to add the following into the advanced config area of the unbound DNS resolver:
server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
private-address: ::/0
dns64-ignore-aaaa: *.
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0*
Again, all that is needed to fix this, per John Poz, is to add private-address: ::/0, do-ip6: no and prefer-ip6: no to the custom options.
pfSense, when set to NONE for IPv6, does not adapt the DNS unbound resolver to also disable IPv6.
When this is left unchanged in the DNS unbound, the client-side browsers all still attempt to access IPv6 URLs, leading to many errors on the client side.
Can we also add a button to disable ipv6 inside of the unbound DNS resolver?
And/or link the WAN to the DNS, so when it disables, also disable AAAA?
My ISP does not provide IPv6, only IPv4.
Updated by Jonathan Lee almost 2 years ago
See attached: with custom options, only the IPv4 address is resolved. Without them it will still show an IPv6 address, even with IPv6 set to NONE in WAN interfaces.
Updated by Jim Pingle almost 2 years ago
- Status changed from New to Not a Bug
That's how DNS works.
The clients are requesting A and AAAA records, the service is giving the clients the responses they requested. It's up to the clients to decide what to do/not do with that.
If you want to forcefully disable it, you can do so with custom options as you noted, but it's not a common enough need that we should be adding an official option for it.
Updated by Jonathan Lee almost 2 years ago
If LAN is set to none for IPv6, it technically would never be able to access AAAA, correct?
Updated by Chris Linstruth almost 2 years ago
If the router is not saying it is IPv6-capable the clients will not have IPv6 available to use. Every modern IPv4-only host can resolve AAAA records from DNS servers.
Updated by Jim Pingle almost 2 years ago
If the clients don't have working IPv6 they wouldn't use the AAAA results. But you don't know what is making the DNS requests or what it might want with them. Honestly, you don't have to care either. It's better to give clients what they're asking for instead of arbitrarily filtering their results.
If it really bothers you, there is the manual config option, but it's not something I'd recommend.
Updated by Jonathan Lee almost 2 years ago
Thanks for looking at this,
For me, all of a sudden clients kept trying to use AAAA (IPv6) results. Again, I had so many issues I had to turn it off with the custom options. I noticed in the forum many other users are experiencing the same thing. Yes, AAAA (IPv6) is being asked for; again, my ISP does not offer IPv6 at this time, so it was causing issues until I turned it off. It was as if the browsers wanted IPv6 even with the IPv4-only ISP.
Updated by Chris Linstruth almost 2 years ago
Then they thought they had IPv6 available to use and, properly, tried to use it first. Check the IPv6 configuration on the client and if they have a GUA and a default router, see where they got that configuration.
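The client-side check suggested in the comment above, as an added example that is not part of the original thread: it parses Linux `ip -6 addr show` and `ip -6 route show default` output, lists any global unicast address (GUA) and reports the default router and whether the route was learned from a router advertisement. The sample output, interface name and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample output of `ip -6 addr show` and `ip -6 route show default`
# on a Linux client (addresses use the 2001:db8::/32 documentation prefix).
SAMPLE_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:a00:27ff:fe4e:66a1/64 scope global dynamic mngtmpaddr
    inet6 fd12:3456:789a:1::10/64 scope global
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
"""
SAMPLE_ROUTE = "default via fe80::1:1 dev eth0 proto ra metric 100 pref medium\n"

GUA = ipaddress.ip_network("2000::/3")  # global unicast range


def global_unicast(addr_output):
    """Return the GUAs in `ip -6 addr show` output (ULA and link-local skipped)."""
    found = []
    for m in re.finditer(r"inet6\s+([0-9a-fA-F:]+)/\d+", addr_output):
        ip = ipaddress.ip_address(m.group(1))
        if ip in GUA:
            found.append(str(ip))
    return found


def default_routers(route_output):
    """Return (gateway, device, learned_from_RA) for each IPv6 default route."""
    routers = []
    for line in route_output.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line)
        if m:
            # "proto ra" marks a route installed from a router advertisement;
            # the link-local gateway identifies the router that sent it.
            routers.append((m.group(1), m.group(2), " proto ra" in line))
    return routers


def has_usable_ipv6(addr_output, route_output):
    """The condition named in the comment: a GUA plus a default router."""
    return bool(global_unicast(addr_output)) and bool(default_routers(route_output))


if __name__ == "__main__":
    print("GUA:", global_unicast(SAMPLE_ADDR))
    print("default routers:", default_routers(SAMPLE_ROUTE))
    print("usable IPv6:", has_usable_ipv6(SAMPLE_ADDR, SAMPLE_ROUTE))
```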
Updated by Chris Linstruth almost 2 years ago
At this point this discussion is best taken to the forum at https://forum.netgate.com/category/46/ipv6