[nsd-users] NSD not reachable over IPv6 without ip-address option
Anand Buddhdev
anandb at ripe.net
Sat Jan 7 09:39:11 UTC 2023
Hi Pim,

This issue comes up quite frequently.

If you don't configure NSD to bind to a specific IPv6 address, then when
it is constructing a DNS response packet, it doesn't set the source
address in it. It passes the packet to the OS, which then selects a
route for the packet, and sets the source address appropriate for that
route. If you have multiple interfaces on the server, or multiple IPv6
addresses on an interface, then the OS can pick the wrong one, and the
client will receive a DNS reply from an address it wasn't expecting, and
probably discard it.

It is good practice to make your NSD server bind explicitly to the
addresses that it's supposed to listen to and reply from.

Regards,
Anand

On 06/01/2023 18:41, Pim Kunis via nsd-users wrote:
> Hi,
>
> I have a dual-stack IPv4/IPv6 server on which I run NSD. However,
> without adding the "ip-address" option in nsd.conf, NSD does not respond
> to IPv6 queries. It does respond to IPv4 queries. Also, it does respond
> to requests from the same machine to ::1.
>
> Below you can see that the NSD is indeed listening to UDP port 53 on
> IPv6 on the wildcard address:
>
>> root at lewis:/etc/nsd# ss -ulpn sport inet6:53
>> State Recv-Q Send-Q Local
>> Address:Port Peer
>> Address:Port Process
>> UNCONN 0 0 [::]:53 [::]:* users:(("nsd: server
>> 4",pid=16052,fd=4),("nsd: server 3",pid=16051,fd=4),("nsd: server
>> 2",pid=16050,fd=4),("nsd: server 1",pid=16049,fd=4),("nsd:
>> main",pid=16048,fd=4),("nsd: xfrd",pid=16046,fd=4))
>
> Does anybody know what could be the problem?
>
> Kind regards,
>
> Pim Kunis
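
Added example, not part of the thread and not NSD project code: a Python check that reads an nsd.conf and reports the address families where NSD would listen on a wildcard socket while the host has more than one candidate source address, which is the situation the reply above describes. The function names, the sample configurations and the addresses (documentation prefixes) are constructed for illustration; ignoring loopback and link-local addresses is a choice of this example.

```python
import ipaddress

def listen_addresses(conf_text):
    """Return the ip-address values from the server: clause of an nsd.conf."""
    addrs, in_server = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not key:
            continue
        if not value:                      # clause header: "server:", "zone:", ...
            in_server = key == "server"
        elif in_server and key == "ip-address":
            # Drop an optional "@port" suffix and trailing per-address options.
            addrs.append(ipaddress.ip_address(value.split()[0].split("@")[0]))
    return addrs

def wildcard_reply_risk(conf_text, host_addrs):
    """List address families where the reply source is left to OS route selection."""
    bound = listen_addresses(conf_text)
    findings = []
    for version in (4, 6):
        # No ip-address at all, or an explicit 0.0.0.0 / ::, means a wildcard socket.
        wildcard = not bound or any(a.version == version and a.is_unspecified for a in bound)
        # Loopback and link-local are ignored here (a choice of this example).
        candidates = [a for a in map(ipaddress.ip_address, host_addrs)
                      if a.version == version and not (a.is_loopback or a.is_link_local)]
        if wildcard and len(candidates) > 1:
            findings.append((version, [str(a) for a in candidates]))
    return findings

# Constructed sample data (documentation prefixes), not taken from the thread.
HOST_ADDRS = ["192.0.2.10", "::1", "fe80::1", "2001:db8::10", "2001:db8::53"]
CONF_DEFAULT = "server:\n    server-count: 4\n"
CONF_EXPLICIT = """server:
    server-count: 4
    ip-address: 192.0.2.10
    ip-address: 2001:db8::53@53   # the address clients send queries to
"""

if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("explicit", CONF_EXPLICIT)):
        print(name, wildcard_reply_risk(conf, HOST_ADDRS))
```
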