[nsd-users] NSD not reachable over IPv6 without ip-address option
Jim Popovitch
jimpop at domainmail.org
Sat Jan 7 14:46:38 UTC 2023
On Sat, 2023-01-07 at 10:39 +0100, Anand Buddhdev via nsd-users wrote:
> This issue comes up quite frequently.
>
> If you don't configure NSD to bind to a specific IPv6 address, then when
> it is constructing a DNS response packet, it doesn't set the source
> address in it. It passes the packet to the OS, which then selects a
> route for the packet, and sets the source address appropriate for that
> route. If you have multiple interfaces on the server, or multiple IPv6
> addresses on an interface, then the OS can pick the wrong one, and the
> client will receive a DNS reply from an address it wasn't expecting, and
> probably discard it.
>
> It is good practice to make your NSD server bind explicitly to the
> addresses that it's supposed to listen to and reply from.
Alternatively, if your IP stack is static and you only have one IPv4 and
one IPv6, then you can use do-ip4 and do-ip6 and you don't need to
specify specific IP addresses in nsd.conf:

server:
    do-ip4: yes
    do-ip6: yes

-Jim P.
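
The source-address mismatch described in the quoted explanation can be checked from the client side. The following is an added example, not part of the original thread and not NSD code: it sends one SOA query over an unconnected UDP socket and reports whether the reply came from the address that was queried. The function names are hypothetical, and the server address and zone are supplied by the operator.

```python
import ipaddress, os, socket, struct, sys

def build_query(name, qtype=6, txid=None):
    """Minimal DNS query (RFC 1035): 12-byte header plus one IN question (6 = SOA)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # RD=0, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.strip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def same_address(queried, reply_source):
    """Compare two textual addresses, ignoring zone ids, case and zero compression."""
    def norm(addr):
        return ipaddress.ip_address(addr.split("%", 1)[0])
    return norm(queried) == norm(reply_source)

def probe(server, zone, port=53, timeout=3.0):
    """Return ('ok' | 'mismatch' | 'timeout', reply source address or None)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = build_query(zone)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # Deliberately not connect()ed: a connected UDP socket makes the kernel
        # drop replies from any other source, so the mismatch would only show
        # up as a timeout instead of being visible here.
        sock.sendto(query, (server, port))
        try:
            while True:
                data, peer = sock.recvfrom(4096)
                if data[:2] == query[:2]:  # transaction id matches our query
                    break
        except socket.timeout:
            return ("timeout", None)
    status = "ok" if same_address(server, peer[0]) else "mismatch"
    return (status, peer[0])

if __name__ == "__main__":
    # usage: script.py <server address> <zone served by that server>
    status, source = probe(sys.argv[1], sys.argv[2])
    print(f"queried {sys.argv[1]}: {status}, reply source {source}")
    sys.exit(0 if status == "ok" else 1)
```

Run it once against each address published for the name server; a "mismatch" result on any of them is the condition in which ordinary resolvers discard the reply.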