Unbound DNS on IPV6
RayG
rgsub1 at btinternet.com
Sat Aug 11 15:38:56 UTC 2018
Hi,
First apologies for the length of the post.
Following on from my experiments with UDP/TCP I have been trying to verify
that the private addresses for IPV6 I have set up were working as expected.
private-address: ::/128 # Unspecified address
private-address: ::1/128 # Loopback Localhost
private-address: 2001:db8::/32 # Documentation network IPv6
private-address: 2001:10::/28 # Overlay Routable Cryptographic Hash IDentifiers (ORCHID) addresses
private-address: fc00::/7 # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fe80::/10 # Link-local address (LLA)
? private-address: ::ffff:0:0/96
? private-address: ::ffff/96
? = not sure which is correct.
From this page I gleaned (and I hope I have this correct):
https://www.ripe.net/manage-ips-and-asns/ipv6/ipv6-address-types/ipv6-address-types
That the addresses above should never appear on the internet and as such are
"private" and setting them in the config file as above should ensure that
DNS rebinding attacks cannot happen on IPV6. At least that is what I think
this is all about.
(For IPV4, I am happy that I have these correctly configured and my checks
bear this out.
private-address: 127.0.0.0/8 # Loopback Localhost
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
)
As you may have gathered I am not really an expert in the set-up, so I try to
verify what I am doing from what I can glean from commands I can use, the
internet and helpful people like yourselves.
To this end I thought, OK, let's turn off unbound's IPV4 capability (my router
and network support IPV6, as you can see below by pinging the root
servers). However, when I try to do a lookup unbound gives me a SRVFAIL:
C:\>nslookup www.adobe.com
Server: localhost
Address: ::1
*** localhost can't find www.adobe.com: Server failed
C:\>dig www.adobe.com
; <<>> DiG 9.12.2-P1 <<>> www.adobe.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24704
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.adobe.com. IN A
;; Query time: 1187 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 11 16:04:02 GMT Summer Time 2018
;; MSG SIZE rcvd: 42
C:\>ping 2001:503:d414::30
Pinging 2001:503:d414::30 with 32 bytes of data:
Reply from 2001:503:d414::30: time=152ms
Reply from 2001:503:d414::30: time=152ms
Reply from 2001:503:d414::30: time=152ms
Reply from 2001:503:d414::30: time=151ms
Ping statistics for 2001:503:d414::30:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 151ms, Maximum = 152ms, Average = 151ms
The address above is one of the root servers: f.gtld-servers.net.
C:\>dig -x 2001:503:d414::30
; <<>> DiG 9.12.2-P1 <<>> -x 2001:503:d414::30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2502
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. IN PTR
;; ANSWER SECTION:
0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86303 IN PTR f.gtld-servers.net.
;; AUTHORITY SECTION:
4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86301 IN NS a3.verisigndns.com.
4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86301 IN NS a2.verisigndns.com.
4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86301 IN NS a1.verisigndns.com.
;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Aug 11 16:08:28 GMT Summer Time 2018
;; MSG SIZE rcvd: 199
Doing a lookup using my router's DNS server, you can see, works (but that is
using IPV4), and the info returned shows that the ping works. IPV6 is alive
and kicking.
C:\>nslookup www.microsoft.com 192.168.10.1
Server: Router
Address: 192.168.10.1
Non-authoritative answer:
Name: e13678.dspb.akamaiedge.net
Addresses: 2a02:26f0:13b:38b::356e
2a02:26f0:13b:38f::356e
84.53.169.145
Aliases: www.microsoft.com
www.microsoft.com-c-3.edgekey.net
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
So we can see www.microsoft.com is pingable via IPV6:
C:\>ping 2a02:26f0:13b:38f::356e
Pinging 2a02:26f0:13b:38f::356e with 32 bytes of data:
Reply from 2a02:26f0:13b:38f::356e: time=9ms
Reply from 2a02:26f0:13b:38f::356e: time=9ms
Reply from 2a02:26f0:13b:38f::356e: time=10ms
Reply from 2a02:26f0:13b:38f::356e: time=9ms
Ping statistics for 2a02:26f0:13b:38f::356e:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 10ms, Average = 9ms
Then I thought let's try this to try and prove IPV6 can do DNS resolution:
C:\>dig @f.gtld-servers.net. -6 www.microsoft.com
; <<>> DiG 9.12.2-P1 <<>> @f.gtld-servers.net. -6 www.microsoft.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9354
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.microsoft.com. IN A
;; AUTHORITY SECTION:
microsoft.com. 172800 IN NS ns3.msft.net.
microsoft.com. 172800 IN NS ns1.msft.net.
microsoft.com. 172800 IN NS ns2.msft.net.
microsoft.com. 172800 IN NS ns4.msft.net.
;; ADDITIONAL SECTION:
ns3.msft.net. 172800 IN A 193.221.113.53
ns3.msft.net. 172800 IN AAAA 2620:0:34::53
ns1.msft.net. 172800 IN A 208.84.0.53
ns1.msft.net. 172800 IN AAAA 2620:0:30::53
ns2.msft.net. 172800 IN A 208.84.2.53
ns2.msft.net. 172800 IN AAAA 2620:0:32::53
ns4.msft.net. 172800 IN A 208.76.45.53
ns4.msft.net. 172800 IN AAAA 2620:0:37::53
;; Query time: 156 msec
;; SERVER: 2001:503:d414::30#53(2001:503:d414::30)
;; WHEN: Sat Aug 11 15:45:47 GMT Summer Time 2018
;; MSG SIZE rcvd: 302
C:\>
Also this seems to work OK:
C:\>nslookup
Default Server: localhost
Address: ::1
> server 2001:503:d414::30
Default Server: f.gtld-servers.net
Address: 2001:503:d414::30
> www.adobe.com
Server: f.gtld-servers.net
Address: 2001:503:d414::30
Name: www.adobe.com
Served by:
- adobe-dns-03.adobe.com
193.104.215.45
adobe.com
- adobe-dns-01.adobe.com
192.150.11.56
adobe.com
- adobe-dns-04.adobe.com
192.147.130.168
adobe.com
- adobe-dns-05.adobe.com
103.43.113.56
adobe.com
- a10-64.akam.net
96.7.50.64
adobe.com
- a28-67.akam.net
95.100.173.67
adobe.com
- a26-66.akam.net
23.74.25.66
adobe.com
- a7-64.akam.net
23.61.199.64
adobe.com
- a1-217.akam.net
193.108.91.217
2600:1401:2::d9
adobe.com
- a13-65.akam.net
2.22.230.65
adobe.com
>
> exit
So the question is: am I tripping myself up somewhere along the line, or is
unbound not working for DNS resolution on IPV6 only?
The log file at verbosity 4 is here:
https://1drv.ms/u/s!As73rPtzISrUjyCR6j9ArQPW5i5d
Regards
Ray
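As an added example that is not part of Ray's post or of Unbound itself, the script below models the rebinding-protection idea behind private-address: answer records whose A/AAAA address falls inside one of the listed prefixes are dropped. It uses Python's ipaddress module (not Unbound's own parser) to show how the two "?" lines differ when parsed leniently: `::ffff:0:0/96` is the IPv4-mapped range, while `::ffff/96` has host bits set and collapses to `::/96`. The evil.example records are constructed sample data.

```python
# Added illustration of private-address filtering (DNS rebinding defence),
# written with Python's ipaddress module; it does not claim to reproduce
# Unbound's configuration parser.
import ipaddress

# Prefixes copied from the config lists in the post, plus the first "?" form.
PRIVATE_PREFIXES = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",
    "::/128", "::1/128", "2001:db8::/32", "2001:10::/28", "fc00::/7",
    "fe80::/10",
    "::ffff:0:0/96",   # IPv4-mapped IPv6 addresses
]

def parse_prefix(text):
    """Parse a private-address value leniently (host bits are zeroed).
    This is what makes '::ffff/96' become '::/96' rather than the mapped range."""
    return ipaddress.ip_network(text, strict=False)

def is_private(addr_text, prefixes=PRIVATE_PREFIXES):
    """True if the address lies in any configured private prefix.
    ipaddress never matches an IPv4 address against an IPv6 network."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in parse_prefix(p) for p in prefixes)

def filter_answers(answers, prefixes=PRIVATE_PREFIXES):
    """Split (name, rtype, value) records into (kept, dropped): a public name
    resolving into private address space is the rebinding pattern to block."""
    kept, dropped = [], []
    for name, rtype, value in answers:
        if rtype in ("A", "AAAA") and is_private(value, prefixes):
            dropped.append((name, rtype, value))
        else:
            kept.append((name, rtype, value))
    return kept, dropped

# Constructed sample: the Microsoft records quoted in the post plus two
# made-up answers that point a public-looking name at the poster's router.
SAMPLE_ANSWERS = [
    ("www.microsoft.com", "AAAA", "2a02:26f0:13b:38b::356e"),
    ("www.microsoft.com", "A", "84.53.169.145"),
    ("evil.example", "A", "192.168.10.1"),            # constructed
    ("evil.example", "AAAA", "::ffff:192.168.10.1"),  # constructed, IPv4-mapped
]

if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    print("kept:", kept)
    print("dropped:", dropped)
    print("'::ffff/96' parses as", parse_prefix("::ffff/96"))
```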