Unbound DNS on IPV6

RayG rgsub1 at btinternet.com
Sat Aug 11 15:38:56 UTC 2018


Hi,

 

First apologies for the length of the post.

 

Following on from my experiments with UDP/TCP I have been trying to verify
that the private addresses for IPV6 I have set up were working as expected. 

 

                private-address: ::/128          # Unspecified address

                private-address: ::1/128         # Loopback Localhost

                private-address: 2001:db8::/32   # Documentation network
IPv6

                private-address: 2001:10::/28     # Overlay Routable
Cryptographic Hash IDentifiers (ORCHID) addresses

                private-address: fc00::/7        # Unique local address
(ULA) part of "fc00::/7", not defined yet

                private-address: fe80::/10       # Link-local address (LLA)

?              private-address: ::ffff:0:0/96

?              private-address: ::ffff/96

 

? = not sure which is correct.

 

>From this page I gleaned (and I hope I have this correct):

https://www.ripe.net/manage-ips-and-asns/ipv6/ipv6-address-types/ipv6-addres
s-types

 

That the addresses above should never appear on the internet and as such are
"private" and setting them in the config file as above should ensure that
DNS rebinding attacks cannot happen on IPV6. At least that is what I think
this is all about. 

 

(

For IPV4, I am happy that I have these correctly configured and my checks
bear this out.

                private-address: 127.0.0.0/8    # Loopback Localhost

                private-address: 10.0.0.0/8

                private-address: 172.16.0.0/12

                private-address: 192.168.0.0/16

                private-address: 169.254.0.0/16

)

 

As you may have gathered I am not really an expert in the set up so I try to
verify what I am doing from what I can glean from commands I can use, the
internet and helpful people like yourselves.

 

To this end I thought OK lets turn off unbound's IPV4 capability (My router
and network support IPV6) but as you can see below by pinging the root
servers. However when I try to do a lookup unbound gives me a SRVFAIL

 

C:\>nslookup www.adobe.com

Server:  localhost

Address:  ::1

 

*** localhost can't find www.adobe.com: Server failed

 

C:\>dig www.adobe.com

 

; <<>> DiG 9.12.2-P1 <<>> www.adobe.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24704

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.adobe.com.                 IN      A

 

;; Query time: 1187 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Sat Aug 11 16:04:02 GMT Summer Time 2018

;; MSG SIZE  rcvd: 42

 

C:\>ping 2001:503:d414::30

 

Pinging 2001:503:d414::30 with 32 bytes of data:

Reply from 2001:503:d414::30: time=152ms

Reply from 2001:503:d414::30: time=152ms

Reply from 2001:503:d414::30: time=152ms

Reply from 2001:503:d414::30: time=151ms

 

Ping statistics for 2001:503:d414::30:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 151ms, Maximum = 152ms, Average = 151ms

 

The address above is one of the root servers: f.gtld-servers.net.

 

C:\>dig -x 2001:503:d414::30

 

; <<>> DiG 9.12.2-P1 <<>> -x 2001:503:d414::30

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2502

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa.
IN PTR

 

;; ANSWER SECTION:

0.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa.
86303 IN PTR f.gtld-servers.net.

 

;; AUTHORITY SECTION:

4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86301 IN NS   a3.verisigndns.com.

4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86301 IN NS   a2.verisigndns.com.

4.1.4.d.3.0.5.0.1.0.0.2.ip6.arpa. 86301 IN NS   a1.verisigndns.com.

 

;; Query time: 15 msec

;; SERVER: ::1#53(::1)

;; WHEN: Sat Aug 11 16:08:28 GMT Summer Time 2018

;; MSG SIZE  rcvd: 199

 

Doing a lookup using my routers DNS server you can see works (but that is
using IPV4) but the info returned shows that the ping works. IPV6 is alive
and kicking.

 

C:\>nslookup www.microsoft.com 192.168.10.1

Server:  Router

Address:  192.168.10.1

 

Non-authoritative answer:

Name:    e13678.dspb.akamaiedge.net

Addresses:  2a02:26f0:13b:38b::356e

          2a02:26f0:13b:38f::356e

          84.53.169.145

Aliases:  www.microsoft.com

          www.microsoft.com-c-3.edgekey.net

          www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

 

So we can see www.microsoft.com <http://www.microsoft.com>  is pingable via
IPV6

 

C:\>ping 2a02:26f0:13b:38f::356e

 

Pinging 2a02:26f0:13b:38f::356e with 32 bytes of data:

Reply from 2a02:26f0:13b:38f::356e: time=9ms

Reply from 2a02:26f0:13b:38f::356e: time=9ms

Reply from 2a02:26f0:13b:38f::356e: time=10ms

Reply from 2a02:26f0:13b:38f::356e: time=9ms

 

Ping statistics for 2a02:26f0:13b:38f::356e:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 9ms, Maximum = 10ms, Average = 9ms

 

Then I thought lets try this to ty and prove IPV6 can do DNS resolution

 

C:\>dig @f.gtld-servers.net. -6 www.microsoft.com

 

; <<>> DiG 9.12.2-P1 <<>> @f.gtld-servers.net. -6 www.microsoft.com

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9354

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9

;; WARNING: recursion requested but not available

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.microsoft.com.             IN      A

 

;; AUTHORITY SECTION:

microsoft.com.          172800  IN      NS      ns3.msft.net.

microsoft.com.          172800  IN      NS      ns1.msft.net.

microsoft.com.          172800  IN      NS      ns2.msft.net.

microsoft.com.          172800  IN      NS      ns4.msft.net.

 

;; ADDITIONAL SECTION:

ns3.msft.net.           172800  IN      A       193.221.113.53

ns3.msft.net.           172800  IN      AAAA    2620:0:34::53

ns1.msft.net.           172800  IN      A       208.84.0.53

ns1.msft.net.           172800  IN      AAAA    2620:0:30::53

ns2.msft.net.           172800  IN      A       208.84.2.53

ns2.msft.net.           172800  IN      AAAA    2620:0:32::53

ns4.msft.net.           172800  IN      A       208.76.45.53

ns4.msft.net.           172800  IN      AAAA    2620:0:37::53

 

;; Query time: 156 msec

;; SERVER: 2001:503:d414::30#53(2001:503:d414::30)

;; WHEN: Sat Aug 11 15:45:47 GMT Summer Time 2018

;; MSG SIZE  rcvd: 302

 

C:\>

 

Also this seems to work OK:

 

C:\>nslookup

Default Server:  localhost

Address:  ::1

 

> server 2001:503:d414::30

Default Server:  f.gtld-servers.net

Address:  2001:503:d414::30

 

> www.adobe.com

Server:  f.gtld-servers.net

Address:  2001:503:d414::30

 

Name:    www.adobe.com

Served by:

- adobe-dns-03.adobe.com

          193.104.215.45

          adobe.com

- adobe-dns-01.adobe.com

          192.150.11.56

          adobe.com

- adobe-dns-04.adobe.com

          192.147.130.168

          adobe.com

- adobe-dns-05.adobe.com

          103.43.113.56

          adobe.com

- a10-64.akam.net

          96.7.50.64

          adobe.com

- a28-67.akam.net

          95.100.173.67

          adobe.com

- a26-66.akam.net

          23.74.25.66

          adobe.com

- a7-64.akam.net

          23.61.199.64

          adobe.com

- a1-217.akam.net

          193.108.91.217

          2600:1401:2::d9

          adobe.com

- a13-65.akam.net

          2.22.230.65

          adobe.com

> 

> exit

 

So the question is am I tripping myself up somewhere along the line or is
unbound not working for DNS resolution on IPV6 only?

 

The log file verbosity 4 is here:

https://1drv.ms/u/s!As73rPtzISrUjyCR6j9ArQPW5i5d

 

Regards

Ray

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180811/5bf9c10e/attachment.htm>


More information about the Unbound-users mailing list