DNS64: reverse lookups fail when using ULA prefix
Wouter Wijngaards
wouter at nlnetlabs.nl
Wed Feb 19 14:04:40 UTC 2020
Hi Maurice,
The setting
local-zone: "d.f.ip6.arpa." nodefault
is a more granular method to unblock the part that is needed for you.
Because in fact the dns64 prefix is more specific, it would be a good
idea to perhaps keep the default, local-zone: "d.f.ip6.arpa." static,
with a more specific cut-out: local-zone: "8.b.d.0.1.0.d.f.ip6.arpa."
transparent. You may also need domain-insecure:
"8.b.d.0.1.0.d.f.ip6.arpa." or domain-insecure: "d.f.ip6.arpa." to make
it work.
I am not sure what works with dns64, but these are the local-zone
options that you seem to be getting at with the unblock-lan-zones option.
Best regards, Wouter
On 19/02/2020 14:51, Maurice Walker via Unbound-users wrote:
> Hello,
>
> When using the default DNS64 prefix, reverse lookups for synthesized addresses
> work. For example, a reverse lookup for 64:ff9b::185.49.140.10 properly
> resolves to PTR dicht.nlnetlabs.nl and PTR open.nlnetlabs.nl.
>
> Same behavior when setting dns64-prefix to a GUA prefix.
>
> But when using a ULA prefix ("dns64-prefix: fd01:db8::/96"), reverse lookups
> fail (NXDOMAIN).
>
> - Is this behavior intentional? The cause most likely is filtering of reverse
> lookups for private address space. But shouldn't the dns64-prefix be
> excluded from such filtering?
> - If it is indeed intentional, what would be the best way to work around it?
> Setting "unblock-lan-zones: yes" does the trick, but seems a bit too radical.
>
> Cheers,
> Maurice
>
More information about the Unbound-users
mailing list