
I am trying to prevent a webserver from doing IPv6 lookups (AAAA) to the DNS server. The webserver has no IPv6 addresses set up on its interfaces. Disabling IPv6 in sysctl.conf had no impact either: the webserver keeps sending both A and AAAA requests for every hostname to the DNS server (I performed a tcpdump).

Can anyone help me stop the webserver from sending out IPv6 hostname lookups?

Extra information:
This is on my internal network. tcpdump output:

webserver.internal.43831 > internaldns.internal.domain: [bad udp cksum 629d!] 63585+ A? someserver.internal. (43)
webserver.internal.43831 > internaldns.internal.domain: [bad udp cksum 32dd!] 40337+ AAAA? someserver.internal. (43)

internaldns returns the IP for the A record and NXDOMAIN for the AAAA, as none is set.

    And why do you want to set up something you'll just have to undo later? – Michael Hampton Oct 11 '12 at 14:56
    @MichaelHampton Maybe `IP` is like Windows, and they're hoping to skip Vista/v6 and just deploy IPv7 when it comes out. Admit it, IPVista does sound pretty horrible. – HopelessN00b Oct 11 '12 at 16:19
    After your edit, I see that you haven't actually described a problem. This is normal and expected behavior, and **should not be changed**. – Michael Hampton Oct 11 '12 at 16:45
  • Your tcpdump output shows only the queries, not the replies. If the name server actually replies NXDOMAIN to the AAAA, it means it is horribly broken and should be fixed. The name exists, it just does not have a AAAA record. The proper reply is therefore NOERROR with no answer. – bortzmeyer Oct 11 '12 at 20:27
  • Not sure what problem you're trying to handle. If you just don't want the requests going anywhere you could always firewall the outgoing packets. Otherwise you could delve into the source code for webserver application, but that's probably farther down the rabbit hole than you're willing to go for this. – Peter Oct 15 '12 at 19:50
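One way to check what the name server is actually saying for the AAAA query (the point raised in the comments above), as an added example that is not from the question or any answer: a minimal DNS wire-format parser that tells NXDOMAIN (the whole name does not exist) apart from NODATA (NOERROR with an empty answer section, the correct reply for a name that has an A record but no AAAA). The three response messages are constructed in the code; in practice you would feed it the UDP payload of the reply captured with tcpdump.

```python
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname: str, qtype: int, rcode: int, rdata: bytes = b"") -> bytes:
    """Constructed sample reply: header, one question, at most one answer RR."""
    ancount = 1 if rdata else 0
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answer = b""
    if rdata:
        # 0xC00C is a compression pointer to the question name at offset 12.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def classify_response(msg: bytes) -> tuple:
    """Return (qtype name, verdict) for the first question in a DNS reply.

    NXDOMAIN asserts the name does not exist at all, so it is the wrong reply
    for a name that does have an A record; NODATA (NOERROR, ANCOUNT=0) is right.
    """
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    qtype = None
    for _ in range(qdcount):
        off = skip_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4  # QTYPE + QCLASS
    qtype_name = QTYPE_NAMES.get(qtype, f"TYPE{qtype}")
    if rcode != 0:
        return (qtype_name, RCODE_NAMES.get(rcode, f"RCODE{rcode}"))
    return (qtype_name, "ANSWER" if ancount else "NODATA")
```

Applied to the replies for the queries in the tcpdump above, a result of ("AAAA", "NXDOMAIN") is the broken behaviour and ("AAAA", "NODATA") the expected one.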

1 Answer


There is no reason to disable IPv6 AAAA lookups (at least none you've given us), so my answer to you is please stop trying to outsmart your system and let it work the way it's intended to.

By disabling IPv6 lookups now you're just setting yourself up for mysterious problems in the future when you add IPv6 to your environment and suddenly some systems aren't working properly.
The negligible cost of a few bytes in a spurious DNS request is far outweighed by the predictability/correctness of your environment in the future.

That said, if you still want to play with this foot-gun, the easiest solution (in fact the only one I'm aware of) is to compile and install a resolver which is not IPv6 aware.

If you do such a horrible thing, ensure that it is well documented in no fewer than 5 places (your site's documentation repository, MOTD/issue, SSH banner, a sticker on the machine itself, and a memo to your boss) so that when it breaks in the future there's a chance someone will be able to fix it quickly, without having to figure out that the machine was lobotomized.

  • Refer to RFC 4472, section '5.2 DNS Lookups May Query IPv6 Records Prematurely' - it's a very common problem with IPv4 single stack hosts. – Alexander Janssen Oct 11 '12 at 16:11
  • @AlexanderJanssen It's not really a *problem*: The querying host will be told `NXDOMAIN` (or given a v6 address which it can't/won't use because it doesn't have a v6 stack). A properly configured system won't notice any ill effects, and a misconfigured system should be fixed, not hacked on... – voretaq7 Oct 11 '12 at 16:37
  • The most relevant comment in that RFC is `These issues should be analyzed at more depth, and the fixes found consensus on, perhaps in a separate document.` - to my knowledge that hasn't happened yet. In absence of that consensus and proper (documented, vendor-supported) ways to disable the v6 lookups living with a few spurious AAAA queries is the lesser of two evils IMHO. – voretaq7 Oct 11 '12 at 16:39
  • It should also be documented in the company newsletter and the 10-Q. – Michael Hampton Oct 11 '12 at 16:46
  • I can't connect to IPv6 from a host, and now the resolution to it fails and the servers on there can't connect to the IPv4, as they keep getting IPv6 records on the ANY query ;( Now I need to recompile distribution packages for that reason? I'd rather fix the problem on the system level to get things working! – Hvisage Mar 04 '21 at 20:47
  • This is a self-biased _suggestion_, not an _answer_. – Alireza Mohamadi Jan 01 '22 at 08:31