1

How can I configure my Ubuntu 15.04 bind9 to stop resolving queries with IPv6?

TL;DR

I'm using bind9 on my Ubuntu 15.04 machine. It seems like my named server is trying to resolve a lot of queries using IPv6.

29-Jul-2015 01:03:28.926 lame-servers: error (network unreachable) resolving 'vassg.omniroot.com.edgesuite.net/A/IN': 2600:1401:2::2#53
29-Jul-2015 01:03:30.073 lame-servers: error (network unreachable) resolving 'askubuntu.com/A/IN': 2001:503:231d::2:30#53
29-Jul-2015 01:03:30.516 lame-servers: error (network unreachable) resolving 'stackapps.com/A/IN': 2001:503:a83e::2:30#53
29-Jul-2015 01:03:30.533 lame-servers: error (network unreachable) resolving 'stackapps.com/AAAA/IN': 2400:cb00:2049:1::adf5:3b69#53

When googling I ended up with the solution to start the named service in IPv4 mode only by adding a -4 switch. I tried modifying my /etc/default/bind9 into this:

/etc/default/bind9

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-4 -u bind"

But I still ended up having a lot of failed resolutions using IPv6.

So I checked the switches used to start named with systemd:

mippy@heimdal:~/src/servermon$ sudo service bind9 status
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since ons 2015-07-29 01:11:44 CEST; 25min ago
     Docs: man:named(8)
  Process: 6879 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 6884 (named)
   CGroup: /system.slice/bind9.service
           └─6884 /usr/sbin/named -f -u bind

So it seems like named is started with /usr/sbin/named -f -u bind. Not what I expected from my /etc/default/bind9.

How can I configure named with the -4 switch?

Civing

3 Answers

7

This is the procedure to update named options after Ubuntu's switch to systemd:

cp /lib/systemd/system/bind9.service /etc/systemd/system/bind9.service

edit

/etc/systemd/system/bind9.service

change

ExecStart=/usr/sbin/named -f -u bind

into

ExecStart=/usr/sbin/named -4 -f -u bind

then

systemctl daemon-reload
service bind9 restart

Double check that the change has taken effect:

mippy@heimdal:~/src/servermon$ sudo service bind9 status
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since ons 2015-07-29 11:09:26 CEST; 5min ago
     Docs: man:named(8)
  Process: 20737 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 20742 (named)
   CGroup: /system.slice/bind9.service
           └─20742 /usr/sbin/named -4 -f -u bind

For more information, check out this SUSE doc page. It should be applicable for us Ubuntu users as well. https://www.suse.com/documentation/sled-12/book_sle_admin/data/sec_boot_systemd_custom.html

Civing
0

Failed IPv6 lookups don't indicate a misconfiguration on the server, but a misconfiguration on the client. Your server, running only with an IPv4 address, will still get DNS requests (AAAA) for IPv6 resolutions. This started happening when the various OSes started enabling IPv6 by default several years back.

Rick Buford
0

Whilst the answer by @Civing will likely work, it may not be the cleanest way to override bind9's configuration because the entire systemd service definition - rather than just the ExecStart directive which needs overriding - is copied.

A more compact approach to achieve the same thing (for Xenial and later) appears here.

sxc731
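
The drop-in override that the last answer alludes to, as an added example that is not taken from any answer on this page: instead of copying the whole unit, a small file under /etc/systemd/system/bind9.service.d/ replaces only ExecStart. The function name and the file name ipv4-only.conf are assumptions made for illustration; the demo runs against a constructed copy of the unit.

```shell
#!/bin/sh
# Added example. Writes a drop-in that overrides only ExecStart of a unit,
# adding named's -4 switch. The file name ipv4-only.conf is an assumption.

# make_bind9_ipv4_dropin VENDOR_UNIT DROPIN_DIR
make_bind9_ipv4_dropin() {
    vendor_unit=$1
    dropin_dir=$2

    # Reuse whatever command line the packaged unit ships with.
    exec_start=$(sed -n 's/^ExecStart=//p' "$vendor_unit" | head -n 1)
    if [ -z "$exec_start" ]; then
        echo "no ExecStart= line in $vendor_unit" >&2
        return 1
    fi

    case " $exec_start " in
        *" -4 "*) new_exec=$exec_start ;;          # already IPv4-only
        *" -6 "*) echo "unit forces -6, refusing" >&2
                  return 1 ;;
        *) binary=${exec_start%% *}                 # first word of the command
           args=${exec_start#"$binary"}             # everything after it
           new_exec="$binary -4$args" ;;
    esac

    mkdir -p "$dropin_dir" || return 1
    # The empty ExecStart= clears the inherited command; systemd refuses a
    # second ExecStart= for services that are not Type=oneshot.
    printf '[Service]\nExecStart=\nExecStart=%s\n' "$new_exec" \
        > "$dropin_dir/ipv4-only.conf"
}

# Demo on a constructed copy of the unit, so nothing under /etc is touched.
demo=$(mktemp -d)
printf '[Service]\nExecStart=/usr/sbin/named -f -u bind\n' > "$demo/bind9.service"
make_bind9_ipv4_dropin "$demo/bind9.service" "$demo/bind9.service.d"
cat "$demo/bind9.service.d/ipv4-only.conf"
rm -rf "$demo"

# On the real system (as root):
#   make_bind9_ipv4_dropin /lib/systemd/system/bind9.service \
#       /etc/systemd/system/bind9.service.d
#   systemctl daemon-reload && service bind9 restart
```

After the restart, the status output should show the Drop-In directory under /etc/systemd/system and the -4 switch on the named command line, while the packaged unit file stays untouched.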