9

Our office network is internally dual-stack, but the connection to the rest of the Internet is IPv4-only. I've got BIND 9.9 set up on a Linux box to handle DNS resolution.

Is there a way to configure BIND to prefer to use IPv4 when contacting other DNS servers without disabling IPv6? I'd like to leave IPv6 enabled so everything Just Works once we get an IPv6 connection to the outside world, but without clogging the logs with `error (network unreachable) resolving 'microsoft.com/DS/IN': 2001:7fd::1#53` messages in the meantime.

Mark
    Not sure how you could handle it in bind. But you can adjust the linux or Windows clients to prefer IPv4 instead of IPv6. `/etc/gai.conf` or https://superuser.com/a/436944/2057 – Zoredache Mar 29 '17 at 22:15
  • Can you get a hurricane electric tunnel or something? – thrig Mar 29 '17 at 22:33
  • More to the point, can you remove the default IPv6 route? – Michael Hampton Mar 30 '17 at 02:48
  • Is it always searching for DS records? Or NS as well? May be a bug with DNSSEC validation. – Jacob Evans Mar 30 '17 at 03:37
  • @JacobEvans, it's the full range of record types: I've seen A, AAAA, and others all go by. The log entry I grabbed for an example just happened to be a DS record. – Mark Mar 30 '17 at 04:41
  • I think you need to either use v4 forwarders like Google or OpenDNS, set the system preference to v4 over v6, or disable v6 lookup with `OPTIONS="-4"`, the last being the least preferred. Honestly, just use a forwarder or deal with the errors. – Jacob Evans Apr 02 '17 at 15:17
  • @Mark: did you ever find a solution to this problem? – Tommiie Sep 03 '18 at 18:19
  • @Tom, no. I should probably take another look now that I'm using BIND 9.10, but I don't expect to find anything. – Mark Sep 10 '18 at 19:49

2 Answers

2

Can't remember where I found this solution, but here it is.

In /etc/bind/named.conf.local:

// disable lookup over IPv6
server ::/0 {
        bogus yes;
};

It then pretends that IP addresses in the IPv6 range are unreachable and does it with IPv4 instead.

Fredrik
  • This sounds like it will disable lookup over IPv6 entirely, while I'm asking about preferring IPv4 while still using IPv6 if available. – Mark Feb 09 '21 at 04:21
  • "Only the most specific server clause applies regardless of the order in named.conf." - @Mark - you should be able to have more specific server blocks with `bogus no` for your internal servers. You can just have one for your internal network and the above will cover Internet at large to which you don't have IPv6 connectivity. – Tomek May 14 '21 at 06:02
  • You should put it outside of the `option {};` section. – SdSaati Sep 09 '21 at 00:53
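Putting Fredrik's catch-all clause together with Tomek's more-specific override, as an added example that is not part of the original answer. The prefix `2001:db8:1::/48` is a documentation-prefix placeholder standing in for your own internal IPv6 range.

```conf
// Added example, not from the original answer.
// These are top-level server clauses in named.conf.local; they do not
// go inside the options {} block.

// Catch-all: never query IPv6 addresses. BIND treats a "bogus" server
// as unreachable and falls back to the IPv4 addresses it knows for the
// same name server, so the "network unreachable" log lines stop.
server ::/0 {
        bogus yes;
};

// The most specific matching server clause wins regardless of order.
// 2001:db8:1::/48 is a placeholder: put your internal IPv6 prefix here
// so that internal name servers are still queried over IPv6.
server 2001:db8:1::/48 {
        bogus no;
};
```

Run `named-checkconf` before reloading, and remember that an authoritative server reachable only over IPv6 becomes unresolvable while the catch-all is in place, so remove it once the IPv6 uplink is live.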
-3

I suggest changing the clients, not the DNS server. Clients usually ask for DNS entries by requesting A and/or AAAA records. There is a sorting algorithm to prefer V6 over V4 if there are both answers from DNS. Every connection is effectively made by the clients.

To prefer IPv4 over V6 you can set

precedence ::ffff:0:0/96  100

in /etc/gai.conf on every client. This works at least on GNU/Linux. I don't know how to make Windows do this.

HTH

StefanKaerst
  • The problem isn't that clients are requesting AAAA records, it's that the server is trying to make IPv6 connections to other DNS servers, and then falling back to IPv4 when that fails. – Mark Apr 12 '21 at 20:35
  • This is expected behavior. According to https://tools.ietf.org/html/rfc6724: _Well-behaved applications SHOULD NOT simply use the first address returned from an API such as getaddrinfo() and then give up if it fails. For many applications, it is appropriate to iterate through the list of addresses returned from getaddrinfo() until a working address is found._ If you don't want your DNS server to try all IP addresses starting with V6, then change /etc/gai.conf to prefer IPv4, or change its /etc/resolv.conf to use V4 addresses only. – StefanKaerst Apr 13 '21 at 04:45
  • @StefanKaerst That wasn't what was asked - it was asked how BIND can be restricted to answer IPv4 only - and on that point your answer does not fit. – djdomi Jun 06 '23 at 16:20
  • If you have control over the server running the BIND DNS service, you could simply change `/etc/gai.conf` there as well. – StefanKaerst Jun 11 '23 at 05:21
  • BTW, "microsoft.com/DS/IN" looks like a DS record of DNSSEC (https://en.wikipedia.org/wiki/List_of_DNS_record_types). Maybe it's worth trying to disable DNSSEC for this BIND service. – StefanKaerst Jun 11 '23 at 05:38