
One of my worker servers is experiencing problems connecting to a central server. This happened suddenly; it worked earlier, and it still works on another, identical worker.

After some inspection the problem turns out to be this:

```
root@svc1:~# nslookup central.example.com
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   central.example.com
Address: 26.156.133.221
Name:   central.example.com
Address: 64:ff9b::2ea6:1337
```

systemd-resolved seems to think that the central server has an IPv6 address. But it doesn't, and never has:

```
root@svc1:~# dig central.example.com @ns1.example.com in AAAA
...
# there is no ANSWER SECTION
```

I could probably somehow clear the local DNS cache and fix the connection issue. But how could this happen, and how can I prevent it from happening again in the future?

Patrick Mevzek
Bart van Heukelom
  • systemd-resolved does not do this by itself. You need to first have a chat with your network administrator. – Michael Hampton Feb 14 '19 at 23:45
  • Those two IPv4 addresses are highly suspicious. One is a US military network, the other is an eastern European ISP. Two such different IPv4 addresses for the same hostname could indicate a DNS poisoning attempt. And there isn't enough information for me to figure out which of the two is legitimate. Under normal circumstances it should at least have been the same IPv4 address in both cases. – kasperd Feb 16 '19 at 18:56
  • Does your worker software follow [RFC 8305](https://tools.ietf.org/html/rfc8305)? If it doesn't, then now would be a good time to make it so. – kasperd Feb 16 '19 at 19:01
  • @kasperd Sorry, I changed the actual addresses for "security" reasons, should have mentioned – Bart van Heukelom Feb 20 '19 at 10:49

1 Answer

The prefix 64:ff9b:: is the well-known NAT64 prefix. For some reason systemd thinks you're on an IPv6-only network and won't be able to reach an IPv4 address. It therefore tries to be helpful and synthesise a NAT64 address so you might be able to reach the destination through that.

Why systemd does that I do not know :(

Sander Steffann
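
A check built on the answer above, as an added example that is not part of the original post: it recognises AAAA answers inside the well-known NAT64 prefix 64:ff9b::/96, extracts the IPv4 address embedded in the low 32 bits (RFC 6052), and compares it with the A records returned alongside it. The function names are hypothetical, and the sample input is the pair of addresses shown in the question, which the asker says were altered before posting.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; DNS64 resolvers embed the IPv4 address
# in the low 32 bits of an address inside this /96.
WELL_KNOWN_NAT64 = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a well-known-prefix NAT64
    address, or None if addr is not inside 64:ff9b::/96."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in WELL_KNOWN_NAT64:
        return None
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def classify_answers(addresses):
    """Split resolver answers into A records, native AAAA records and
    DNS64-synthesized AAAA records, and check each synthesized record
    against the A records it should have been derived from."""
    a_records, native, synthesized = set(), [], []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 4:
            a_records.add(ip)
        elif embedded_ipv4(text) is None:
            native.append(ip)
        else:
            synthesized.append(ip)
    report = []
    for ip in synthesized:
        v4 = embedded_ipv4(str(ip))
        report.append({
            "aaaa": str(ip),
            "embedded_ipv4": str(v4),
            # False means the synthesized address does not point at any
            # IPv4 address returned in the same response.
            "matches_a_record": v4 in a_records,
        })
    return {"a": sorted(map(str, a_records)),
            "native_aaaa": [str(i) for i in native],
            "synthesized": report}


if __name__ == "__main__":
    # Addresses as shown in the question's nslookup output.
    print(classify_answers(["26.156.133.221", "64:ff9b::2ea6:1337"]))
```

A synthesized record whose embedded IPv4 address matches an A record is consistent with DNS64 behaviour; a mismatch means the two answers did not come from the same underlying data and is worth investigating.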