Unbound: force queries on ipv4 only #6526

Closed
stephdl opened this issue Jun 15, 2021 · 4 comments
Labels
verified All test cases were verified successfully

Comments

@stephdl

stephdl commented Jun 15, 2021

With the nethserver-mail stack we use unbound mainly for rspamd, but the default options leave it open to resolving queries over IPv6.

Proposed solution

The proposed solution is to force unbound to resolve only on ipv6.

From man unbound.conf:

       do-ip4: <yes or no>
              Enable or disable whether ip4 queries are answered or issued. Default is yes.

       do-ip6: <yes or no>
              Enable or disable whether ip6 queries are answered or issued. Default is yes.  If disabled, queries are not answered on IPv6,  and  queries  are  not sent  on  IPv6 to the internet nameservers.  With this option you can disable the ipv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it.

With the work of @jenszo we have a pull request: NethServer/nethserver-unbound#3

Thanks @jenszo

gsanchietti added a commit to NethServer/nethserver-unbound that referenced this issue Jun 16, 2021
Explicitly disabling IPv6 - no support by Nethserver 7.x

NethServer/dev#6526
@nethbot
Member

nethbot commented Jun 16, 2021

in 7.9.2009/testing:

@gsanchietti
Member

gsanchietti commented Jun 16, 2021

Test case 1

Check unbound can still reply to queries containing an IPv6 address, example:

dig  -t AAAA www.google.com @localhost -p 10053

Test case 2

  • Disable IPv6:
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    sysctl -w net.ipv6.conf.default.disable_ipv6=1
    
  • Verify unbound can still be started
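A quick way to confirm what the man page excerpt in the issue body describes, namely that the running config really has the IPv6 transport off while IPv4 stays on, before running the dig and sysctl checks above. This is an added example, not code from the issue or from the nethserver-unbound package; it assumes a plain unbound.conf using the `option: value` syntax from the man page and writes a constructed sample file to test against.

```shell
#!/bin/sh
# Resolve do-ip4/do-ip6 the way unbound does: an absent option means "yes",
# and when an option is repeated the last occurrence wins.

# Print the effective yes/no value of <option> (arg 2) in <conf-file> (arg 1).
unbound_option() {
    awk -v opt="$2" '
        { sub(/#.*/, "") }                                   # drop comments
        match($0, "^[ \t]*" opt ":[ \t]*") {                 # e.g. "do-ip6: no"
            v = tolower(substr($0, RLENGTH + 1))
            gsub(/[ \t]+$/, "", v)
        }
        END { print (v == "" ? "yes" : v) }                  # unbound default
    ' "$1"
}

# Return 0 when the file disables the IPv6 transport but keeps IPv4 enabled.
ipv6_transport_disabled() {
    [ "$(unbound_option "$1" do-ip6)" = no ] &&
    [ "$(unbound_option "$1" do-ip4)" = yes ]
}

# Constructed sample config (not the NethServer template) for a stand-alone run.
write_sample_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    port: 10053
    do-ip4: yes
    do-ip6: yes   # distribution default, overridden below
    do-ip6: no    # explicitly disable the IPv6 transport
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
if ipv6_transport_disabled "$tmp"; then
    echo "IPv6 transport disabled, IPv4 queries still answered"
else
    echo "WARNING: unbound may still send or answer queries over IPv6"
fi
rm -f "$tmp"
```

On a real host point `ipv6_transport_disabled` at /etc/unbound/unbound.conf after the template has been applied; note that it does not follow `include:` directives.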

@gsanchietti gsanchietti added the testing Packages are available from testing repositories label Jun 16, 2021
@stephdl stephdl self-assigned this Jun 18, 2021
@stephdl
Author

stephdl commented Jun 18, 2021

Case 1 and case 2 verified

rpm version nethserver-unbound-1.1.0-1.4.g87fa0b0.ns7.noarch


Case 1


[root@ns7loc2 ~]# dig  -t AAAA www.google.com @localhost -p 10053

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> -t AAAA www.google.com @localhost -p 10053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24435
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.			IN	AAAA

;; ANSWER SECTION:
www.google.com.		300	IN	AAAA	2a00:1450:4007:808::2004

;; Query time: 83 msec
;; SERVER: 127.0.0.1#10053(127.0.0.1)
;; WHEN: Fri Jun 18 16:39:39 CEST 2021
;; MSG SIZE  rcvd: 71


Case 2

Disable IPv6:

[root@ns7loc2 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1

[root@ns7loc2 ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1

Restart unbound and verify status:

[root@ns7loc2 ~]# systemctl restart unbound

[root@ns7loc2 ~]# systemctl status  unbound
● unbound.service - Unbound recursive Domain Name Server
   Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-06-18 16:40:30 CEST; 6s ago
  Process: 5412 ExecStartPre=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem (code=exited, status=0/SUCCESS)
  Process: 5410 ExecStartPre=/usr/sbin/unbound-checkconf (code=exited, status=0/SUCCESS)
 Main PID: 5415 (unbound)
   CGroup: /system.slice/unbound.service
           └─5415 /usr/sbin/unbound -d

Jun 18 16:40:30 ns7loc2.nethservertest.org systemd[1]: Starting Unbound recursive Domain Name Server...
Jun 18 16:40:30 ns7loc2.nethservertest.org unbound-checkconf[5410]: unbound-checkconf: no errors in /etc/unbound/unbound.conf
Jun 18 16:40:30 ns7loc2.nethservertest.org systemd[1]: Started Unbound recursive Domain Name Server.
Jun 18 16:40:30 ns7loc2.nethservertest.org unbound[5415]: [5415:0] notice: init module 0: subnet
Jun 18 16:40:30 ns7loc2.nethservertest.org unbound[5415]: [5415:0] notice: init module 1: validator
Jun 18 16:40:30 ns7loc2.nethservertest.org unbound[5415]: [5415:0] notice: init module 2: iterator
Jun 18 16:40:30 ns7loc2.nethservertest.org unbound[5415]: [5415:0] info: start of service (unbound 1.6.6).

Verify it is still running:

[root@ns7loc2 ~]# dig  -t AAAA www.google.com @localhost -p 10053

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> -t AAAA www.google.com @localhost -p 10053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18381
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.			IN	AAAA

;; ANSWER SECTION:
www.google.com.		300	IN	AAAA	2a00:1450:4007:808::2004

;; Query time: 65 msec
;; SERVER: 127.0.0.1#10053(127.0.0.1)
;; WHEN: Fri Jun 18 16:40:42 CEST 2021
;; MSG SIZE  rcvd: 71

@stephdl stephdl removed their assignment Jun 18, 2021
@stephdl stephdl added the verified All test cases were verified successfully label Jun 18, 2021
@gsanchietti gsanchietti removed the testing Packages are available from testing repositories label Jun 21, 2021
@nethbot
Member

nethbot commented Jun 21, 2021

in 7.9.2009/updates:
