-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stub-resolv.conf doesn't seem to work with ipv6 #12159
Comments
iirc "dig -6" uses IPv6 as transport, but the resolved stub doesn't listen on ipv6. That's because on ipv4 we have a whole subnet for the local host (127.0.0.0/8) while on IPv6 a single address only. On IPv4 we can thus pick an ip address from that range (127.0.0.53) to listen on, leaving the usual 127.0.0.1 everybody uses unaffected, and allowing something else to listen on that. On IPv6 all that is not possible, since there's only one address, and hence we opted not to listen on it at all given that it shouldn't matter what local address to listen on. After all the stub traffic never leaves the machine, hence why does it matter if it listens on ipv4 or ipv6? So, what are you trying to do? And why does it matter if ipv4 or ipv6 is used to contact the local dns stub resolver? |
@poettering I was following what was recommended in the man file. I'm not actually 100% sure what "resolved stub" does This file is something that appears to be new since I don't ever remember reading about the file before. Specifically this bit in
I had a Nextcloud setup working just fine but the issue popped up when I tried to install ClamAV and it gave me I'm probably misunderstanding the man page. Maybe the man page should be updated to be more clear about what "/run/systemd/resolve/stub-resolv.conf" is for and that IPv6 DNS is not supported. Can someone please explain what "stub-resolv.conf" is for? Why was it added? |
I have switched the symlink back to |
I spoke too soon, I'm now seeing a lot of these kind of messages.
|
You apparently turned on DNSSEC validation but your local DNS server doesn#t actually support that. Turn it off. Again, why did you use "dig -6" instead of regular "dig"? |
@poettering ok so DNSSEC validation is a OpenWRT issue. As it should just be forwarding DNS requests, I'll look into that. I used 'dig' and 'dig -6' because I wanted to see both IPv4 and IPv6 connections working. I'm supposed to have both IPs from my ISP. |
@poettering so what does the local "DNS stub resolver" do exactly then? And why is it "recommended" in the man page? I thought unless you wanted some special DNS enteries for yourself that there wasn't a DNS server of any kind running under Linux by default. Everything went to the LAN router or a external DNS server like what Google hosts. |
@poettering any answers to my last post? |
Using
The benefits to using systemd-resolved as an intermediary are numerous. You encountered one of them: if enabled, systemd-resolved will enforce DNSSEC on every outbound DNS request, otherwise, whether DNSSEC is enforced is application specific.
In both of these situations almost all of the requests are still being sent to an external DNS server. If you want to test IPv6 connectivity, use something like |
So it turns out part of the issue was my system date was way out of sync. That can be blamed on having that system off for some time and "systemd-timesyncd" not wanting to update a system time that is weeks out of sync. I had to manually update the time with 'timedatectl' before "systemd-timesyncd" took over. I can thank folks at the #ArchLinux IRC channel over at Freenode for helping me finally find my glaring error. Other issue with OpenWrt was solved by updating to the latest stable firmware, 18.06.2 at the time. Then removing 'dnsmaq' and 'odhcpd-ipv6only' packages installed by default and installing the 'dnsmasq-full' package. Then making sure the DNSSEC options were switched on, which at the time is below. Adding the following two lines to /etc/config/dhcp
@carloabelli Before I go and close this as solved and just 'user confusion', I want to make one thing clear. Making use of "/run/systemd/resolve/stub-resolv.conf" will still allow my system to resolve IPv6 enabled domain name addresses? |
Yes, resolving IPv6 enabled domains (querying AAAA records) is entirely independent of the IP version used to access the DNS server. A client with only IPv4 connectivity can still retrieve AAAA records (but they are going to be pretty useless). Note that if you only have IPv6 connectivity, just make sure systemd-resolved has IPv6 DNS servers listed under resolvectl. The local query will still be IPv4, but the external query will be done with IPv6. |
@carloabelli Thank you for helping me with the confusion I had. It didn't help I had a misconfigured system in the process. Anyways I'm now going to close this issue ticket. Issue was user confusion and user error. Solved because a few people on IRC pointed out issues with how I had my system set up and @carloabelli finally helped me understand what "stub-resolv" is for. Things appear to be working correctly from my viewpoint. |
@carloabelli I have an interesting case. The system has only IPv6 connectivity. The systemd-resolved is configured to use stub-resolv.conf file. And the DNS server is coming from DHCP. |
It isn't specific to dig, all tools do this. I currently can't connect to a remote server with "ssh -6" because that doesn't resolve (same reason as dig), and I need to force IPv6 for this connection since that server has an IPv4 config issue at the moment, and can't be reached via IPv4. |
No this is only an issue for dig since in this case |
Running Arch Linux here. I'm finding it difficult to figure this out. I have both systemd-networkd and systemd-resolved enabled on my system and a single config for a Ethernet connection. My system is headless and I'm connected over LAN via SSH.
It's mentioned that it's recommended to use /run/systemd/resolve/stub-resolv.conf with a symlink. But it doesn't seem to work with IPv6. things like "dig -6 google.com" fail.
Am I doing something wrong, how do I set this up with both IPv4 and IPv6? I have a IPv4 and IPv6 IP from my ISP and IPv6 connections work on a different system on the same LAN with GUI and NetworkManager
0 lrwxrwxrwx 1 root root 37 Mar 31 07:27 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
/etc/systemd/resolved.conf.d/override.conf
The text was updated successfully, but these errors were encountered: