Score:1

BIND9 not getting queries over IPv6

ng flag

I'm testing the upgrade of a Debian 10 server to Debian 11. The server runs bind9 as a primary authoritative DNS for a number of domains and on Debian 10 has been working fine for two years. (BIND v.9.11.5) On a new test Debian 11 VPS (BIND 9.16.15), with site specific configuration files copied across (just for 1 test domain for now), bind9 is working normally when queries (A, AAAA, MX) are sent over IPv4, but there is no response when using IPv6.
I have an nftables firewall which allows incoming packets for port 53, and if I turn on firewall logging for UDP dport 53 the IPv6 and IPv4 query packets are all shown.
When bind9 starts up it reports in syslog that it is listening on the IPv6 address.
ss shows the process listening on IPv6.
If I use rndc querylog and watch the log file, the IPv4 queries are logged, but IPv6 queries are not.
It's as if the incoming UDP packets are being lost between the firewall and bind9.
No other process is listening on port 53, because if I stop bind9 from running, ss lists nothing.
Other services (e.g. SSH) work perfectly on IPv6.
My named.conf.options looks like this:

options {
    directory "/var/cache/bind";

  allow-query-cache { none; };
  allow-query { any; };
  recursion no;

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================

  dnssec-validation auto;

  listen-on-v6 port 53 { any; };

};

So what other tests can I do to resolve this?

(There is a second problem with BIND which may be unrelated: a "permission denied" error during a zone transfer to a secondary DNS.)

stark avatar
mu flag
With bind disabled, listen wth nc6 to see if the packets are dropped by bind or nftables
Anahata avatar
ng flag
@stark Thanks for suggestion. nc -ulp 53 shows IPv4 incoming queries, but not IPv6. (I tried nc -6ulp 53 too) At the same time, nftables logs both. nc is the only thing listening on port 53.
stark avatar
mu flag
Has to be the firewall rules then.
Score:0
ng flag

Fixed by rebooting!
It's possible that I should have done this after an automatic kernel upgrade was done recently. The behaviour certainly wasn't making any sense.

UPDATE: Having run into similar problems again, I now suspect this happened because my system had iptables previously installed by some other software. If iptables is still installed, its rules may persist in the kernel's networking configuration, invisibly to nftables. To fix, I had to both remove the iptables package and clear any iptables rules in the kernel; the latter would have happened when I rebooted.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.