-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bind9 named server interaction with block_ipv6 activated resulting in SERVFAIL queries #2716
Comments
Tried on Win10, but no BIND 9.16.28 (Extended Support Version)
==>
==>
The error message in bind9 should not matter. Dig can receive the answer. |
Win10 has no play in here. And the problem is not if dig is able to receive the answer or not. That's were lies the problem, and I was explaining with this line :
To get more into the detail, one of the root source is the MUSL libc, replacing GLIBC and used on alpine distributions or anything else requiring a lightweight system. Try any alpine image on docker, it will occurs immediately with a simple And as said, more and more applications are using a system backend, if not themselves, executing a simultaneous A + AAAA query. And for your hint to tweak |
That's too much to read, but if what you are saying is that synthetic responses should always have the RA flag, and keep the RD flag of the query like non-synthetic responses, try 8d43ebf |
Thought it was
Seems you already know where the problem is. It is bind9, SERVFAIL in/from bind9. Try Bind9 is a recursive server, but dnscrypt-proxy is not. Setting dnscrypt-proxy as the upstream of bind9 does not seem to be a good practice. |
It is probably the same as the reddit discussion with blacklist
Output of the following commands:
What is affected by this bug?
All IPv6 queries or explicit IPv4+v6 dns record queries are ending in SERVFAIL
When does this occur?
Always, when block_ipv6=true is set in dnscrypt-proxy configuration with a Bind9 dns server in front, dnscrypt-proxy being used as a forwarder.
How do we replicate the issue?
I'm currently having a Bind9 dns servers for the internal network, forwarding external queries to a dnscrypt-proxy server.
IPv6 is not used on the network, thus having it blocked by dnscrypt-proxy.
This usually is working well, but it seems there are more and more applications explicitly querying for both A and AAAA records.
That's when I found that such queries were returned with the SERVFAIL status when coming from dnscrypt-proxy through bind9.
When investigating, I found the following when querying for a AAAA record :
It seems the generated HINT answer from dnscrypt-proxy when blocking ipv6 records is accepted by most clients, but not bind.
When block_ipv6 is active, using "dig" with a direct query to dnscryp-proxy, and one to the windows server, it appeared there's a difference in the answer flags :
Flags: qr aa rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
Flags: qr ra; QUERY: 1; ANSWER: 1; AUTHORITY: 1; ADDITIONAL: 0
dnscrypt-proxy is missing these flags in its response : aa (authoritative) and rd (recursion desired) in the HINT generated answer.
So I did some packet capture to confirm this and decode the header content with wireshark :
Windows DNS answer header
dnscrypt-proxy answer header
Both flags are indeed missing from dnscrypt-proxy answer
Expected behavior (i.e. solution)
I suspect that as Bind9 has only dnscrypt-proxy as the only forwarder, it will force the status to failed because the AAAA answer is absent, no recursion was done and the server is not authoritative. And I didn't find in the RFC what is the correct behavior here, if there's one.
But I'm not seeing how to alter the
dns.HINFO
construct in the block_ipv6 plugin of dnscrypt-proxy, to add the "authoritative" and "Recursion desired" flags to check if Bind9 is happy with these.That's the last part I am looking for, I can run a test build if required.
The text was updated successfully, but these errors were encountered: