1

I have (attempted to) set up dnscache on Ubuntu 14.04 (Trusty) to do dual stack for servicing requests AND querying authoritative name servers.

To be clear, I'm using the dbndns package, which has the IPv6 patch by fefe.

I installed the dbndns & dnscache-run packages. I made sure that /etc/service/dnscache/env/IP was 0.0.0.0 and /etc/service/dnscache/env/IPSEND was 0.0.0.0.

I also added our IP ranges in /etc/service/dnscache/root/ip.

I can now load AAAA and A records using dig on another machine over both IPv4 and IPv6. But testipv6.com has a test for loading records from an IPv6 only authoritative name server. To test this, it loads the URL http://ds.v6ns.test-ipv6.com/ip/?callback=?. If I dig the hostname for that, ds.v6ns.test-ipv6.com using 8.8.8.8 (Google's IPv6 enabled DNS server), I get an AAAA record back. But doing the same to my dbndns cache (over IPv4 and IPv6) returns no result.

Does IPSEND need to be changed? If so, what to? I don't want to break resolving stuff for IPv4 only authoritative name servers.

Azendale

2 Answers

1

I’ve had the same problem, and I found it fixed by upgrading from Fefe’s test23 to his test27 patch; specifically, the diffs to query.c fixed this issue.

This is mostly changes like this:

-dtype = z->level ? DNS_T_A : z->type;
+dtype = z->level ? (z->ipv6[z->level] ? DNS_T_AAAA : DNS_T_A) : z->type;
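
Review bot: On the `+` line, the nested conditional reads `z->ipv6[z->level]`, and nothing in the hunk shows that this array is populated for every level before the read or sized to match the levels; a stale or unset entry would silently select the wrong record type. Since the answer says the same substitution recurs across query.c, consider moving the expression into one small helper with a comment stating what `ipv6[]` holds, so the call sites cannot drift apart.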

There are missing braces in the if statement around line 950 though (which I’ll report to Fefe now), and you also need to change dtype differently if you have the security patches from http://www.your.org/dnscache/ applied (which you probably should).

I’m maintaining a heavily merged and customised (for support for OpenBSD-style IPv6) flavour of it, but here’s my patch for query.c which should help you merge those.

IPSEND must be :: for this to work, of course. Your mentioned test host ds.v6ns.test-ipv6.com works for me after the change, and fails before, so I’m pretty sure this was it.

mirabilos
  • Awesome! Only in the open source world do you sometimes get new code as an answer to your question! I'm on a Linux platform, so I'll have to see if I can figure out if this will work on Linux. (I don't yet know what "OpenBSD-style IPv6" implies.) – Azendale Mar 28 '16 at 20:54
  • “OpenBSD-style IPv6” means “double stack” as opposed to “dual stack”; the latter is enabled by default in most Linux distros (the Linux kernel can do both, with a global switch) and means you can get v4 connections on a v6 socket (not needing to open two sockets can simplify program flow and is what Fefe did). As long as your `net.ipv6.bindv6only` sysctl is 0 don’t worry about it. – mirabilos Mar 28 '16 at 22:44
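
One way to check the settings the answer above calls for (IPSEND set to `::` and `net.ipv6.bindv6only` at 0), as an added example that is not part of either answer or of dbndns. It assumes the daemontools layout from the question (`DIR/env/IPSEND`) and Linux's `/proc/sys/net/ipv6/bindv6only`; the function names and verdict strings are made up for illustration.

```shell
# Added example: audit a dnscache service directory's outgoing-address setting.
# Usage: audit_ipsend /etc/service/dnscache

# addr_family ADDR -> prints v4, v6 or invalid (coarse syntax check only)
addr_family() {
    case "$1" in
        ''|*[!0-9a-fA-F:.]*) echo invalid ;;
        *:*)                 echo v6 ;;
        *.*.*.*)             echo v4 ;;
        *)                   echo invalid ;;
    esac
}

# audit_ipsend DIR [BINDV6ONLY] -> prints one verdict; exit status 0 only for "ok".
# BINDV6ONLY overrides the sysctl value (useful for testing off-box).
audit_ipsend() {
    dir=$1
    file="$dir/env/IPSEND"
    [ -r "$file" ] || { echo "missing"; return 2; }
    # Use the first line only and strip blanks and carriage returns.
    ipsend=$(head -n 1 "$file" | tr -d ' \t\r')
    v6only=${2:-$(cat /proc/sys/net/ipv6/bindv6only 2>/dev/null)}
    case "$(addr_family "$ipsend")" in
        v4) # An IPv4 source address cannot reach IPv6-only authoritative servers.
            echo "v4-only-send"; return 1 ;;
        v6) # Other spellings of the unspecified address are not normalised here.
            if [ "$ipsend" != "::" ]; then
                echo "v6-specific-send"; return 1
            fi
            case "$v6only" in
                0) echo "ok"; return 0 ;;
                1) echo "bindv6only-set"; return 1 ;;     # :: socket would be v6-only
                *) echo "bindv6only-unknown"; return 2 ;;
            esac ;;
        *)  echo "invalid"; return 2 ;;
    esac
}
```
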
-1

It won't work that way unfortunately, even with dbndns patched.

You will need two instances of dnscache for it to work, one with specific IPv4 address (using it as you did before), and one with specific IPv6 address:

```
root@fw0:/service# grep '' dnscache*/env/IP*
dnscache/env/IP:10.66.1.1
dnscache/env/IPSEND:198.51.100.1
dnscache6/env/IP:2001:db8:10:30::1
dnscache6/env/IPSEND:0.0.0.0
```

Replace 10.66.1.1 with your private IPv4, and 198.51.100.1 with your public IPv4 and 2001:db8:10:30::1 with your (public, duh) IPv6 addresses. It then works for me:

```
# dig aaaa ds.v6ns.test-ipv6.com @2001:db8:10:30::1

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> aaaa ds.v6ns.test-ipv6.com @2001:db8:10:30::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32403
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds.v6ns.test-ipv6.com.         IN      AAAA

;; ANSWER SECTION:
ds.v6ns.test-ipv6.com.  360     IN      AAAA    2001:470:1:18::119
```

Matija Nalis