[Dnsmasq-discuss] IPv6 resolve local only
Petr Menšík
pemensik at redhat.com
Fri Aug 30 10:57:41 UTC 2024
Make sure (sub)domains served exclusively by dnsmasq are marked as
local=/tier1.internal/. That will prevent dnsmasq from forwarding any other
queries to the upstream nameserver, which very likely does not know them.
That is, if sshgw.tier1.internal has only an A address, the AAAA query is
forwarded further and times out there. In fact, make sure the whole .internal
is stopped somewhere at your border and not forwarded to your ISP. IPv4
works better, because those names are defined by dnsmasq and it does not
forward them. For AAAA it is not defined and therefore forwarded.
Although it is also a problem at the ISP; it should respond with NXDOMAIN or
REFUSED, but it should respond with some response anyway.
Try it with the "dig -t AAAA sshgw.tier1.internal" command.
You can do that with local=/internal/ or auth-server=internal on recent
versions. If you have multiple devices serving internal subdomains, make
sure the one before the ISP's nameserver stops queries to them and answers
when the record does not exist.
I think in general the problem is that the client sends AAAA queries
even when no IPv6 route exists on that machine. But that should be fixed
in glibc.
On 05/08/2024 23:25, Klaus Vink Slott via Dnsmasq-discuss wrote:
> Hi. I am new to dnsmasq and do not really care about IPv6 as our ISP
> does not support it. I am trying to replace the built-in dhcp/dns in
> pfSense with a dnsmasq on a separate machine. Currently there are 3
> Linux hosts on this VLAN, one with dnsmasq.
>
> I have set up everything as I think it should work. But I am confused
> about how to configure the IPv6 part. For IPv4 everything seems fine:
> hosts get a fixed or dynamic IP address, and testing with the dig
> command on all hosts works perfectly:
>
> localadm at dhcpdns:~> dig sshgw.tier1.internal +short
> 192.168.80.8
> localadm at dhcpdns:~> dig -x 192.168.80.8 +short
> sshgw.tier1.internal.
>
> But when I try to use any internal address, everything takes ages. A
> test with the host command reveals:
>
> localadm at dhcpdns:~> host sshgw.tier1.internal
> sshgw.tier1.internal has address 192.168.80.8
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; no servers could be reached
>
> ;; communications error to 127.0.0.1#53: timed out
> ;; communications error to 127.0.0.1#53: timed out
> ;; no servers could be reached
host by default does A, AAAA and MX queries for the name, unless you use
-t A explicitly. It probably means dig -t AAAA and dig -t MX time
out; only -t A works as expected. You just need to ensure something
is made to authoritatively say such a record does not exist.
>
> It seems that the Linux host is not satisfied with the first result and
> continues to look up an IPv6 address. I have tried different setups and
> would like dnsmasq to return some kind of "f... off - no ipv6 here".
> But if I get it to return the real local IPv6 address for the target,
> that would be all right too.
>
> But I have no clue why this happens with the current settings:
>
> localadm at dhcpdns:~> grep -v '^#' /etc/dnsmasq.conf | sed '/^$/d'
> domain-needed
> bogus-priv
> resolv-file=/etc/dnsmasq.d/dnsmasq.forward
> server=/busene.dk/192.168.225.1
> server=/rstd.internal/192.168.225.1
> expand-hosts
> domain=tier1.internal
> dhcp-range=set:direct,192.168.80.36,192.168.80.131,12h
> dhcp-range=::f,::ff,constructor:eth0
> dhcp-host=00:50:56:b5:ee:27,dhcpdns,192.168.80.4
> dhcp-host=00:50:56:b5:e5:7a,sshgw,192.168.80.8
> dhcp-option=tag:direct,option:router,192.168.80.1
> dhcp-option=tag:direct,option:ntp-server,192.168.80.1
> dhcp-option=tag:direct,option:dns-server,192.168.80.4
> dhcp-authoritative
> conf-dir=/etc/dnsmasq.d/,*.conf
Unless the upstream nameservers in dnsmasq.forward know .internal, add
local=/internal/ and that should fix it. That instructs dnsmasq to say that
whatever under .internal it does not know about does not exist.
>
> localadm at dhcpdns:~> cat /etc/dnsmasq.d/dnsmasq.forward
> search tier1.internal
> nameserver 80.71.82.83
> nameserver 80.71.82.82
>
> I have tried different IPv6 related settings for dhcp-range= but it
> does not seem to do any difference.
>
> Hosts interface:
>
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
> group default qlen 1000
> link/ether 00:50:56:b5:ee:27 brd ff:ff:ff:ff:ff:ff
> altname enp11s0
> altname ens192
> inet 192.168.80.4/24 brd 192.168.80.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::250:56ff:feb5:ee27/64 scope link proto kernel_ll
> valid_lft forever preferred_lft forever
>
> I guess it is most likely down to the setup on the clients
> (openSUSE). But as I plan to roll out a lot of clients, I would like to be
> able to keep the default setup. And when I was using the built-in DNS
> in pfSense I had no problems like that.
>
> Any ideas?
>
--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
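The diagnosis above (only the A query is answered; AAAA and MX leak upstream and time out) can be checked from any host with the following script. It is an added example, not code from the thread or from dnsmasq: it sends the same three query types that `host` sends, over plain UDP with the standard library only, and reports per type whether the resolver gave a definite answer (NODATA, NXDOMAIN, REFUSED, ...) or simply timed out. The resolver address 192.168.80.4 and the name sshgw.tier1.internal are taken from the thread; the 2 s timeout is an assumption.

```python
# Added example (not from the original thread or dnsmasq): probe a resolver
# the way `host` does, sending A, AAAA and MX queries for one name, and
# report whether each gets a definite answer or only a timeout. Standard
# library only. Resolver address, name and timeout below are assumptions.
import random
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28, "MX": 15}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype, txid=None):
    """Build a minimal DNS query: RD set, one question, class IN."""
    if txid is None:
        txid = random.randrange(65536)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack(">HH", QTYPES[qtype], 1)
    return header + question, txid


def parse_header(data, expected_txid):
    """Return rcode name, AA flag and answer count from a response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        # A mismatching id is a stray or spoofed reply, never trust it.
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "aa": bool(flags & 0x0400),
            "answers": an}


def classify(result):
    """Collapse a parsed header (or None for a timeout) into one verdict."""
    if result is None:
        return "TIMEOUT"
    if result["rcode"] == "NOERROR" and result["answers"] == 0:
        # Name exists but has no record of this type: the right answer
        # for AAAA on an IPv4-only internal host.
        return "NODATA"
    return result["rcode"]


def query(server, name, qtype, timeout=2.0):
    """Send one UDP query; return the parsed header, or None on timeout."""
    packet, txid = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data, txid)


def check_name(server, name):
    """Verdict per query type. A TIMEOUT means the query left dnsmasq and died."""
    return {qtype: classify(query(server, name, qtype)) for qtype in QTYPES}


if __name__ == "__main__":
    # Assumed values taken from the thread: the dnsmasq host and one name.
    for qtype, verdict in check_name("192.168.80.4", "sshgw.tier1.internal").items():
        print(f"{qtype:5} {verdict}")
```

Before the fix the expected picture is A answered and AAAA/MX reported as TIMEOUT. After adding local=/internal/ (or local=/tier1.internal/) to dnsmasq.conf and restarting dnsmasq, AAAA and MX should come back as NODATA or NXDOMAIN from dnsmasq itself; any remaining TIMEOUT means a query is still being forwarded to the ISP, which is also the case to check at the border for the whole .internal tree.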