
RE: bind9 and dns forward



Hi,

>> linbobo:~# ss -nap | grep named
>> tcp LISTEN 0 10 [2a02:a45f:96c2:1:1e69:7aff:fe0c:65e3]:53 [::]:*
>> users:(("named",pid=554,fd=78))
>> tcp LISTEN 0 10 [fe80::1e69:7aff:fe0c:65e3]%eno1:53 [::]:*
>> users:(("named",pid=554,fd=71))
>> tcp LISTEN 0 10 [fe80::33bc:2b:d928:991d]%tun0:53 [::]:*
>> users:(("named",pid=554,fd=94))

> You should not use fe80:: addresses on eno1 as you have an ipv6 2a02 on this interface.
I can do that; it just defaults to listening on all local IPs.
But that is also just inbound traffic as far as I know; that has nothing to do with which IP address bind itself uses to get info from other (company) DNS servers.

> But you don't have real ipv6 on tun0. fe80:: is only assigned when there is no address assigned for an interface.
Correct, the VPN tunnel is IPv4 only at this moment, as the company network has only partial IPv6 set up and is not using it over the whole network yet.
I am only sure of reaching all servers via IPv4, including the DNS servers, which is why I forward to the relevant IPv4 addresses.

> Usually fe80:: are local only and not routed.
Correct.

> And bind uses ipv6 first.
Yes, first, but not only. Also, there is no IPv6 address in the forward statements.

> So I suspect that your vpn blocks ipv6 from your tun0 fe80::. Check your vpn configuration to set up a real ipv6 address.
I cannot set up IPv6 on the VPN tunnel as the other side has no IPv6 address yet. Also there is no route to the DNS servers over IPv6 yet.

> Meanwhile change /etc/bind/named.conf.options to select only your good ip
> 
>     listen-on port 53 {
[....]
>    };

I can do that, but ... that is only for inbound traffic TO my DNS server on this network.
That part is working without any problem. Changing that will not change anything for the clients on this network.


We are still left with the problem shown in the syslog:
-----<Quote>----------------- 
Jun  1 09:25:45 linbobo named[554]: validating tio.nl/NS: got insecure response; parent indicates it should be secure 
Jun  1 09:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.128.40#53 
Jun  1 09:25:45 linbobo named[554]: validating tio.nl/NS: got insecure response; parent indicates it should be secure 
Jun  1 09:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.208.10#53 
-----<Quote>-----------------

My bind instance can reach the company DNS server but claims the response is false/insecure.

Does that maybe mean that my bind gets a "normal" response from the company DNS, whereas the external DNS at top level .nl. (being the parent zone) says that any response from a tio.nl DNS server should be a secure response, and therefore bind does not accept it?
Where does bind store this info, and can I overrule it?

Bonno Bloksma
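As an added example (not from Bonno's mail, and not BIND's own code): a small Python script that parses the named syslog lines quoted above and reports which forwarder returned unsigned answers for which names, and under which zone apex they all fall. The two extra log lines in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the four named(8) syslog lines quoted in the message,
# plus two constructed lines (one more failure for a host under tio.nl and
# one unrelated line) so the grouping has something to work on.
SAMPLE_LOG = """\
Jun  1 09:25:45 linbobo named[554]: validating tio.nl/NS: got insecure response; parent indicates it should be secure
Jun  1 09:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.128.40#53
Jun  1 09:25:45 linbobo named[554]: validating tio.nl/NS: got insecure response; parent indicates it should be secure
Jun  1 09:25:45 linbobo named[554]: insecurity proof failed resolving 'tio.nl/NS/IN': 172.16.208.10#53
Jun  1 09:25:46 linbobo named[554]: insecurity proof failed resolving 'www.tio.nl/A/IN': 172.16.128.40#53
Jun  1 09:25:47 linbobo named[554]: resolver priming query complete
"""

# BIND logs "insecurity proof failed resolving '<name>/<type>/<class>': <server>#<port>"
# when a forwarder returns an unsigned answer but the parent zone publishes a DS
# record for the name: BIND cannot prove the name is legitimately unsigned, so
# it rejects the answer and the client gets SERVFAIL.
PROOF_FAILED = re.compile(
    r"insecurity proof failed resolving '(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)


def parse_validation_failures(log_text):
    """Return {name: {"server#port": count}} for every failed insecurity proof."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = PROOF_FAILED.search(line)
        if m:
            failures[m["name"].rstrip(".")][f"{m['server']}#{m['port']}"] += 1
    return {name: dict(servers) for name, servers in failures.items()}


def failures_by_forwarder(failures):
    """Invert the map: which names each forwarder answered insecurely for."""
    by_server = defaultdict(set)
    for name, servers in failures.items():
        for server in servers:
            by_server[server].add(name)
    return {server: sorted(names) for server, names in by_server.items()}


def likely_apex(names):
    """Shortest failing name that all other failing names sit under, else None.
    That is the zone whose DS record at the parent (.nl here) the unsigned answers contradict."""
    candidates = sorted(names, key=len)
    if not candidates:
        return None
    apex = candidates[0]
    if all(n == apex or n.endswith("." + apex) for n in candidates):
        return apex
    return None
```

Feed it `journalctl -u named` or `/var/log/syslog` output to see at a glance whether every forwarder, or only one, serves the unsigned internal copy of the zone.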

