BIND9 stops resolving names after disabling IPv6 - Ubuntu Server 20.04 LTS
Sebastian Wright
I'm new to Linux and I'm setting up a server at home with the following services: BIND9 for name resolution, ISC DHCP server/relay, and an iptables firewall.
I've noticed that sometimes BIND resolves queries to an IPv6 address instead of IPv4.
As I'm really out of date with IPv6, to simplify my internal configuration and to prevent security issues on my network through IPv6, I've decided to disable IPv6 on my internal network.
I've configured BIND for IPv4 only (added -u bind -4) and everything was working perfectly until I disabled IPv6 on my network; now BIND doesn't resolve my queries anymore.
I've added the following lines to /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
And enabled IPv4 forwarding:
net.ipv4.ip_forward=1
Here are my configuration files for BIND9.
named.conf.options
acl "trusted" {
    10.10.1.0/24;
    10.10.10.0/24;
    10.10.20.0/24;
    10.10.30.0/24;
    10.10.40.0/24;
    192.168.0.0/24;
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { trusted; };          // recursion only for the ACL above
    forwarders { 8.8.8.8; 8.8.4.4; 201.21.192.116; 201.21.192.111; };
    forward only;
    // loopback (127.0.0.1) is not in this list
    listen-on { 10.10.1.254; 10.10.10.254; 10.10.20.254; 10.10.30.254; 10.10.40.254; };
    auth-nxdomain no;
    version "not current available";
    querylog yes;
};
named.conf.local
# Forward Zone
zone "internal.home" {
    type master;
    file "/etc/bind/zones/db.internal.home";
    allow-transfer { 10.10.1.254; };
};
# Reverse Zone
# Server IP 10.10.1.10
zone "1.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.10";
    allow-transfer { 10.10.1.254; };
};
db.internal.home
$TTL    604800
@       IN      SOA     ns1.internal.home. root.internal.home. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      ns1.internal.home.
        IN      NS      ns2.internal.home.
ns1.internal.home.      IN      A       10.10.1.254
ns2.internal.home.      IN      A       10.10.1.254
server.internal.home.   IN      A       10.10.1.254
iap225.internal.home.   IN      A       10.10.1.1
db.10
$TTL    604800
@       IN      SOA     internal.home. root.internal.home. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      ns1.internal.home.
        IN      NS      ns2.internal.home.
;
254     IN      PTR     ns1.internal.home.
254     IN      PTR     ns2.internal.home.
254     IN      PTR     server.internal.home.
1       IN      PTR     iap225.internal.home.
I've tested my configuration with named-checkconf and named-checkzone and all outputs are OK.
In my iptables rules.v4 file I have these rules:
*nat
:PREROUTING ACCEPT [1679:401995]
:INPUT ACCEPT [592:40310]
:OUTPUT ACCEPT [1740:164981]
:POSTROUTING ACCEPT [509:46285]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [1:36]
:FORWARD ACCEPT [20:1358]
:OUTPUT DROP [0:0]
#Reject forwarding between eth0 and eth0 (flood attack)
-A FORWARD -i eth0 -o eth0 -j REJECT
# Allow incoming traffic to loopback interface
-A INPUT -i lo -j ACCEPT
#Allow any existing connections or anything related
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow new connections only from internal network (! means except)
-A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
#Allow HTTP/S incoming connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#Allow SSH incoming connections only in eth1.10 and from 10.10.10.0
-A INPUT -i eth1.10 -p tcp --dport 22 -s 10.10.10.0/24 -j ACCEPT
#Allow DNS incoming requests only internal
-A INPUT -i eth1+ -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1+ -p tcp --dport 53 -j ACCEPT
#Allow DHCP incoming requests only internal
-A INPUT -i eth1+ -p udp --dport 67:68 -j ACCEPT
#Allow incoming ICMP
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#Allow forward traffic
-A FORWARD -i eth1+ -o eth0 -j ACCEPT
#Allow output traffic
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1900 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1900 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5938 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5938 -j ACCEPT
#Allow output ICMP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [226702:271091885]
:INPUT ACCEPT [8236:8159908]
:FORWARD ACCEPT [218466:262931977]
:OUTPUT ACCEPT [8709:7959666]
:POSTROUTING ACCEPT [227009:270858537]
COMMIT
Here are my tests with IPv6 disabled (all tests executed on the server).
Pinging 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=25.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=24.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=27.5 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=50 time=25.1 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=50 time=26.7 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 24.835/25.820/27.506/1.068 ms
Pinging
ping: Temporary failure in name resolution
If I set all net.ipv6.conf.*.disable_ipv6 to 0, everything works fine.
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.lo.disable_ipv6=0
Pinging 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=26.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=27.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=26.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=50 time=26.2 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=50 time=25.6 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 25.633/26.325/27.185/0.524 ms
Pinging
PING (172.217.28.4) 56(84) bytes of data.
64 bytes from eze03s15-in-f4.1e100.net (172.217.28.4): icmp_seq=1 ttl=50 time=26.6 ms
64 bytes from eze03s15-in-f4.1e100.net (172.217.28.4): icmp_seq=2 ttl=50 time=27.1 ms
64 bytes from eze03s15-in-f4.1e100.net (172.217.28.4): icmp_seq=3 ttl=50 time=27.8 ms
64 bytes from eze03s15-in-f4.1e100.net (172.217.28.4): icmp_seq=4 ttl=50 time=27.2 ms
64 bytes from eze03s15-in-f4.1e100.net (172.217.28.4): icmp_seq=5 ttl=50 time=26.0 ms
^C
--- ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 26.012/26.962/27.795/0.601 ms
I'm really stuck on this. I've searched many forums and I didn't find any solution for this issue.
Could anybody help me?
I also have many of these messages after running dmesg:
audit: type=1400 audit(1589236716.310:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/proc/sys/kernel/random/boot_id" pid=894 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
My best regards to all.
Rafael.
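The ruleset in the question decides a packet's fate by first match, which is hard to check by eye: rules without an -i restriction (TCP/80 and TCP/443) apply to packets arriving on eth0 as well, and the `--state NEW ! -i eth0` rule accepts all LAN traffic before any of the per-service rules below it. The script below is an added example, not code from the question or the answer. It parses iptables-save text and walks the INPUT chain for a described packet, reporting the deciding rule. The embedded rules are the question's INPUT chain (abridged); the packet dicts and the function names (`verdict`, `rule_matches`) are mine. Only the matches the posted rules use are modelled; a rule using anything else (here `-m limit`) is skipped.

```python
"""Walk an iptables INPUT chain for a described packet (added example)."""
import ipaddress
import shlex

# INPUT chain of the question's rules.v4, abridged (other chains and a few rules omitted).
RULES_V4 = """\
*filter
:INPUT DROP [1:36]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth1.10 -p tcp --dport 22 -s 10.10.10.0/24 -j ACCEPT
-A INPUT -i eth1+ -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
COMMIT
"""

TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
NO_ARG_OPTS = {"--syn", "-f"}        # options that take no value


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of iptables-save output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def parse_rule(tokens):
    """Tokens after '-A CHAIN' -> {'target': str, 'opts': {opt: (value, negated)}}."""
    rule, neg, i = {"target": None, "opts": {}}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                       # negates the option that follows
            neg, i = True, i + 1
            continue
        if tok == "-j":
            rule["target"], i = tokens[i + 1], i + 2
        elif tok == "-m":                    # match-module selector, no effect on matching
            i += 2
        elif tok in NO_ARG_OPTS:
            rule["opts"][tok], i = (True, neg), i + 1
        elif tok == "--tcp-flags":           # two values: mask and compare set
            rule["opts"][tok], i = ((tokens[i + 1], tokens[i + 2]), neg), i + 3
        else:
            rule["opts"][tok], i = (tokens[i + 1], neg), i + 2
        neg = False
    return rule


def _flag_set(spec):
    return set(TCP_FLAGS) if spec == "ALL" else set() if spec == "NONE" else set(spec.split(","))


def match_opt(opt, val, pkt):
    """True/False when the option is modelled, None when it is not."""
    if opt == "-i":
        return pkt["in"].startswith(val[:-1]) if val.endswith("+") else pkt["in"] == val
    if opt == "-p":
        return pkt["proto"] == val
    if opt == "-s":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val, strict=False)
    if opt == "--dport":
        lo, _, hi = val.partition(":")
        return "dport" in pkt and int(lo) <= pkt["dport"] <= int(hi or lo)
    if opt in ("--state", "--ctstate"):
        return pkt["state"] in val.split(",")
    if opt == "--syn":
        return bool(pkt.get("syn"))
    if opt == "-f":
        return bool(pkt.get("frag"))
    if opt == "--icmp-type":
        return str(pkt.get("icmp_type")) == val
    if opt == "--tcp-flags":
        flags = set(pkt.get("tcp_flags", {"SYN"} if pkt.get("syn") else set()))
        mask, comp = _flag_set(val[0]), _flag_set(val[1])
        return flags & mask == comp & mask
    return None                              # e.g. --limit: not modelled


def rule_matches(rule, pkt):
    """True if every option matches (honouring '!'); None if one is not modelled."""
    for opt, (val, neg) in rule["opts"].items():
        res = match_opt(opt, val, pkt)
        if res is None:
            return None
        if res == neg:                       # plain option must be True, negated one False
            return False
    return True


def verdict(text, pkt, chain="INPUT"):
    """First-match walk: (target, index of deciding rule) or (chain policy, None)."""
    policy, rules = parse_chain(text, chain)
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["target"], idx
    return policy, None


if __name__ == "__main__":
    wan = {"in": "eth0", "src": "203.0.113.5", "state": "NEW", "proto": "tcp", "syn": True}
    for port in (22, 53, 80, 443):           # what the WAN side can reach
        print(port, verdict(RULES_V4, {**wan, "dport": port}))
```

Running it shows three things about the posted chain: new TCP/80 and TCP/443 connections from eth0 are accepted while TCP/22 and UDP/53 fall through to the DROP policy; a DNS query from a VLAN interface is accepted by the `! -i eth0` rule, so the explicit `-i eth1+ --dport 53` rules are never reached; and a non-SYN TCP/80 packet is accepted by the port rule before the `! --syn` drop further down is consulted.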
1 Answer
After much research and several re-installations I think I've figured out the best configuration for me, disabling all IPv6 on my server.
First of all, I've disabled IPv6 using GRUB. Here is what I've added to /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
# takes effect after update-grub and a reboot
This disables all IPv6 for Ubuntu. A good starting point.
Then I've installed BIND9:
apt install bind9 bind9utils bind9-doc
My final configuration for BIND has just a few small changes. I have 4 internal networks using VLANs, which is why there are so many networks in my trusted ACL.
/etc/bind/named.conf.options
acl "trusted" {
    localhost;
    10.10.1.0/24;
    10.10.10.0/24;
    10.10.20.0/24;
    10.10.30.0/24;
    10.10.40.0/24;
    192.168.0.0/24;
};

options {
    directory "/var/cache/bind";
    auth-nxdomain no;
    recursion yes;
    allow-query { trusted; };
    forwarders { 8.8.8.8; 8.8.4.4; 201.21.192.116; 201.21.192.111; };
    forward only;
    listen-on port 53 { localhost; 10.10.1.254; 192.168.0.254; };
    version "not current available";
    querylog yes;
    dnssec-validation no;   // forwarded answers are accepted without DNSSEC verification
};
/etc/bind/named.conf.local
# Forward Zone
zone "pegasus.home" {
    type master;
    file "/etc/bind/forward.pegasus.home";
};
# Reverse Zone
# Server IP 10.10.1.254
zone "1.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/reverse.pegasus.home";
};
/etc/bind/forward.pegasus.home
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns1.pegasus.home. root.ns1.pegasus.home. (
                              6         ; Serial
                         604820         ; Refresh
                          86600         ; Retry
                        2419600         ; Expire
                         604600 )       ; Negative Cache TTL
;
@       IN      NS      ns1.pegasus.home.
ns1     IN      A       10.10.1.254
centaurus IN    A       10.10.1.254
/etc/bind/reverse.pegasus.home
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns1.pegasus.home. root.pegasus.home. (
                             21         ; Serial
                         604820         ; Refresh
                         864500         ; Retry
                        2419270         ; Expire
                         604880 )       ; Negative Cache TTL
;
@       IN      NS      ns1.pegasus.home.
ns1     IN      A       10.10.1.254     ; owner here is ns1.1.10.10.in-addr.arpa., not ns1.pegasus.home.
254     IN      PTR     ns1.pegasus.home.
254     IN      PTR     centaurus.pegasus.home.
My rules in iptables did not change.
I have also set IPv6 to disabled on all my network interfaces, and I have not added the IPv6 settings to the sysctl.conf file.
Now everything is working fine.
Here are the pages I used as starting points for my configuration:
How to disable IPv6 through GRUB in Linux in
How to Install and Configure DNS Server (Bind 9) on Ubuntu / Debian in
Hope this can help other people who are having the same issue.
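named-checkzone validates each zone file on its own, so it cannot tell you that a PTR points at a name with no A record, that an A record has no reverse entry, or that a record sits in the wrong zone. The script below is an added example, not part of the answer: a minimal zone-file reader plus a forward/reverse consistency check. The embedded zones are the answer's forward.pegasus.home and reverse.pegasus.home with the record data unchanged and the layout normalised; the function names (`parse_zone`, `check`) are mine. On this input it reports one finding: the `ns1 IN A 10.10.1.254` line in the reverse file, whose owner relative to that zone's origin is ns1.1.10.10.in-addr.arpa. rather than ns1.pegasus.home., so no resolver will ever ask for it.

```python
"""Cross-check a forward zone against its in-addr.arpa zone (added example)."""
import ipaddress
import re

# The answer's zone files, layout normalised; SOA timers kept on a continuation line.
FORWARD = """\
$TTL 604800
@   IN SOA ns1.pegasus.home. root.ns1.pegasus.home. (
        6 604820 86600 2419600 604600 )   ; Serial Refresh Retry Expire Negative-TTL
@           IN NS ns1.pegasus.home.
ns1         IN A  10.10.1.254
centaurus   IN A  10.10.1.254
"""

REVERSE = """\
$TTL 604800
@   IN SOA ns1.pegasus.home. root.pegasus.home. (
        21 604820 864500 2419270 604880 )
@   IN NS  ns1.pegasus.home.
ns1 IN A   10.10.1.254
254 IN PTR ns1.pegasus.home.
254 IN PTR centaurus.pegasus.home.
"""

NAME_RDATA = {"NS", "PTR", "CNAME"}          # types whose rdata is a domain name


def _absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, [rdata...])] with all names made absolute.

    Handles ; comments, $ORIGIN/$TTL, ( ) continuation lines, '@' and blank owners."""
    origin = origin.rstrip(".") + "."
    records, last_owner, buf, indented = [], origin, "", False
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].rstrip()
        if not buf:
            indented = code[:1].isspace()       # blank owner -> reuse previous owner
        buf += " " + code
        if buf.count("(") > buf.count(")"):
            continue                            # record continues on the next line
        fields, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            continue
        owner = _absolute(last_owner if indented else fields.pop(0), origin)
        last_owner = owner
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                       # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA:
            rdata[0] = _absolute(rdata[0], origin)
        records.append((owner, rtype, rdata))
    return records


def _arpa_labels(name):
    """'254.1.10.10.in-addr.arpa.' -> ['10', '10', '1', '254']"""
    return re.sub(r"\.in-addr\.arpa\.?$", "", name.lower()).split(".")[::-1]


def check(forward, fwd_origin, reverse, rev_origin):
    """List inconsistencies between a forward zone and its reverse zone."""
    labels = _arpa_labels(rev_origin)
    rev_net = ipaddress.ip_network(
        ".".join(labels + ["0"] * (4 - len(labels))) + f"/{8 * len(labels)}")
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    a_recs = {(o.lower(), r[0]) for o, t, r in fwd if t == "A"}
    ptrs = {(".".join(_arpa_labels(o)), r[0].lower()) for o, t, r in rev if t == "PTR"}
    issues = []
    for name, ip in sorted(a_recs):
        if ipaddress.ip_address(ip) in rev_net and (ip, name) not in ptrs:
            issues.append(f"{name} A {ip} has no matching PTR in {rev_origin}")
    for ip, name in sorted(ptrs):
        if (name, ip) not in a_recs:
            issues.append(f"PTR {ip} -> {name} has no matching A record in {fwd_origin}")
    for o, t, _ in rev:
        if t not in ("SOA", "NS", "PTR"):       # e.g. the answer's 'ns1 IN A' line
            issues.append(f"{t} record {o} is out of place under in-addr.arpa")
    return issues


if __name__ == "__main__":
    for issue in check(FORWARD, "pegasus.home", REVERSE, "1.10.10.in-addr.arpa"):
        print(issue)
```

Run it after editing either file (or, with both zones on disk, feed it their contents): the PTR/A checks catch the usual drift when a host is renumbered in one file and not the other, and the out-of-place check catches records that named-checkzone accepts but that can never be queried under the name you meant.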