host -6 failure
mdh
mdh_lists at yahoo.com
Mon Nov 10 07:31:54 PST 2008
--- On Sun, 11/9/08, David Horn <dhorn2000 at gmail.com> wrote:
> From: David Horn <dhorn2000 at gmail.com>
> Subject: Re: host -6 failure
> To: mdh_lists at yahoo.com
> Cc: freebsd-questions at freebsd.org
> Date: Sunday, November 9, 2008, 8:34 PM
> On Sun, Nov 9, 2008 at 3:13 AM, mdh
> <mdh_lists at yahoo.com> wrote:
> > --- On Sat, 11/8/08, David Horn
> <dhorn2000 at gmail.com> wrote:
> >> From: David Horn <dhorn2000 at gmail.com>
> >> Subject: Re: host -6 failure
> >> To: mdh_lists at yahoo.com
> >> Cc: freebsd-questions at freebsd.org
> >> Date: Saturday, November 8, 2008, 8:10 PM
> >> On Sat, Nov 8, 2008 at 7:55 PM, mdh
> >> <mdh_lists at yahoo.com> wrote:
> >> > --- On Sat, 11/8/08, David Horn
> >> <dhorn2000 at gmail.com> wrote:
> >> >> From: David Horn
> <dhorn2000 at gmail.com>
> >> >> Subject: Re: host -6 failure
> >> >> To: mdh_lists at yahoo.com
> >> >> Cc: freebsd-questions at freebsd.org
> >> >> Date: Saturday, November 8, 2008, 7:25 PM
> >> >> On Fri, Nov 7, 2008 at 2:18 PM, mdh
> >> >> <mdh_lists at yahoo.com> wrote:
> >> >> > Howdy folks,
> >> >> > I'm having a little trouble
> understanding
> >> a
> >> >> problem that the `host` command in
> RELENG_7_0
> >> (very recent)
> >> >> is having.
> >> >> The '-6' on the command line for
> host(1)
> >> forces an
> >> >> IPv6 only
> >> >> connection to your nameserver, not
> necessarily a
> >> >> "AAAA" query for the
> >> >> hostname in question. In this case, your
> >> nameservers
> >> >> listed in the
> >> >> warnings are IPv4 nameservers that
> host(1) is
> >> attempting to
> >> >> connect to
> >> >> using an ipv4 mapped ipv6 address (which
> by
> >> default is
> >> >> disabled in the
> >> >> kernel) In other words, don't use
> host -6 for
> >> this
> >> >> scenario.
> >> >
> >> > Yet as I pointed out, the second nameserver
> in my
> >> resolv.conf is ::1 - so shouldn't it work with
> that?
> >> It's clearly trying to contact the first and
> third
> >> nameservers listed. If the behavior I'm
> experiencing is
> >> the proper behavior, then let me pose this
> question: when
> >> would anyone conceivably want to use the -6
> option, and why
> >> does it exist? My intent was to force a query to
> hit the
> >> nameserver on ::1 rather than 127.0.0.1.
> >> >> >
> >> >> > domain mydomain
> >> >> > search mydomain
> >> >> > nameserver 127.0.0.1
> >> >> > nameserver ::1
> >> >> > nameserver IP.IP.IP.8
> >> >> >
> >> >> > The DNS server running on localhost
> is
> >> authoritative
> >> >> for mydomain. I can ping it via
> localhost using
> >> both v4 and
> >> >> v6, and I can also ping the external v4
> and v6
> >> addresses
> >> >> just fine remotely.
> >> >> >
> >> >> > As I said, I'm new to IPv6, but
> this
> >> behavior
> >> >> seems to be counterintuitive. Am I just
> doing it
> >> wrong?
> >> >> >
> >> >>
> >> >> For diagnosing your own nameservers, you
> are
> >> better off
> >> >> using the
> >> >> dig(1) utility.
> >> >>
> >> >> Example:
> >> >>
> >> >> dig ipv6.google.com AAAA @::1
> >> >>
> >> >> This causes a dns query for an IPv6
> address (aka
> >> >> "AAAA" query) for the
> >> >> hostname of "ipv6.google.com"
> using the
> >> >> nameserver on the IPv6
> >> >> localhost loopback address (::1), and
> will give a
> >> very nice
> >> >> verbose
> >> >> output. man dig for more details.
> >> >
> >> > That is more useful, but still doesn't
> stifle my
> >> desire to stomp a potential bug in the base
> system.
> >>
> >> Right after sending, I realized that I did not
> tell you all
> >> of the answer....
> >>
> >> host(1) will successfully query ::1 when named is
> setup to
> >> listen on
> >> ::1 in named.conf, and ::1 is listed in
> /etc/resolv.conf (I
> >> just ran a
> >> test on my box to be sure that it works this way
> with the
> >> -6 switch)
> >>
> >> Example line from /etc/namedb/named.conf:
> >>
> >> listen-on-v6 { ::1; any; };
> >>
> >> And of course you need to restart named after the
> config
> >> change(
> >> /etc/rc.d/named restart)
> >>
> >> To make sure that it is listening on the IPv6
> loopback
> >> address:
> >>
> >> netstat -anW -f inet6
> >>
> >> I do not remember the minimum version of bind (aka
> named)
> >> required for
> >> IPv6 off the top of my head, but I am running
> 9.4.2-P2 on
> >> my IPv6
> >> machine.
> >
> > All of the conditions for success are true, however it
> fails. My DNS server software is responsing on ::1 port 53
> (tcp and udp), and ::1 is the second nameserver listed in
> resolv.conf. Still, host -6 fails as previously stated...
> According to what you've said so far, this leads me to
> believe that it ought to work as expected, and not error out
> in the way I'm seeing.
> >
> > Am I missing something here? Is my lack of general
> IPv6 knowledge causing me to blindly assume something
> incorrectly?
>
> If all of the conditions for success were true, you would
> *not* be
> having a problem. You are likely missing something simple.
> I suggest that you read about about general IPv6 network
> troubleshooting, and bind. The handbook has some good
> information
> here:
>
> http://www.freebsd.org/doc/en/books/handbook/network-dns.html
> http://www.freebsd.org/doc/en/books/handbook/network-ipv6.html
> http://www.freebsd.org/doc/en/books/developers-handbook/ipv6.html
>
> You have yet to provide any new diagnostic output. What
> was the result of:
>
> netstat -anW -f inet6
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 0 *.53 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp6 0 0 *.113 *.* LISTEN
udp6 0 0 *.64039 *.*
udp6 0 0 *.53 *.*
> dig ipv6.google.com AAAA @::1
;; QUESTION SECTION:
;ipv6.google.com. IN AAAA
;; ANSWER SECTION:
ipv6.google.com. 10800 IN CNAME ipv6.l.google.com.
ipv6.l.google.com. 300 IN AAAA 2001:4860:0:2001::68
;; AUTHORITY SECTION:
l.google.com. 86400 IN NS c.l.google.com.
l.google.com. 86400 IN NS b.l.google.com.
l.google.com. 86400 IN NS e.l.google.com.
l.google.com. 86400 IN NS a.l.google.com.
l.google.com. 86400 IN NS g.l.google.com.
l.google.com. 86400 IN NS f.l.google.com.
l.google.com. 86400 IN NS d.l.google.com.
;; Query time: 426 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Nov 10 06:46:57 2008
;; MSG SIZE rcvd: 194
> named -version
I am running bind 9.4.2 which is part of the FreeBSD base system from RELENG_7_0 (very recent).
>
> Do not get hung up on the output of host(1) without trying
> to diagnose
> the root problem (your nameserver working properly on
> ipv6). Once you
> fix the root problem, the other problems will go away.
I think that the host output may be the problem. Based on what some others have said, I am more firm in the belief that this is true. One individual noted that the -6 and -4 options are virtually useless, in that they cause it to only query on the v6 or v4 addr respectively, however if resolv.conf contains v4 addrs it will cause errors with the -6 option, even if it also contains v6 addrs. I believe this to be a bug, as creating virtually-useless command line options is silly.
>
> If in doubt, run a tcpdump or wireshark trace, and make
> sure that your
> firewall is not getting in the way.
There is no firewall. IPFW is configured, but has only one rule - the default accept rule. I plan to use it primarily to auto-block ssh brute-force sources.
- mdh
More information about the freebsd-questions
mailing list