Why am I seeing IPv6 resolve errors despite having disabled IPv6 in bind?

Question

I see lines such as

Feb 13 21:45:48 srv named[2355]: address not available resolving 'secure.gravatar.com/A/IN': 2a04:fa87:ffff::c6b5:7405#53
Feb 13 21:42:29 srv named[2355]: address not available resolving 'la1.akamaiedge.net/AAAA/IN': 2001:500:a8::e#53

in /var/log/syslog despite running bind in IPv4 mode only

srv # cat /etc/default/bind9
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind -4"

Why is it so?

score 7 · Accepted Answer · answered Apr 17 '17 at 17:58

If the system is using systemd then editing /etc/default/bind9 will have no effect.

Edit /lib/systemd/system/bind9.service file instead and add -4 option to ExecStart variable. I'm using Ubuntu 16 and had to do that.

ExecStart=/usr/sbin/named -f -4 -u bind

Also double check that after restarting the named is running with -4 option.

There is actually a bug filled about this configuration confusion https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1565060

Zoredache · Answer 2 · 2017-02-17T21:25:53.847

The -4 option only changes tells bind to listen and respond on IPv4 packets. It doesn't disable the use of AAAA records.

So is there a way to discard IPv6 addresses in bind?

If that is what you really want then you could adjust your bind configuration to include the following. You must disable dnssec validation, since you are dropping valid records.

options {
    ...
    dnssec-enable no;
    filter-aaaa-on-v4 yes;
    ...
};

score 2 · Answer 3 · answered Mar 27 '20 at 00:24

As an alternative to adding -4 to the named command line (which does work, but may be inconvenient depending on how named is started), it's also possible to add the following to the configuration with similar effect regarding not attempting to connect over IPv6:

server ::/0 {
        bogus yes;
};

This flags servers with IPv6 addresses as bogus, preventing queries to these addresses.

It probably goes without saying, but both these options should only be used in environments without global IPv6 connectivity, where named keeps logging these kinds of errors for everything all the time.
If you only run into some occasional connection problems to specific servers, that is no reason to disable the use of a whole protocol on your own end.

score 0 · Answer 4 · answered Aug 11 '22 at 05:04

0

For Redhat Linux and its derivatives, the options should be added to /etc/sysconfig/named .

To disable listening on IPv6 and use exclusively IPv4, use the following line:

OPTIONS="-4"

answered Aug 11 '22 at 05:04

Robert Newton

211

Why am I seeing IPv6 resolve errors despite having disabled IPv6 in bind?

4 Answers4