[RndTbl] very strange DNS errors EUREKA! SOLVED!!

Trevor Cordes trevor at tecnopolis.ca
Sun Jun 12 03:53:59 CDT 2016


On 2016-06-11 Daryl F wrote:
> On Thu, 21 Apr 2016, Trevor Cordes wrote:
> 
> > The problem: IPv6!  Argh!
> >  
> 
> Is there a firewall blocking *TCP* port 53? With DNSSEC and IPv6 we 
> will see more DNS responses that are too big to send over UDP.

Since it's outgoing traffic we're talking about, nope, my firewalls do
not block TCP port 53 in IPv4, as I'm pretty open about chain OUTPUT (but
not FORWARD).

I discussed the issue further with a group of MUUG guys at a meeting
and almost definitely we believe (haven't tested yet) the problem was
two things:
1) I dropped all IPv6
2) I *dropped*, not *rejected*, all IPv6

We believe that both have to hold, which is why not many people hit this
bug, as many people (and most stock routers) would default to reject
(iptables ... -j REJECT), which *probably* will tell BIND to immediately
give up on 6 and try 4, mitigating the bug.  That's the theory anyhow.

I'll test it one of these days...
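A quick way to test that theory from a client behind the firewall, as an added example that is not part of the post: a Python probe that sends one DNS query over IPv6 and over IPv4 and reports whether the failure came back as a fast ICMP-style reject (which lets a resolver fall back to IPv4) or as a silent drop that runs out the timeout. The resolver addresses are placeholders from the documentation ranges; substitute your own.

```python
import errno
import socket
import struct
import time

# errno values a connected UDP socket reports when an ICMP/ICMPv6 error (or a local
# firewall verdict) comes back: these fail fast, so a resolver can move on to IPv4.
FAST_FAIL_ERRNOS = {errno.ECONNREFUSED, errno.ENETUNREACH, errno.EHOSTUNREACH,
                    errno.EACCES, errno.EPERM}

def build_query(name="example.com", txid=0x1234):
    """Minimal DNS A query (constructed probe packet), recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def classify(outcome, elapsed, timeout):
    """outcome is 'answer', 'timeout' or an errno int; returns the failure mode."""
    if outcome == "answer":
        return "answered"
    if outcome == "timeout" or elapsed >= timeout:
        return "silent-drop"      # nothing came back: the DROP case, resolver stalls
    if outcome in FAST_FAIL_ERRNOS:
        return "fast-reject"      # ICMP error arrived: the REJECT case, quick fallback
    return "other-error"

def probe(server, family, timeout=2.0):
    """Send one query to server:53 and return (failure mode, seconds elapsed)."""
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((server, 53))    # connected socket so ICMP errors are reported
        sock.send(build_query())
        data = sock.recv(512)
        outcome = "answer" if len(data) >= 12 and data[:2] == b"\x12\x34" else "other"
    except socket.timeout:
        outcome = "timeout"
    except OSError as exc:
        outcome = exc.errno
    finally:
        sock.close()
    elapsed = time.monotonic() - start
    return classify(outcome, elapsed, timeout), round(elapsed, 2)

if __name__ == "__main__":
    # Placeholder resolver addresses (documentation ranges): replace with your own.
    for family, server in ((socket.AF_INET6, "2001:db8::53"), (socket.AF_INET, "192.0.2.53")):
        print(server, probe(server, family))
```

Run it once with the router's IPv6 rule set to DROP and once with REJECT: the IPv6 line should change from "silent-drop" at the full timeout to "fast-reject" in milliseconds.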
