How can I disable IPv6 recursive queries on my resolver?
  • 01 Feb 2023
  • 1 Minute to read
  • Contributors
  • Dark
    Light
  • PDF

How can I disable IPv6 recursive queries on my resolver?

  • Dark
    Light
  • PDF

Article Summary

On some networks, IPv6 is used internally, but is not supported by the link to the rest of the Internet. This degrades resolver performance due to named attempting to use IPv6 transport to send queries that can never be answered.

BIND resolvers query other authoritative DNS servers in order to provide query responses to client queries. During recursive resolution, they will 'learn' the names and addresses of other servers, both IPv4 and IPv6. To prevent your server from using the learned IPv6 addresses itself during recursion, you can add a server clause to named.conf:

server ::/0 { bogus yes; };

To prevent queries from being sent to IPv6 addresses outside the network, while still allowing them inside (i.e. locally), use a pair of server clauses:

server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix 
server ::/0 { bogus yes; };

This allows queries to be sent to addresses in the fd81:ec6c:bd62::/48 network prefix, but not to any other IPv6 addresses.

Use of IPv6 transport can also be disabled entirely by using the named -4 command line option, but you should not do this if you still want your resolver to learn and make available to clients, the IPv6 addresses of Internet authoritative DNS servers.

NOTE: We currently recommend using named -4 instead of server ::/0 { bogus yes; };

Due to the way named resolver code internally handles the lists of servers authoritative for a domain, using server ::/0 { bogus yes; }; to disable IPv6 transport being used for recursive queries can unfortunately sometimes cause intermittent SERVFAIL responses instead to clients. See https://gitlab.isc.org/isc-projects/bind9/-/issues/1964 for more details.