How can I disable IPv6 recursive queries on my resolver?
  • 11 May 2020

On some networks, IPv6 is used internally but is not supported by the link to the rest of the Internet. This degrades resolver performance because named attempts to send IPv6 queries that can never be answered.

BIND resolvers query authoritative DNS servers in order to answer client queries. During recursive resolution, they 'learn' the names and addresses, both IPv4 and IPv6, of other servers. To prevent your server from using the learned IPv6 addresses itself during recursion, you can add a server clause to named.conf:

server ::/0 { bogus yes; };

To prevent IPv6 queries outside the network, while still allowing them inside (i.e. locally), use a pair of server clauses:

server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix 
server ::/0 { bogus yes; };

This allows IPv6 queries to be sent to addresses in the fd81:ec6c:bd62::/48 network prefix, but not to any other IPv6 addresses.
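
The following is an added example, not part of the original article or of BIND itself: a small Python model of how the pair of server clauses above sorts learned addresses into "queried" and "skipped". It assumes named applies the most specific matching server clause regardless of order, as the BIND reference manual describes; the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed named.conf fragment: the two clauses from the article.
NAMED_CONF = """
server fd81:ec6c:bd62::/48 { bogus no; };  // site ULA prefix
server ::/0 { bogus yes; };
"""

# Matches only the simple form used here: server <addr>[/len] { bogus yes|no; };
CLAUSE_RE = re.compile(
    r"server\s+([0-9A-Fa-f:.]+(?:/\d+)?)\s*\{\s*bogus\s+(yes|no)\s*;\s*\}\s*;")

def parse_server_clauses(conf_text):
    """Return [(network, bogus_bool), ...] for every bogus server clause found."""
    clauses = []
    for prefix, flag in CLAUSE_RE.findall(conf_text):
        clauses.append((ipaddress.ip_network(prefix, strict=False), flag == "yes"))
    return clauses

def is_bogus(address, clauses):
    """Apply the longest-prefix matching clause; no match means not bogus."""
    addr = ipaddress.ip_address(address)
    matches = [(net, bogus) for net, bogus in clauses
               if net.version == addr.version and addr in net]
    if not matches:
        return False  # e.g. IPv4 servers are untouched by IPv6 clauses
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def classify(addresses, conf_text=NAMED_CONF):
    """Map each learned server address to 'queried' or 'skipped'."""
    clauses = parse_server_clauses(conf_text)
    return {a: ("skipped" if is_bogus(a, clauses) else "queried")
            for a in addresses}

if __name__ == "__main__":
    # Constructed sample of learned server addresses (ULA and documentation ranges).
    sample = ["fd81:ec6c:bd62:1::53", "2001:db8::53",
              "192.0.2.53", "fd00:1234::53"]
    for addr, verdict in classify(sample).items():
        print(f"{addr:24} {verdict}")
```

Running it shows that only the site prefix and IPv4 servers remain eligible for queries; a different ULA prefix such as fd00:1234::/32 is still skipped because it falls under ::/0 only.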

IPv6 can also be disabled entirely by using the named -4 command-line option, but you should not do this if you still want your resolver to learn the IPv6 addresses of Internet authoritative servers and make them available to clients.