Configure a DNS cache not to forward AAAA queries

Tags: domain-name-system, internal-dns, ipv6

I'm setting up an internal DNS cache because my firewall is having trouble handling all the sessions created by DNS requests. I tried using bind9, dnsmasq and DJB dnscache; they all help reduce the number of requests leaving my network, but there are still a lot of requests being made.

Looking at the log files, and tcpdump and dnstop outputs, it seems that requests that return SERVFAIL do not get cached at all. And a lot of those failed requests are AAAA requests, which is a shame, because I do not have ipv6 enabled on any server.

I've looked at several ways to help the situation, and I think if I could somehow prevent AAAA record requests from being forwarded by the DNS cache, it would reduce the number of requests significantly.

The closest thing I found was the filter-aaaa-on-v4 option in BIND9. However, this only removes the record from the server response, and does not prevent it from forwarding it.

Any help would be appreciated.
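The measurement behind the observation above (SERVFAIL replies are not cached and most of them come back for AAAA lookups) is worth reproducing before touching the resolver or firewall. The script below is an added example, not code from the question or from any of the resolvers named in it. It parses the text that `tcpdump -n udp port 53` prints on the cache's outbound side, matches each reply to its query by client address, client port and transaction ID, and tallies outcomes per query type and SERVFAIL replies per upstream server. The capture lines are constructed sample data in tcpdump's DNS output format, with documentation addresses; the regular expressions cover the common forms of that output (flags after the ID, an optional `[1au]` EDNS marker, the rcode names tcpdump prints) and are an assumption about its formatting, not a parser for every variant.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of "tcpdump -n udp port 53", taken on the
# DNS cache (10.0.0.2): its queries to upstream servers and their replies.
# Not real traffic from the question.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 10.0.0.2.40001 > 192.0.2.53.53: 1001+ A? www.example.com. (33)
12:00:01.000200 IP 10.0.0.2.40002 > 192.0.2.53.53: 1002+ AAAA? www.example.com. (33)
12:00:01.020100 IP 192.0.2.53.53 > 10.0.0.2.40001: 1001 1/0/0 A 192.0.2.10 (49)
12:00:01.020200 IP 192.0.2.53.53 > 10.0.0.2.40002: 1002 ServFail 0/0/0 (33)
12:00:02.000100 IP 10.0.0.2.40003 > 198.51.100.7.53: 1003+ [1au] AAAA? mail.example.net. (34)
12:00:02.030100 IP 198.51.100.7.53 > 10.0.0.2.40003: 1003 0/1/0 (90)
12:00:03.000100 IP 10.0.0.2.40004 > 198.51.100.7.53: 1004+ A? nonexistent.example.net. (41)
12:00:03.030100 IP 198.51.100.7.53 > 10.0.0.2.40004: 1004 NXDomain 0/1/0 (97)
12:00:04.000100 IP 10.0.0.2.40005 > 192.0.2.53.53: 1005+ AAAA? www.example.com. (33)
12:00:04.020100 IP 192.0.2.53.53 > 10.0.0.2.40005: 1005 ServFail 0/0/0 (33)
12:00:05.000100 IP 10.0.0.2.40006 > 192.0.2.53.53: 1006+ MX? example.com. (29)
"""

# Query line: "<src>.<sport> > <dst>.<dport>: <id>+[flags] [[1au]] <QTYPE>? <name>"
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+\S*(?: \[\w+\])? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")

# Reply line: "<src>.<sport> > <dst>.<dport>: <id>[flags] [<rcode>] an/ns/ar"
# tcpdump prints no rcode word for NOERROR, so its absence means NoError.
RESP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)[*$|-]*(?: (?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp))? "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


def summarize(tcpdump_text):
    """Return (per-qtype outcome counts, SERVFAIL replies per upstream server).

    A reply is matched to its query by (client IP, client port, transaction ID),
    which is how the resolver itself pairs them. Queries still unmatched at the
    end of the capture are counted as "unanswered".
    """
    pending = {}                      # (client ip, client port, id) -> qtype
    by_qtype = defaultdict(Counter)   # qtype -> Counter of outcomes
    servfail_by_server = Counter()    # upstream IP -> SERVFAIL replies sent
    for line in tcpdump_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            pending[(q["src"], q["sport"], q["id"])] = q["qtype"]
            by_qtype[q["qtype"]]["queries"] += 1
            continue
        r = RESP_RE.search(line)
        if r:
            qtype = pending.pop((r["dst"], r["dport"], r["id"]), None)
            if qtype is None:
                continue              # reply whose query is not in this capture
            rcode = (r["rcode"] or "NoError").lower()
            by_qtype[qtype][rcode] += 1
            if rcode == "servfail":
                servfail_by_server[r["src"]] += 1
    for qtype in pending.values():
        by_qtype[qtype]["unanswered"] += 1
    return {t: dict(c) for t, c in by_qtype.items()}, dict(servfail_by_server)


def servfail_share(by_qtype, qtype="AAAA"):
    """Fraction of all SERVFAIL replies that answered queries of the given type."""
    total = sum(c.get("servfail", 0) for c in by_qtype.values())
    return by_qtype.get(qtype, {}).get("servfail", 0) / total if total else 0.0


if __name__ == "__main__":
    by_qtype, by_server = summarize(SAMPLE_TCPDUMP)
    for qtype, counts in sorted(by_qtype.items()):
        print(f"{qtype:6} {counts}")
    print(f"SERVFAIL replies per upstream server: {by_server}")
    print(f"share of SERVFAILs from AAAA lookups: {servfail_share(by_qtype):.0%}")
```

Run it against a real capture by piping `tcpdump -n -l udp port 53` into `summarize`; the per-server counter gives the list of authoritative servers that return SERVFAIL for AAAA, which is what you need if you take the answer's advice and report the misbehaviour to their operators. The `unanswered` bucket is also informative on a firewall that drops sessions under load: queries that never get a reply are retried by the cache, and those retries show up as more outbound sessions.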

Best Answer

I don't think this is possible in any standard DNS resolver. Besides: hiding the IPv6 responses from clients might break DNSSEC validation, depending on if/where you validate.

An authoritative DNS server should not return a SERVFAIL when asked for data it doesn't have, so the real problem is those servers. I personally see such bad behaviour very rarely, but you seem to see it more often. If there are just a few servers that misbehave like this it might be a good idea to let the operator or the domain name holders know so they can fix it.

Some firewalls can process certain traffic statelessly. You could filter like

internal DNS cache address port > 1024  <-->  * port 53

and make all that traffic stateless. You won't lose much protection and your firewall will have a lower load. To be honest I am surprised that your firewall has problems with handling DNS query sessions. You never specified which brand and model you are using. I did this on a Juniper SRX 210 for a BitTorrent server. If you think DNS requests cause many sessions... ;-)

And if all else fails you could move the work to an external DNS resolver. If you configure your DNS cache to forward all queries to an external resolver (your ISP's resolvers and 8.8.8.8/8.8.4.4 come to mind) then your DNS cache won't have to walk the DNS tree itself, which will lower the number of queries a lot.