ipv6 socket: Bug or configuration error?

[bmeirellesRJ]

Hi friends,

I use bind9 in dual stack mode and I'm trying to replace it with dnscrypt-proxy.

On my firewall, I have two rules to capture dns traffic and redirect to my server dns:

Capture and redirect dns ipv4

iptables -t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-port 53

Capture and redirect dns ipv6

ip6tables -t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-port 53

With bind9, these rules work perfectly ipv4 and ipv6.

With dnscrypt-proxy the ipv4 rule works perfectly, but the ipv6 rule the dns doesn't reply. Without the rule dns works in ipv6.

In dnscrypt-proxy it is configured as: listen_addresses = ['[::]:53']

I tried to change the port to 5300 without success

I added the interface ip without success

I tried using systemd socket without success

Why with bind9 work and dnscrypt-proxy not?

what am I doing wrong? Can someone help me?

I'm using dnscrypt-proxy + bind9, but I would like to remove bind9.

I appreciate any help.

[lifenjoiner]

Test and make sure dnscrypt-proxy works perfectly with IPv6 as you configured first ...

[bmeirellesRJ]

Hi @lifenjoiner,

The socket is configured listen_addresses = ['[::]:53']

If I remove the firewall rule it works:
PS C:> nslookup google.com
Servidor: router.tijuca.informaticadigital
Address: fd00:ffff:fffe:100::1

Não é resposta autoritativa:
Nome: google.com
Addresses: 2800:3f0:4004:810::200e
142.250.79.14

If I add the ipv6 firewall rule it doesn't respond
PS C:> nslookup google.com
DNS request timed out.
timeout was 2 seconds.
Servidor: UnKnown
Address: fd00:ffff:fffe:100::1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.

but the same rule in ipv4 works
PS C:> nslookup google.com 192.168.254.254
Servidor: router.tijuca.informaticadigital
Address: 192.168.254.254

Não é resposta autoritativa:
Nome: google.com
Addresses: 2800:3f0:4004:80a::200e
142.250.78.206

I'm using bind9 for forwarding to dnscrypt-proxy on port 5300 because with bind9 the firewall rules work, but setting dnscrypt-poxy ptr=true I don't need bind9 anymore

[lifenjoiner]

I don't get you.
Obviously, iptables is from Linux and PS C:> nslookup is from Windows, ... they even aren't in the same system?
Anyway, if dnscrypt-proxy works well separately, it's more likely there is something wrong with your settings ... I guess.

[lifenjoiner]

My thought is:
you must make a clear view of your device's/software's topology,
and know how the traffic goes.
Make sure they works well at each part.
Finally, it will work.

[bmeirellesRJ]

I have a linux server as a router/gateway on my local network.

On my local network I have windows, mac, and ios/android mobile phones.

On the linux server, which is the router/gateway of my internal network, I have bind9 as dns cache and I use these two rules to capture traffic from the internal network and redirect to my dns cache.

dnscrypt-proxy Works v4 and v6 without firewall redirection rules.

If I add the rules in the firewall, ipv6 stops working.

The rules are correct, because with bind9 they work perfectly.

dnscrypt-proxy is configured as per the documentation, to listen on all addresses, ipv4 and ipv6.

If you say my configuration is wrong, how should I configure it?

[bmeirellesRJ]

In the dnscrypt-poxy documentation:

List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.

Example with both IPv4 and IPv6:

listen_addresses = ['127.0.0.1:53', '[::1]:53']

To listen to all IPv4 addresses, use listen_addresses = ['0.0.0.0:53']

To listen to all IPv4+IPv6 addresses, use listen_addresses = ['[::]:53']

listen_addresses = ['[::]:53']

I tried it this way and it doesn't work either:
#listen_addresses = ['192.168.254.254:53', '[fd00:ffff:fffe:100::1]:53']

I tried it this way and it doesn't work either:
cat /lib/systemd/system/dnscrypt-proxy.socket
...
[Socket]
ListenStream=[::]:53
ListenDatagram=[::]:53
NoDelay=true
DeferAcceptSec=1
....

In bind9 it is like this and firewall rules works:
vim /etc/bind/named.conf.options
...
listen-on { any; };
listen-on-v6 { any; };
....

If I configured dnscrypt-proxy wrong, tell me the right way.

[syphyr]

For dnscrypt-proxy.toml:

listen_addresses = []

For /lib/systemd/system/dnscrypt-proxy.socket:

[Unit]
Description=DNSCrypt-proxy socket
Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
Before=nss-lookup.target
Wants=nss-lookup.target

[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53
ListenStream=[::1]:53
ListenDatagram=[::1]:53
BindIPv6Only=both
NoDelay=true
DeferAcceptSec=1

[Install]
WantedBy=sockets.target

[bmeirellesRJ]

Hi @syphyr,

Thank you for your help.

I tried and it didn't work.

127.0.0.1 and ::1 is loopback address and works only localhost. I need it to work for my internal network.

With the address [::]:53 it works, but if I apply the firewall rules, the same thing happens and ipv6 stops working.

With the lan nic address, '[fd00:ffff:fffe💯:1]:53'] also happens the same thing. Without the rules it works, with the rules ipv6 stops working.

I believe it's a bug, because with bind9 it works.

You can test by adding these 2 rules to your firewall and configuring a non-existent dns on any host on your local network:

iptables -t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-port 53
ip6tables -t nat -A PREROUTING -i $LAN -p udp --dport 53 -j REDIRECT --to-port 53

if use nftables:
nft add rule inet nat PREROUTING iifname "$LAN" meta l4proto {tcp, udp} th dport 53 counter redirect to :53 comment Redirect-DNS

$LAN=internal interface

ipv4 will work, ipv6 no reply

[bmeirellesRJ]

@syphyr

What was missing here was BindIPv6Only=both I will test tomorrow

[bmeirellesRJ]

Hi @syphyr ,

I tried it and it really doesn't work.

with this really localhost only:
#ListenStream=127.0.0.1:53
#ListenDatagram=127.0.0.1:53
#ListenStream=[::1]:53
#ListenDatagram=[::1]:53

With these below, same problem. Dual stack only without firewall rules.

#[Socket]
#ListenStream=192.168.254.254:53
#ListenDatagram=192.168.254.254:53
#ListenStream=[fd00:ffff:fffe:100::1]:53
#ListenDatagram=[fd00:ffff:fffe:100::1]:53
#BindIPv6Only=both
#NoDelay=true
#DeferAcceptSec=1

[Socket]
ListenStream=[::]:53
ListenDatagram=[::]:53
NoDelay=true
DeferAcceptSec=1
BindIPv6Only=both

I'll keep using named until someone else finds the problem and fixes it.

Thank you very much for your help

Hug,

Bruno.