SixXS::Sunset 2017-06-06

I can't do DNS ping6
[ec] Shadow Hawkins on Saturday, 10 August 2013 03:21:43
Hi, I'm using the IPv6 tunnel AYIYA I can do ping6 IPv6 Ex: ping6 2a00:1a48:7901:0:b8af:4389:0:1 PING 2a00:1a48:7901:0:b8af:4389:0:1(2a00:1a48:7901:0:b8af:4389:0:1) 56 data bytes 64 bytes from 2a00:1a48:7901:0:b8af:4389:0:1: icmp_seq=1 ttl=49 time=454 ms 64 bytes from 2a00:1a48:7901:0:b8af:4389:0:1: icmp_seq=2 ttl=49 time=455 ms 64 bytes from 2a00:1a48:7901:0:b8af:4389:0:1: icmp_seq=3 ttl=49 time=490 ms 64 bytes from 2a00:1a48:7901:0:b8af:4389:0:1: icmp_seq=4 ttl=49 time=455 ms 64 bytes from 2a00:1a48:7901:0:b8af:4389:0:1: icmp_seq=5 ttl=49 time=454 ms ^C --- 2a00:1a48:7901:0:b8af:4389:0:1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4698ms rtt min/avg/max/mdev = 454.461/462.084/490.713/14.318 ms But I can't do ping6 to DNS Ex: ping6 ipv6.google.com unknown host I have in response : unknown host that could be failing? for your attention Thanks!!!
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Sunday, 11 August 2013 16:38:26
What platform are you on? (Linux (Ubuntu, Debian), Windows XP/Vista/Seven/Eight/...) ? What is the output of 'cat /etc/resolv.conf' on a Linux variant or 'ipconfig /all' on a Windows?
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 22 August 2013 15:52:04
I'm using Linux CentOS 6.4 Server my server response had [root@server ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.1.1
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Thursday, 22 August 2013 15:53:43
nameserver 192.168.1.1
And which device is that? As there are devices on the market that do not support (either drop, block or reject) AAAA queries.
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 22 August 2013 15:56:07
Im Using my PC eth0
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Thursday, 22 August 2013 15:57:36
Im Using my PC eth0
Thus 192.168.1.1 is your PC, what Operating System does it have and which DNS software do you run on it? Is it the same system as the host you are on?
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 22 August 2013 16:01:08
The 192.168.1.1 is of my router from my ISP
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Thursday, 22 August 2013 16:05:29
The 192.168.1.1 is of my router from my ISP
There is a reasonable chance that the router of your ISP does not support resolving AAAA records. You might want to install a local DNS server or you one of the many public DNS servers (Google Public DNS and OpenDNS come to mind).
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 22 August 2013 16:09:55
I will try anything I am communicating Jeroen Thanks!!!
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 22 August 2013 22:06:07
Hi Jeroen I try OpenDNS and Google Public DNS solution but not working that another solution could have
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Friday, 23 August 2013 06:23:48
I try OpenDNS and Google Public DNS solution but not working that another solution could have
How did you try them and what where the results you are getting? Also, you might want to explain a little bit more on what your setup looks like, eg what hosts are involved, what operating systems they use, on which the tunnel terminates etc.
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 26 September 2013 13:05:25
Hi Jeroen, use the public DNS of google here are the results ... ping6 ipv6.google.com PING ipv6.google.com(2800:3f0:4001:807::1013) 56 data bytes 64 bytes from 2800:3f0:4001:807::1013: icmp_seq=1 ttl=56 time=198 ms 64 bytes from 2800:3f0:4001:807::1013: icmp_seq=2 ttl=56 time=198 ms 64 bytes from 2800:3f0:4001:807::1013: icmp_seq=3 ttl=56 time=197 ms 64 bytes from 2800:3f0:4001:807::1013: icmp_seq=4 ttl=56 time=198 ms 64 bytes from 2800:3f0:4001:807::1013: icmp_seq=5 ttl=56 time=197 ms --- ipv6.google.com ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4733ms rtt min/avg/max/mdev = 197.392/197.943/198.317/0.573 ms however, only makes ping6 to ipv6.google.com but I want to do to any other DNS not just google for Example I ping6 to facebook or any other DNS and this is the result, considering that all the pages that do ping6 have IPv6 on their pages. ping6 www.cnt.gob.ec unknown host ping6 www.mrball.net unknown host ping6 www.facebook.com unknown host any other solution???
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Thursday, 26 September 2013 13:08:58
Hi Jeroen, use the public DNS of google here are the results ...
Something else is interfering. What are the exact contents of /etc/resolv.conf on your host? Install the 'dig' tool (typically in the 'dnsutils' package) and check what the result of each of the following are:
dig www.sixxs.net a dig www.ipv6.sixxs.net a dig www.sixxs.net aaaa dig www.ipv6.sixxs.net aaaa
Please provide the full output, as the will be little details in there that matter.
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 26 September 2013 14:35:51
dig www.sixxs.net a ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.sixxs.net a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39112 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 4 ;; QUESTION SECTION: ;www.sixxs.net.INA ;; ANSWER SECTION: www.sixxs.net.2876INCNAMEnginx.sixxs.net. nginx.sixxs.net.126INA213.197.27.252 nginx.sixxs.net.126INA213.197.30.67 nginx.sixxs.net.126INA38.229.76.3 nginx.sixxs.net.126INA94.75.219.73 ;; AUTHORITY SECTION: sixxs.net.2876INNSns.paphosting.eu. sixxs.net.2876INNSns.paphosting.nl. sixxs.net.2876INNSns.paphosting.net. ;; ADDITIONAL SECTION: ns.paphosting.eu.79479INA5.144.39.126 ns.paphosting.eu.79479INAAAA2a01:80c0:5:f386::126 ns.paphosting.nl.79479INA94.142.245.3 ns.paphosting.nl.79479INAAAA2a02:898:28::3 ;; Query time: 196 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Thu Sep 26 09:28:52 2013 ;; MSG SIZE rcvd: 291 dig www.ipv6.sixxs.net a ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.ipv6.sixxs.net a ;; global options: +cmd ;; connection timed out; no servers could be reached dig www.sixxs.net aaaa ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.sixxs.net aaaa ;; global options: +cmd ;; connection timed out; no servers could be reached dig www.ipv6.sixxs.net aaaa ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.ipv6.sixxs.net aaaa ;; global options: +cmd ;; connection timed out; no servers could be reached
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Thursday, 26 September 2013 14:40:05
;; SERVER: 192.168.1.1#53(192.168.1.1)
You are still using the "Router from your ISP" and quite likely that is the DNS resolver that is broken. The symptoms show that it is simply dropping the DNS queries for anything but a "A" request and then times out. Unless you have a firmware update for that device that resolves this issue, I can only suggest, as before, to stop using the DNS server provided by that device and use a local resolver.
apt-get install unbound echo "search yourlocal.stuff" >/etc/resolve.conf echo "nameserver 127.0.0.1" >>/etc/resolv.conf
and your problems should be over.
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 26 September 2013 15:26:34
Hi Jeroen, I unbound install but still the same
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Thursday, 26 September 2013 15:30:08
I unbound install but still the same
Please show the dig results, that is one very good way to see what goes wrong.
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 26 September 2013 15:39:29
these are the results, and the service is active and now?? dig www.sixxs.net a ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.sixxs.net a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34718 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 4 ;; QUESTION SECTION: ;www.sixxs.net.INA ;; ANSWER SECTION: www.sixxs.net.2831INCNAMEnginx.sixxs.net. nginx.sixxs.net.261INA213.197.27.252 nginx.sixxs.net.261INA213.197.30.67 nginx.sixxs.net.261INA38.229.76.3 nginx.sixxs.net.261INA94.75.219.73 ;; AUTHORITY SECTION: sixxs.net.2832INNSns.paphosting.eu. sixxs.net.2832INNSns.paphosting.nl. sixxs.net.2832INNSns.paphosting.net. ;; ADDITIONAL SECTION: ns.paphosting.eu.75558INA5.144.39.126 ns.paphosting.eu.75558INAAAA2a01:80c0:5:f386::126 ns.paphosting.nl.75558INA94.142.245.3 ns.paphosting.nl.75558INAAAA2a02:898:28::3 ;; Query time: 28 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Thu Sep 26 10:34:13 2013 ;; MSG SIZE rcvd: 291 dig www.ipv6.sixxs.net a ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.ipv6.sixxs.net a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31623 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.ipv6.sixxs.net.INA ;; ANSWER SECTION: www.ipv6.sixxs.net.3600INCNAMEipv6.nginx.sixxs.net. ;; AUTHORITY SECTION: sixxs.net.3600INSOAns.paphosting.net. hostmaster.sixxs.net. 2013091601 86400 7200 1209600 86400 ;; Query time: 2155 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Sep 26 10:34:28 2013 ;; MSG SIZE rcvd: 122 dig www.sixxs.net aaaa ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.sixxs.net aaaa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16183 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.sixxs.net.INAAAA ;; ANSWER SECTION: www.sixxs.net.3599INCNAMEnginx.sixxs.net. nginx.sixxs.net.300INAAAA2001:838:2:1::30:67 nginx.sixxs.net.300INAAAA2001:838:2:1:2a0:24ff:feab:3b53 nginx.sixxs.net.300INAAAA2001:1af8:4050::2 nginx.sixxs.net.300INAAAA2620:0:6b0:a:250:56ff:fe99:78f7 ;; AUTHORITY SECTION: sixxs.net.3599INNSns.paphosting.net. sixxs.net.3599INNSns.paphosting.nl. sixxs.net.3599INNSns.paphosting.eu. ;; Query time: 1610 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Sep 26 10:34:51 2013 ;; MSG SIZE rcvd: 251 dig www.ipv6.sixxs.net aaaa ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.ipv6.sixxs.net aaaa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42199 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.ipv6.sixxs.net.INAAAA ;; ANSWER SECTION: www.ipv6.sixxs.net.3564INCNAMEipv6.nginx.sixxs.net. ipv6.nginx.sixxs.net.300INAAAA2001:838:2:1::30:67 ipv6.nginx.sixxs.net.300INAAAA2001:838:2:1:2a0:24ff:feab:3b53 ipv6.nginx.sixxs.net.300INAAAA2001:1af8:4050::2 ipv6.nginx.sixxs.net.300INAAAA2620:0:6b0:a:250:56ff:fe99:78f7 ;; AUTHORITY SECTION: sixxs.net.3586INNSns.paphosting.net. sixxs.net.3586INNSns.paphosting.nl. sixxs.net.3586INNSns.paphosting.eu. ;; Query time: 198 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Sep 26 10:35:04 2013 ;; MSG SIZE rcvd: 261
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Friday, 27 September 2013 02:46:56
these are the results, and the service is active and now??
Looks to me that it is answering properly indeed. Now you know for sure that it is the DNS resolver in your "router" that is causing issues. Look for a firmware update if possible, but likely you should just be using this fresh unbound that does work and as a bonus can even do DNSSEC validation.
I can't do DNS ping6
[ec] Shadow Hawkins on Friday, 04 October 2013 02:12:30
Hi Jeroen I was able to ping6 to any host and domain names resolved with unbound but as is IPv6 in CentOS server gives DHCP6 with radvd service to client machines running Windows 7 and client machines can not resolve DNS
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Friday, 04 October 2013 04:44:42
You will have to configure unbound to listen on a IPv4 and IPv6 address that other hosts in your network can reach. You will then have to configure DHCP, DHCPv6 and optionally RA to configure the DNS server to be your host with unbound running on it.
I can't do DNS ping6
[ec] Shadow Hawkins on Friday, 04 October 2013 13:55:07
I mean I need to install unbound in each host with windows seven??
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Friday, 04 October 2013 14:11:12
No, you use the already installed unbound as a recursor for your whole network.
I can't do DNS ping6
[ec] Shadow Hawkins on Friday, 04 October 2013 15:20:39
yes but it does not work, as I do to resolve the client machines in Windows Seven able to ping IPv6 Ex: I ping in Windows 7 to ipv6.google.com and these are the results: Ping ipv6.google.com Ping request could not find host ipv6.google.com. Check the name and try again.
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Friday, 04 October 2013 15:49:36
1) Check that you have configured unbound on your server to listen on the right addresses. "interface" is the configuration item you check for in /etc/unbound/ 2) Check that the IP given in the above interface line is configured in DHCP 3) Check that the client (the windows box) receives that IP address, executing "nslookup" will show it as the "Server" line, executing "ipconfig /all" will also show the details.
I can't do DNS ping6
[ec] Shadow Hawkins on Saturday, 05 October 2013 14:42:59
Hi, Jeroen. This is the configuration file of unbound is located in /etc/unbound/unbound.conf where it interfaces modified. # # Example configuration file. # # See unbound.conf(5) man page, version 1.4.20. # # this is a comment. #Use this to include other text into the file. #include: "otherfile.conf" # The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. verbosity: 1 # print statistics to the log (for every thread) every N seconds. # Set to "" or 0 to disable. Default is disabled. # statistics-interval: 0 # enable cumulative statistics, without clearing them after printing. # statistics-cumulative: no # enable extended statistics (query types, answer codes, status) # printed from unbound-control. default off, because of speed. # extended-statistics: no # number of threads to create. 1 disables threading. # num-threads: 1 # specify the interfaces to answer queries from by ip-address. # The default is to listen to localhost (127.0.0.1 and ::1). # specify 0.0.0.0 and ::0 to bind to all available interfaces. # specify every interface[@port] on a new 'interface:' labelled line. # The listen interfaces are not changed on reload, only on restart. # interface: 192.0.2.153 # interface: 192.0.2.154 # interface: 192.0.2.154@5003 # interface: 2001:DB8::5 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. # interface-automatic: no # port to answer queries from # port: 53 # specify the interfaces to send outgoing queries to authoritative # server from by ip-address. If none, the default (all) interface # is used. Specify every interface on a 'outgoing-interface:' line. # outgoing-interface: 192.0.2.153 # outgoing-interface: 2001:DB8::5 # outgoing-interface: 2001:DB8::6 # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 # permit unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 # deny unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. # Use this to make sure unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options # are present, they are processed in order. # outgoing-port-avoid: "3200-3208" # number of outgoing simultaneous tcp buffers to hold per thread. # outgoing-num-tcp: 10 # number of incoming simultaneous tcp buffers to hold per thread. # incoming-num-tcp: 10 # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). # 0 is system default. Use 4m to catch query spikes for busy servers. # so-rcvbuf: 0 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). # 0 is system default. Use 4m to handle spikes on very busy servers. # so-sndbuf: 0 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts). # edns-buffer-size: 4096 # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 # the amount of memory to use for the message cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # msg-cache-size: 4m # the number of slabs to use for the message cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # msg-cache-slabs: 4 # the number of queries that a thread gets to service. # num-queries-per-thread: 1024 # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m # the number of slabs to use for the RRset cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # rrset-cache-slabs: 4 # the time to live (TTL) value lower bound, in seconds. Default 0. # If more than an hour could easily give trouble due to stale data. # cache-min-ttl: 0 # the time to live (TTL) value cap for RRsets and messages in the # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 # the time to live (TTL) value for cached roundtrip times, lameness and # EDNS version information for hosts. In seconds. # infra-host-ttl: 900 # the number of slabs to use for the Infrastructure cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # infra-cache-slabs: 4 # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 # Enable IPv4, "yes" or "no". # do-ip4: yes # Enable IPv6, "yes" or "no". # do-ip6: yes # Enable UDP, "yes" or "no". # do-udp: yes # Enable TCP, "yes" or "no". # do-tcp: yes # upstream connections use TCP only (and no UDP), "yes" or "no" # useful for tunneling scenarios, default no. # tcp-upstream: no # Detach from the terminal, run in background, "yes" or "no". # do-daemonize: yes # control which clients are allowed to make (recursive) queries # to this server. Specify classless netblocks with /size and action. # By default everything is refused, except for localhost. # Choose deny (drop message), refuse (polite error reply), # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. # # If chroot is enabled, you should pass the configfile (from the # commandline) as a full path from the original root. After the # chroot has been performed the now defunct portion of the config # file path is removed to be able to reread the config after a reload. # # All other file paths (working dir, logfile, roothints, and # key files) can be specified in several ways: # o as an absolute path relative to the new root. # o as a relative path to the working directory. # o as an absolute path relative to the original root. # In the last case the path is adjusted to remove the unused portion. # # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # # Additionally, unbound may need to access /dev/random (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. # chroot: "/etc/unbound" # if given, user privileges are dropped (after binding port), # and the given username is assumed. Default is user "unbound". # If you give "" no privileges are dropped. # username: "nobody" # the working directory. The relative files in this config are # relative to this directory. If you give "" the working directory # is not changed. # directory: "/etc/unbound" # the log file, "" means log to stderr. # Use of this option sets use-syslog to "no". # logfile: "" # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to # log to, with identity "unbound". If yes, it overrides the logfile. # use-syslog: yes # print UTC timestamp in ascii to logfile, default is epoch in seconds. # log-time-ascii: no # print one line with time, IP, name, type, class for every query. # log-queries: no # the pid file. Can be an absolute path outside of chroot/work dir. # pidfile: "/var/run/unbound.pid" # file to read root hints from. # get one from ftp://FTP.INTERNIC.NET/domain/named.cache # root-hints: "" # enable to not answer id.server and hostname.bind queries. # hide-identity: no # enable to not answer version.server and version.bind queries. # hide-version: no # the identity to report. Leave "" or default to return hostname. # identity: "" # the version to report. Leave "" or default to return package version. # version: "" # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency # depth the recursor will pursue before giving up. Each integer means: # -1 : fetch all targets opportunistically, # 0: fetch on demand, #positive value: fetch that many targets opportunistically. # Enclose the list of numbers between quotes (""). # target-fetch-policy: "3 2 1 0 0" # Harden against very small EDNS buffer sizes. # harden-short-bufsize: no # Harden against unseemly large queries. # harden-large-queries: no # Harden against out of zone rrsets, to avoid spoofing attempts. # harden-glue: yes # Harden against receiving dnssec-stripped data. If you turn it # off, failing to validate dnskey data for a trustanchor will # trigger insecure mode for that zone (like without a trustanchor). # Default on, which insists on dnssec data for trust-anchored zones. # harden-dnssec-stripped: yes # Harden against queries that fall under dnssec-signed nxdomain names. # harden-below-nxdomain: no # Harden the referral path by performing additional queries for # infrastructure data. Validates the replies (if possible). # Default off, because the lookups burden the server. Experimental # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. # harden-referral-path: no # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. # use-caps-for-id: no # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. # Protects against 'DNS Rebinding' (uses browser as network proxy). # Only 'private-domain' and 'local-data' names are allowed to have # these private addresses. No default. # private-address: 10.0.0.0/8 # private-address: 172.16.0.0/12 # private-address: 192.168.0.0/16 # private-address: 169.254.0.0/16 # private-address: fd00::/8 # private-address: fe80::/10 # Allow the domain (and its subdomains) to contain private addresses. # local-data statements are allowed to contain private addresses too. # private-domain: "example.com" # If nonzero, unwanted replies are not only reported in statistics, # but also a running total is kept per thread. If it reaches the # threshold, a warning is printed and a defensive action is taken, # the cache is cleared to flush potential poison out of it. # A suggested value is 10000000, the default is 0 (turned off). # unwanted-reply-threshold: 0 # Do not query the following addresses. No DNS queries are sent there. # List one address per entry. List classless netblocks with /size, # do-not-query-address: 127.0.0.1/8 # do-not-query-address: ::1 # if yes, the above default do-not-query-address entries are present. # if no, localhost can be queried (for testing and debugging). # do-not-query-localhost: yes # if yes, perform prefetching of almost expired message cache entries. # prefetch: no # if yes, perform key lookups adjacent to normal lookups. # prefetch-key: no # if yes, Unbound rotates RRSet order in response. # rrset-roundrobin: no # if yes, Unbound doesn't insert authority/additional sections # into response messages when those sections are not required. # minimal-responses: no # module configuration of the server. A string with identifiers # separated by spaces. "iterator" or "validator iterator" # module-config: "validator iterator" # File with trusted keys, kept uptodate using RFC5011 probes, # initial file like trust-anchor-file, then it stores metadata. # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before # you start unbound (i.e. in the system boot scripts). And enable: # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "/etc/unbound/root.key" # File with DLV trusted keys. Same format as trust-anchor-file. # There can be only one DLV configured, it is trusted from root down. # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key # dlv-anchor-file: "dlv.isc.org.key" # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. # Note this gets out of date, use auto-trust-anchor-file please. # trust-anchor-file: "" # Trusted key for validation. DS or DNSKEY. specify the RR on a # single line, surrounded by "". TTL is ignored. class is IN default. # Note this gets out of date, use auto-trust-anchor-file please. # (These examples are from August 2007 and may not be valid anymore). # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. Like trust-anchor-file # but has a different file format. Format is BIND-9 style format, # the trusted-keys { name flag proto algo "key"; }; clauses are read. # you need external update procedures to track changes in keys. # trusted-keys-file: "" # Ignore chain of trust. Domain is treated as insecure. # domain-insecure: "example.com" # Override the date for validation with a specific fixed date. # Do not set this unless you are debugging signature inception # and expiration. "" or "0" turns the feature off. -1 ignores date. # val-override-date: "" # The time to live for bogus data, rrsets and messages. This avoids # some of the revalidation, until the time interval expires. in secs. # val-bogus-ttl: 60 # The signature inception and expiration dates are allowed to be off # by 10% of the signature lifetime (expir-incep) from our local clock. # This leeway is capped with a minimum and a maximum. In seconds. # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data # in the additional section is removed from secure messages. # val-clean-additional: yes # Turn permissive mode on to permit bogus messages. Thus, messages # for which security checks failed will be returned to clients, # instead of SERVFAIL. It still performs the security checks, which # result in interesting log files and possibly the AD bit in # replies if the message is found secure. The default is off. # val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. # Enable it if the only clients of unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. # val-log-level: 0 # It is possible to configure NSEC3 maximum iteration counts per # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days # instruct the auto-trust-anchor-file probing to del anchors after ttl. # del-holddown: 2592000 # 30 days # auto-trust-anchor-file probing removes missing anchors after ttl. # If the value 0 is given, missing anchors are not removed. # keep-missing: 31622400 # 366 days # the amount of memory to use for the key cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # key-cache-size: 4m # the number of slabs to use for the key cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 # the amount of memory to use for the negative cache (used for DLV). # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m # a number of locally served zones can be configured. # local-zone: <zone> <type> # local-data: "<resource record string>" # o deny serves local data (if any), else, drops queries. # o refuse serves local data (if any), else, replies with error. # o static serves local data, else, nxdomain or nodata answer. # o transparent gives local data, but resolves normally for other names # o redirect serves the zone data for any subdomain in the zone. # o nodefault can be used to normally resolve AS112 zones. # o typetransparent resolves normally for other types and other names # # defaults are localhost address, reverse for 127.0.0.1 and ::1 # and nxdomain for AS112 zones. If you configure one of these zones # the default content is omitted, or you can omit it with 'nodefault'. # # If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data. # # You can add locally served data with # local-zone: "local." static # local-data: "mycomputer.local. IN A 192.0.2.51" # local-data: 'mytext.local TXT "content of text record"' # # You can override certain queries with # local-data: "adserver.example.com A 127.0.0.1" # # You can redirect a domain to a fixed address with # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) # local-zone: "example.com" redirect # local-data: "example.com A 192.0.2.3" # # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". # You can also add PTR records using local-data directly, but then # you need to do the reverse notation yourself. # local-data-ptr: "192.0.2.3 www.example.com" # service clients over SSL (on the TCP sockets), with plain DNS inside # the SSL stream. Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # ssl-service-key: "path/to/privatekeyfile.key" # ssl-service-pem: "path/to/publiccertfile.pem" # ssl-port: 443 # request upstream over SSL (with plain DNS inside the SSL stream). # Default is no. Can be turned on and off with unbound-control. # ssl-upstream: no # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. # o and give a python-script to run. python: # Script file to load # python-script: "/etc/unbound/ubmodule-tst.py" # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. # set up the keys and certificates with unbound-control-setup. # control-enable: no # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. # control-interface: 127.0.0.1 # control-interface: ::1 # port number for remote control operations. # control-port: 8953 # unbound server key file. # server-key-file: "/etc/unbound/unbound_server.key" # unbound server certificate file. # server-cert-file: "/etc/unbound/unbound_server.pem" # unbound-control key file. # control-key-file: "/etc/unbound/unbound_control.key" # unbound-control certificate file. # control-cert-file: "/etc/unbound/unbound_control.pem" # Stub zones. # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of nameservers. list zero or more # nameservers by hostname or by ipaddress. If you set stub-prime to yes, # the list is treated as priming hints (default is no). # With stub-first yes, it attempts without the stub if it fails. # stub-zone: #name: "example.com" #stub-addr: 192.0.2.68 #stub-prime: no #stub-first: no # stub-zone: #name: "example.org" #stub-host: ns.example.com. # Forward zones # Create entries like below, to make all queries for 'example.com' and # 'example.org' go to the given list of servers. These servers have to handle # recursion to other nameservers. List zero or more nameservers by hostname # or by ipaddress. Use an entry with name "." to forward all queries. # If you enable forward-first, it attempts without the forward if it fails. # forward-zone: # name: "example.com" # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com
I can't do DNS ping6
[ch] Jeroen Massar SixXS Staff on Sunday, 06 October 2013 23:31:24
This is the configuration file of unbound
is located in /etc/unbound/unbound.conf
where it interfaces modified.
Not a single line there is uncommented (not prefixed with a '#') as such, nothing is configured.
I can't do DNS ping6
[ec] Shadow Hawkins on Thursday, 26 September 2013 13:06:39
my server is CentOS 6.4 which provides internet IPv6 me and my client machines are on windows The CentOS server is used as a gateway for the client machines to connect to the IPv6 Internet

Please note Posting is only allowed when you are logged in.

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker