topic Re: ipv6 question in Operating System - Linux

ipv6 question

brian_31 — Mon, 20 Dec 2010 20:27:47 GMT

On our RHEL 4 box we have ipv6 turned off. But still the ipv6 dns lookup is done. Any way to permanently disable it? (checked /etc/modprobe.conf and sysconfig/network file..all ok..)it looks quite a challenge as the config seems to be OK

Thanks

Brian

Re: ipv6 question

Suman_1978 — Tue, 21 Dec 2010 10:54:56 GMT

Hi,

You need to do this as root

Edit /etc/sysconfig/network and change

NETWORKING_IPV6=yes to
NETWORKING_IPV6=no

Edit /etc/modprobe.conf and add these lines (if theyâ re not in it):

alias net-pf-10 off
alias ipv6 off

Stop the ipv6tables service by typing:

service ip6tables stop

Disable the ipv6tables service by typing:

chkconfig ip6tables off

After these changes, IPv6 will be disabled after the next reboot of your system.

Hope this helps

Re: ipv6 question

brian_31 — Tue, 21 Dec 2010 14:26:25 GMT

As mentioned earlier wehave followed normal protocols. All these have been done. But still the ipv6 DNS lookups happen. Not sure why??

Thanks

Brian.

Re: ipv6 question

Chhaya_Z — Tue, 21 Dec 2010 18:51:46 GMT

Hi Brain,

What is the kernel version?

I have not tested this however you can try below command:
Check the value first:
#cat /proc/sys/net/ipv6/conf/all/disable_ipv6

if its 0 then change it using below command to disable it

#echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

To check if the value has changed:
#cat /proc/sys/net/ipv6/conf/all/disable_ipv6

Hope this helps

Re: ipv6 question

Matti_Kurkela — Wed, 22 Dec 2010 12:02:12 GMT

IPv6 DNS lookups?

Do you mean the system will attempt to communicate with a DNS server over IPv6?

Or do you mean the system will send AAAA record queries to perfectly ordinary IPv4 DNS servers? I guess this is what you probably mean.

If you're using an application that is IPv6 aware, it probably always uses IPv6 versions of DNS query functions, or sets RES_USE_INET6 in global program variable _res.options. This makes the resolver library send an IPv6 AAAA query before each IPv4 A query.

Because IPv6 resolver functions can automatically fallback to IPv4 when necessary, using them always makes it simpler to write a program that can work with both IPv6 and IPv4. But as a side effect, you'll get the AAAA query.

If your DNS server complies with the appropriate RFCs, the extra AAAA queries should be harmless.

The IPv6 query option of the DNS resolver library can apparently be forced on by adding "options inet6" line to /etc/resolv.conf, but there is apparently no way to force the option off.

MK

Re: ipv6 question

brian_31 — Mon, 03 Jan 2011 13:26:05 GMT

Happy New Year!!

Thanks for the responses..

As mentioned we have disabled the IPV6(alias net-pf-10 off in modprobe.conf, alias ipv6 off in /etc/modprobe.conf and then the NETWORK_IPV6 line for /etc/sysconfig/network)and rebooted, but still the ifconfig -a reports inet6 addr for bond0 and eth1..

MK..

is this what you were mentioning as normal?

Thanks again

Brian

Re: ipv6 question

brian_31 — Mon, 03 Jan 2011 13:43:36 GMT

Please note the inet6 addr line is in addition to the normal inet,Bcast and Mask line. Is this normal?

Thanks

Brian.

Re: ipv6 question

Matti_Kurkela — Wed, 05 Jan 2011 19:59:03 GMT

If ifconfig still displays IPv6 addresses, it looks like your attempt to disable IPv6 using the module alias didn't work. I guess some startup script loads the module explicitly.

A RedHat-recommended procedure for disabling IPv6 is to add this line to /etc/modprobe.conf:

options ipv6 disable=1

This won't prevent the ipv6 module from loading, but tells it to disable itself. The kernel will log a message telling IPv6 is "administratively disabled" until next reboot.

Even this may not stop IPv6-aware applications from making AAAA queries to IPv4 nameservers: making those DNS queries does not require any kernel-level IPv6 protocol support. But those queries should not be harmful: a standards-compliant DNS server can simply answer "I have no information about IPv6".

To completely stop an IPv6-aware application from making AAAA queries, the application would have to have a configurable IPv4-only mode. Not all IPv6-aware programs have such a mode.

MK

Re: ipv6 question

Mike_Swift — Wed, 26 Oct 2011 13:58:46 GMT

Matti

We have the same issue with the DNS server flooding with AAAA quesries. When you mention "But those queries should not be harmful: a standards-compliant DNS server can simply answer "I have no information about IPv6". what does this mean or what RFC's it should comply with?

Thanks

Mike.

Re: ipv6 question

Matti_Kurkela — Wed, 26 Oct 2011 19:49:43 GMT

I meant that the DNS server does not even need to know what the AAAA record is to be able to answer "I don't have any records of that type matching the name you asked for". Since an A record exists for the name, a Name Error is not appropriate. The situation should be handled essentially the same as when querying for NS record for a name that does not have one.

The algorithm in RFC 1034 (STD 13, the fundamental definition of DNS), paragraph 4.3.2 would lead to the generation of a response with an empty answer section and no error indication (status NOERROR) - as always when there is no record of the requested type, but records of some other type exist for the name queried.

The later RFC 2308 (Proposed Standard) confirms this is exactly the expected format for a NODATA answer.

RFC 1123 (STD 3), paragraph 6.1.3.5 says:

6.1.3.5  Extensibility

DNS software MUST support all well-known, class-independent
formats [DNS:2], and SHOULD be written to minimize the
trauma associated with the introduction of new well-known
types and local experimentation with non-standard types.

Both RFC 1034 and RFC 1123 considerably pre-date the IPv6 RFCs.

The DNS extensions for IPv6 are provided in RFC 1886 (Proposed Standard), and it defines the query type for AAAA records as type value 28.

Here's a handy list of the various DNS-related RFCs:

http://www.zoneedit.com/doc/rfc/

Re: ipv6 question

Mike_Swift — Thu, 27 Oct 2011 15:32:43 GMT

Matti

I understand from the RFC perspective, but the DNS team has sadi that the load generated from this particular client is too much to handle for the DNS server (AAAA queries). Is there anything we could do from the Linux side (OS Config) that could stop this load on the DNS Server?? Please advice..

Best Regrads

Mike

Re: ipv6 question

Mike_Swift — Thu, 27 Oct 2011 15:42:49 GMT

Hello Matti

I also noticed on this Linux Server which generates lot of bogus ipv6 AAAA quesries, there are 7 sub-domains listed in the /etc/resolv.conf search string. . Every time the “ssh” command is executed, there are 8 bogus IPv6 “AAAA” queries issued (which all fail), before finally the valid IPv6 “A” query is issued (and successfully resolves). When the “ssh” command is being used in monitoring scripts or some other transaction-oriented manner, there will be an exponential number of bogus IPv6 “AAAA” queries issued before the eventual IPv4 “A” query is issued. This is a problem with some applications running on the Linux servers. It also generates something of a DoS attack on production DNS servers. Strange it happens only on Linux running Redhat 4 and 5. All other OS seems OK

Best Regards

Mike

Re: ipv6 question

Matti_Kurkela — Fri, 28 Oct 2011 07:14:47 GMT

You might want to specify

AddressFamily inet   #IPv4 only

either in your global /etc/ssh/ssh_config or in user-specific ~/.ssh/config file. That will stop the ssh client from making the AAAA queries.

For other applications, you must find other application-specific solutions.

And if your resolv.conf search string causes the system to query for so many variations of the name, perhaps you should be using fully-qualified names when setting up your monitoring scripts or other "transaction-oriented" processes. Normally the cost of one DNS query is fairly small, but if you have a long search list and you know you will be making a lot of connections, a simple optimization (i.e. qualifying the names once at configuration time instead of repeatedly at runtime) would be wise.

For monitoring systems and other "heavy users" of DNS, you might even consider setting up a local caching-only DNS server on the query-generating host. You would set it to forward all queries (that cannot be answered with the already-cached information) to your regular DNS servers. If the TTL values of your regular DNS servers are sensible, the cache should end up answering most of the recurring DNS queries, minimizing the DNS-related network traffic required.