
help: resolving against root servers behind Toastman TomatoUSB IPv6 tunnel

Started by oaguirre, October 28, 2012, 11:39:51 AM


oaguirre

Hello gurus. First of all, please accept my apologies for asking this in my first post to this forum... but I don't know where else to go to ask for assistance/help and I feel like I'm at a dead end.
I've been trying to figure this out for several days now, have searched the errors and tried several named options without success. I don't know where to ask this, so I place it here as a starting point, as I saw several other questions related to more general topics and right now I cannot grasp what this problem is related to. I know it is a bit of a huge text, so feel free to disregard it...

infrastructure: DSL link with a local ISP with no IPv6 support, connected to a Netgear router with Toastman TomatoUSB v1.28 with IPv6 support. Toshiba laptop with Ubuntu 12.04 with bind/named, postfix, apache, etc., connected via wifi to the local router.

pre situation:
I had a "standard" bind/named configuration, no forwarders, machine using loopback as nameserver, everything worked ok, I could browse, etc.

Then one day I decided to start learning IPv6 and found this wonderful place, HE. I opened an account, followed several guides, set up the tunnel, did several basic tests, including test-ipv6.com; up to now, everything worked ok.

I then decided to give the certification process a try and started configuring the local DNS to serve a lent subdomain allocated at GoDaddy, tried opening the ports on the router, etc...

All this worked well until I tried to work again without forwarders, and replaced my laptop's resolv.conf, which was pointing to the router, to use the local bind/named in order to do all the tests, pings, digs, traceroutes, etc...

I am not sure at all when this started to work, but the thing is, the bind/named installed in my laptop does not resolve any names, 4 or 6, when I use the root hints, but works when I enable the forwarders section in the options.

The error I'm getting in the daemon.log file is:
Oct 28 13:22:19 Legolas named[11804]: DNS format error from 192.33.4.12#53 resolving ./NS: non-improving referral
Oct 28 13:22:19 Legolas named[11804]: error (FORMERR) resolving './NS/IN': 192.33.4.12#53
Oct 28 13:22:19 Legolas named[11804]: DNS format error from 192.58.128.30#53 resolving ./NS: non-improving referral
Oct 28 13:22:19 Legolas named[11804]: error (FORMERR) resolving './NS/IN': 192.58.128.30#53
Oct 28 13:22:19 Legolas named[11804]: DNS format error from 193.0.14.129#53 resolving ./NS: non-improving referral
Oct 28 13:22:19 Legolas named[11804]: error (FORMERR) resolving './NS/IN': 193.0.14.129#53

The strange thing is, I can get all the info about a domain or the domain part of the name, but not the IP of the name itself, even though I have recursion on and allow it on the local IPs and localnets...

For example, with he.net, with (uncommented) forwarders:
; <<>> DiG 9.8.1-P1 <<>> ipv6.he.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36211
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;ipv6.he.com.                   IN      A

;; ANSWER SECTION:
ipv6.he.com.            0       IN      A       67.215.65.132

;; AUTHORITY SECTION:
.                       518388  IN      NS      i.root-servers.net.
...
.                       518388  IN      NS      h.root-servers.net.

;; Query time: 189 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 13:51:41 2012
;; MSG SIZE  rcvd: 256

Then, after commenting out the forwarders section:
; <<>> DiG 9.8.1-P1 <<>> ipv6.he.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43263
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipv6.he.com.                   IN      A

;; Query time: 183 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 13:52:10 2012
;; MSG SIZE  rcvd: 29

This is my named.conf.options file:
acl internal-net {
    127.0.0.1;
    10.0.1.0/24;
    ::1/128;
    fc00::/7;
    fe80::/10;
};
acl global-interfaces {
    2001:xxx:xx:be4:221::/64;
    2001:xxx:xx:be4:4d04::/64;
};
acl local-int {
    127.0.0.1;
    ::1/128;
    fc00::/7;
    fe80::/10;
};

options {
    directory "/var/cache/bind";
    version "[NONE]";

    // forwarders {
    //     8.8.8.8;
    //     10.0.1.253;
    //     200.44.32.12;
    // };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    listen-on { any; };

    // Prevent DoS attacks by generating bogus zone transfer
    // requests.  This will result in slower updates to the
    // slave servers (e.g. they will await the poll interval
    // before checking for updates).
    notify no;

    // Generate more efficient zone transfers.  This will place
    // multiple DNS records in a DNS message, instead of one per
    // DNS message.
    transfer-format many-answers;

    allow-query { internal-net; global-interfaces; };
    allow-query-on { local-int; };
    // allow-query-cache-on { local-int; };
    allow-transfer { internal-net; };
    recursion yes;
    // If recursion yes; (default) then, if allow-recursion is NOT present,
    // defaults to allow-query-cache {localnets; localhost;};. Local cache
    // access permitted to localnets and localhost only.
    // allow-recursion { internal-net; };

    // zone not signed
    dnssec-enable no;
};


I had the ports 41 and 53, udp and tcp, forwarded in the router to one of my global IPv6 addresses; I disabled this redirection, tried again, and found that this does not affect the outcome.

I don't know if this has something to do with Toastman's Tomato or the firewall implementation in it. I also tried these ip6tables rules (in the firewall script section) to see if I could open up the ports to 'traverse' the router:

ip6tables -A FORWARD --match state --state INVALID --jump DROP
ip6tables -A FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
ip6tables -A FORWARD --match state --state new --protocol tcp --match multiport --destination-ports domain,http,smtp,41 --jump ACCEPT
ip6tables -A FORWARD --match state --state new --protocol udp --match multiport --destination-ports domain,41 --jump ACCEPT
ip6tables -A INPUT --match state --state INVALID --jump DROP
ip6tables -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
ip6tables -A INPUT --in-interface lo --jump ACCEPT
ip6tables -A INPUT --protocol icmpv6 --jump ACCEPT
ip6tables -A INPUT --protocol udp --dport 500 --jump ACCEPT
ip6tables -A INPUT --protocol esp --jump ACCEPT
#ip6tables -A INPUT --match ah --ahlen 32 --jump ACCEPT #dont know what to do with this right now.
ip6tables -A INPUT --protocol tcp --dport ssh --jump ACCEPT
ip6tables -A OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT


but still accomplished nothing...

Any ideas on what to test or what to do? Pointers?
I know the server will work fine with the forwarders but, truth be told, I really want to use the hints instead and try to understand what and where the problem is and, more importantly, try to solve it, if such a solution exists.


thanks in advance.
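The "non-improving referral" that named logs above is a rule an iterative resolver applies to every upstream response: a referral only helps if it points at a zone strictly below the one just asked that still contains the query name, and an answer section is needed otherwise. As an added illustration (not BIND's code and not part of the original post), the block below models that check on constructed responses shaped like the two dig outputs in the post, and extracts the upstream addresses from the quoted daemon.log lines; the names `classify`, `referral_improves`, `formerr_servers` and the `LOG` sample are my own.

```python
# Added illustration of the "improving referral" rule an iterative resolver
# applies; the function names and LOG sample are constructed for this example.

# Constructed sample: two of the daemon.log lines quoted in the post.
LOG = """Oct 28 13:22:19 Legolas named[11804]: DNS format error from 192.33.4.12#53 resolving ./NS: non-improving referral
Oct 28 13:22:19 Legolas named[11804]: error (FORMERR) resolving './NS/IN': 192.33.4.12#53
Oct 28 13:22:19 Legolas named[11804]: error (FORMERR) resolving './NS/IN': 192.58.128.30#53
"""


def labels(name):
    """DNS name -> labels from the root outward: 'ipv6.he.com.' -> ['com', 'he', 'ipv6']."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl][::-1]


def is_at_or_below(name, zone):
    """True if name equals zone or lies inside it ('he.com.' is inside 'com.')."""
    n, z = labels(name), labels(zone)
    return n[:len(z)] == z


def referral_improves(current_zone, qname, authority_owner):
    """A referral helps only if the zone in the AUTHORITY section is strictly
    below the zone we just asked and still contains the query name."""
    return (is_at_or_below(authority_owner, current_zone)
            and len(labels(authority_owner)) > len(labels(current_zone))
            and is_at_or_below(qname, authority_owner))


def classify(current_zone, qname, answer_rrs, authority_owner):
    """What the resolver concludes from one upstream response."""
    if answer_rrs:
        return "answer"
    if referral_improves(current_zone, qname, authority_owner):
        return "referral to " + authority_owner
    return "non-improving referral"


def formerr_servers(log_text):
    """Upstream addresses named reported as FORMERR, so you can see whether
    one server or every root server shows the symptom."""
    servers = set()
    for line in log_text.splitlines():
        if "error (FORMERR) resolving" in line:
            servers.add(line.rsplit(":", 1)[1].strip().split("#")[0])
    return sorted(servers)


if __name__ == "__main__":
    # A real root server hands ipv6.he.com. down to the com. servers.
    print(classify(".", "ipv6.he.com.", [], "com."))
    # The post's shape: no answer, AUTHORITY pointing back at "." itself.
    print(classify(".", "ipv6.he.com.", [], "."))
    print(formerr_servers(LOG))
```

When every root server address in the log shows the same FORMERR, the responses are not coming from three independent root servers misbehaving at once, which is the first thing to check on the path between named and the root.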