IPv6 DNS Server Configuration (BIND)

It is presumed that your name server is already configured and working for IPv4 queries, so the following steps focus only on the additional configuration needed to support IPv6 DNS queries. Let’s see how to do that.

0. Before we begin

Let’s assume we have to configure our name servers with the following information:

Server           IPv6 Address        IPv4 Address
ns1 (Primary)    2001:db8:0:1::53    192.0.2.53
ns2 (Secondary)  2001:db8:0:2::53    203.0.113.53
www              2001:db8:0:3::80    192.0.2.80
mail             2001:db8:0:4::25    192.0.2.25
ftp              2001:db8:0:5::21    192.0.2.21

1. Prepare the Primary Server

Both network and host firewalls must allow incoming TCP and UDP traffic over port 53. Standard DNS requests occur over UDP port 53. However, if the response size is over 512 bytes, which may happen for IPv6 or for DNSSEC, the request will need to be sent over TCP port 53.

Zone transfers between the primary and secondary name servers will occur over TCP port 53.

firewall-cmd --permanent --zone=public --add-port=53/tcp
firewall-cmd --permanent --zone=public --add-port=53/udp
firewall-cmd --reload

2. Configure named.conf File

Now, the first step is to modify the named.conf file, which is usually preconfigured as a caching-only name server.

vi /etc/named.conf

In order for the name server to respond to external requests over IPv6, it must listen on port 53 on its IPv6 addresses. The IPv6 directive mirrors the IPv4 one you most likely already have, listen-on port 53 { any; };

...
listen-on-v6 port 53 { any; };
...

Now, if you don’t need recursion you may simply configure recursion no;, or you can allow it for everyone with recursion yes;. More often, though, you will want to allow recursion only for specific IP prefixes. Here’s an example that allows recursion for the local IPv4 networks and the client prefix 2001:db8::/48:

...
allow-recursion { 192.0.2.0/24; 203.0.113.0/24; 2001:db8::/48; };
...

3. Configure Zone Information

After that, we need to configure the forward and reverse zones. You can configure them in the named.conf file itself, or in the /etc/named.rfc1912.zones file if named.conf contains include "/etc/named.rfc1912.zones";.

In this example, we’ll configure the zone information in /etc/named.rfc1912.zones.

vi /etc/named.rfc1912.zones

For the forward zone, you don’t need to add a new zone entry; the one you already have for IPv4 will work. Just add the IPv6 address of the secondary DNS server to the allow-transfer list.

zone "v6lab.org" IN {
    type master;
    file "for.db.v6lab.org";
    allow-transfer { 203.0.113.53; 2001:db8:0:2::53; };
};

For the reverse zone information, you need to add separate new zone information for IPv6. Here’s an example:

// reverse zone for the 2001:db8::/48 prefix: the first 12 nibbles in reverse order
zone "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "rev.db.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa";
    allow-transfer { 2001:db8:0:2::53; };
};

4. Configure Zone File

The forward zone file should include both A records and AAAA records. Here’s one way to do that; there are other ways to lay out the resource records, but this is enough to illustrate it:

vi /var/named/for.db.v6lab.org

$TTL 3H
$ORIGIN v6lab.org.
@   IN SOA  ns1.v6lab.org.   root.v6lab.org. (
                                             1 ; serial
                                            3H ; refresh
                                            1H ; retry
                                            1W ; expire
                                            3H ) ; minimum
            IN   NS     ns1.v6lab.org.
            IN   NS     ns2.v6lab.org.
            IN   MX     10   host1.v6lab.org.
ns1         IN   A      192.0.2.53
            IN   AAAA   2001:db8:0:1::53
ns2         IN   A      203.0.113.53
            IN   AAAA   2001:db8:0:2::53
v6lab.org.  IN   A      192.0.2.80
            IN   AAAA   2001:db8:0:3::80
host1       IN   A      192.0.2.25
            IN   AAAA   2001:db8:0:4::25
www         IN   CNAME  v6lab.org.
mail        IN   CNAME  host1.v6lab.org.
ftp         IN   A      192.0.2.21
            IN   AAAA   2001:db8:0:5::21

The reverse zone file for IPv6 may be configured as:

vi /var/named/rev.db.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa

$TTL 3H
$ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
@   IN SOA  ns1.v6lab.org.   root.v6lab.org. (
                                             1 ; serial
                                            3H ; refresh
                                            1H ; retry
                                            1W ; expire
                                            3H ) ; minimum
            IN    NS    ns1.v6lab.org.
            IN    NS    ns2.v6lab.org.
; owner names are the 20 nibbles of each address below the /48, one hex digit
; per label, least significant first (2001:db8:0:1::53 ends in ...0053, so 3.5.0.0...)
3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0    IN    PTR   ns1.v6lab.org.
3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0    IN    PTR   ns2.v6lab.org.
0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0    IN    PTR   v6lab.org.
5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.0    IN    PTR   host1.v6lab.org.
1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.0.0    IN    PTR   ftp.v6lab.org.
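The owner names in the reverse zone are the address nibbles in reverse order, which is easy to get wrong by hand. As an added example (not part of the original tutorial), this Python script derives the ip6.arpa zone name and the relative PTR owner labels for the hosts in the table above from the 2001:db8::/48 prefix, and checks each one against the standard library's full reverse pointer; the HOSTS mapping is constructed from the tutorial's table.

```python
import ipaddress

# Hosts from the tutorial's table (constructed here from that table); the
# PTR targets are FQDNs with the trailing dot, as in the zone file.
HOSTS = {
    "ns1.v6lab.org.":   "2001:db8:0:1::53",
    "ns2.v6lab.org.":   "2001:db8:0:2::53",
    "v6lab.org.":       "2001:db8:0:3::80",
    "host1.v6lab.org.": "2001:db8:0:4::25",
    "ftp.v6lab.org.":   "2001:db8:0:5::21",
}

def reverse_zone_name(prefix):
    """ip6.arpa zone name for a prefix, e.g. 2001:db8::/48 -> 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble (4-bit) boundaries")
    # the exploded form has 32 hex nibbles; keep only those covered by the prefix
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ptr_owner(address, prefix):
    """PTR owner name relative to the zone: the remaining nibbles, least significant first"""
    net = ipaddress.ip_network(prefix, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {prefix}")
    nibbles = addr.exploded.replace(":", "")[net.prefixlen // 4:]
    return ".".join(reversed(nibbles))

def reverse_zone_records(hosts, prefix):
    """One PTR line per host, ready to paste under $ORIGIN <zone>."""
    return [f"{ptr_owner(addr, prefix)}    IN    PTR   {name}"
            for name, addr in hosts.items()]

def round_trips(address, prefix):
    """True if zone name + relative owner equals the full reverse pointer of the address."""
    full = ptr_owner(address, prefix) + "." + reverse_zone_name(prefix)
    return full == ipaddress.ip_address(address).reverse_pointer

if __name__ == "__main__":
    zone = reverse_zone_name("2001:db8::/48")
    print(f"$ORIGIN {zone}.")
    for line in reverse_zone_records(HOSTS, "2001:db8::/48"):
        print(line)
```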

Note: Modifying Zone File

Zone files can be modified on the primary name servers. Once resource records have been added, modified, or removed, you must increment the zone serial number. Here is the existing serial number of the v6lab.org zone.

...
@   IN SOA  ns1.v6lab.org.   root.v6lab.org. (
                                             0 ; serial
                                            3H ; refresh
...

If the initial serial number begins at 0, then the next value will be 1.

...
@   IN SOA  ns1.v6lab.org.   root.v6lab.org. (
                                             1 ; serial
                                            3H ; refresh
...

Once the zone serial number has been incremented, the zone needs to be reloaded. This can be done without restarting the named process.

rndc reload v6lab.org

The reload will also trigger a zone transfer to the secondary server.
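Forgetting to bump the serial is the usual reason a secondary keeps serving stale data after a reload. As an added example (not from the tutorial), a small Python helper that increments the serial in the multi-line SOA form used by the zone files above, so the edit can be scripted before rndc reload; the SAMPLE zone text is constructed from the forward zone file shown earlier.

```python
import re

# The serial is the first number after the opening parenthesis of the SOA
# record in the multi-line form used above; DOTALL lets \s* span the newline.
SOA_SERIAL = re.compile(r"(\bSOA\b[^()]*\(\s*)(\d+)", re.DOTALL)

def bump_serial(zone_text):
    """Return (updated zone text, new serial); raises ValueError if no SOA serial is found."""
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    new = int(m.group(2)) + 1
    updated = zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):]
    return updated, new

# Constructed sample, taken from the start of the forward zone file above
SAMPLE = """$TTL 3H
$ORIGIN v6lab.org.
@   IN SOA  ns1.v6lab.org.   root.v6lab.org. (
                                             0 ; serial
                                            3H ; refresh
                                            1H ; retry
                                            1W ; expire
                                            3H ) ; minimum
            IN   NS     ns1.v6lab.org.
"""

if __name__ == "__main__":
    text, serial = bump_serial(SAMPLE)
    print(f"new serial: {serial}")
    print(text)
```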

5. Configure Secondary Server

Log into the secondary server and modify the /etc/named.conf file to match that of the primary server.

vi /etc/named.conf

Once the file has been updated, the zone needs to be added to /etc/named.rfc1912.zones on the secondary server. For the forward zone:

zone "v6lab.org" IN {
    type slave;
    file "slaves/for.db.v6lab.org";
    masters { 192.0.2.53; 2001:db8:0:1::53; };
};

And, for the reverse zone:

zone "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
    type slave;
    file "slaves/rev.db.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa";
    masters { 192.0.2.53; 2001:db8:0:1::53; };
};

6. Verify and Troubleshoot DNS Issues

If the secondary server is able to replicate the zones from the master, you will see the zone database files on the secondary server. Check here:

cd /var/named/slaves

Syntax errors in the configuration files are easy to overlook. Therefore, it is always recommended to run named-checkconf before starting or restarting the named process.

named-checkconf

When problems occur, the named log file is the first place to start looking. The log file on CentOS will be found here:

/var/named/data/named.run