Linode Forum
Linode Community Forums
PostPosted: Sun Jul 11, 2010 2:09 pm 
Junior Member

Joined: Thu Apr 29, 2010 3:32 pm
Posts: 44
Website: http://devjonfos.net
Location: Oregon
I've got IPv6 set up with an HE tunnel and I'm running NSD 3.2.4 on both my Linodes with nameservers ns1.jonfoster.org and ns2.jonfoster.org.

NSD is binding to udp/udp6 port 53 and tcp/tcp6 port 53.

My firewall is open for port 53 in both iptables and ip6tables for both udp and tcp.

I've got Wireshark watching the DNS exchange and I see the standard DNS query/response on IPv6, but there is an additional line in the Wireshark data that I don't understand:

Code:
958 202716.271255 2001:470:0:45::2 -> 2001:470:1f05:c23::a1 DNS Standard query AAAA devjonfos.net
959 202716.271513 2001:470:1f04:c23::2 -> 2001:470:0:45::2 DNS Standard query response AAAA 2001:470:1f05:e66::b1
960 202716.271967 2001:470:0:45::2 -> 2001:470:1f04:c23::2 ICMPv6 Unreachable (Port unreachable)


Which port is unreachable? Does this have something to do with DNS security?

Here's the raw data:

Code:
958 202716.271255 2001:470:0:45::2 -> 2001:470:1f05:c23::a1 DNS Standard query AAAA devjonfos.net

0000  fe fd ad e6 94 f2 00 12 f2 8f 79 08 08 00 45 00   ..........y...E.
0010  00 63 00 00 40 00 fc 29 8b 1a 48 34 68 4a ad e6   .c..@..)..H4hJ..
0020  94 f2 60 00 00 00 00 27 11 40 20 01 04 70 00 00   ..`....'.@ ..p..
0030  00 45 00 00 00 00 00 00 00 02 20 01 04 70 1f 05   .E........ ..p..
0040  0c 23 00 00 00 00 00 00 00 a1 59 09 00 35 00 27   .#........Y..5.'
0050  49 c1 aa a7 00 00 00 01 00 00 00 00 00 00 09 64   I..............d
0060  65 76 6a 6f 6e 66 6f 73 03 6e 65 74 00 00 1c 00   evjonfos.net....
0070  01                                                .

959 202716.271513 2001:470:1f04:c23::2 -> 2001:470:0:45::2 DNS Standard query response AAAA 2001:470:1f05:e66::b1

0000  00 12 f2 8f 79 08 fe fd ad e6 94 f2 08 00 45 00   ....y.........E.
0010  00 bd 00 00 40 00 ff 29 87 c0 ad e6 94 f2 48 34   ....@..)......H4
0020  68 4a 60 00 00 00 00 81 11 40 20 01 04 70 1f 04   hJ`......@ ..p..
0030  0c 23 00 00 00 00 00 00 00 02 20 01 04 70 00 00   .#........ ..p..
0040  00 45 00 00 00 00 00 00 00 02 00 35 59 09 00 81   .E.........5Y...
0050  b9 cf aa a7 84 00 00 01 00 01 00 02 00 00 09 64   ...............d
0060  65 76 6a 6f 6e 66 6f 73 03 6e 65 74 00 00 1c 00   evjonfos.net....
0070  01 09 64 65 76 6a 6f 6e 66 6f 73 03 6e 65 74 00   ..devjonfos.net.
0080  00 1c 00 01 00 00 0e 10 00 10 20 01 04 70 1f 05   .......... ..p..
0090  0e 66 00 00 00 00 00 00 00 b1 c0 1f 00 02 00 01   .f..............
00a0  00 00 0e 10 00 13 03 6e 73 31 09 6a 6f 6e 66 6f   .......ns1.jonfo
00b0  73 74 65 72 03 6f 72 67 00 c0 1f 00 02 00 01 00   ster.org........
00c0  00 0e 10 00 06 03 6e 73 32 c0 58                  ......ns2.X

960 202716.271967 2001:470:0:45::2 -> 2001:470:1f04:c23::2 ICMPv6 Unreachable (Port unreachable)

0000  fe fd ad e6 94 f2 00 12 f2 8f 79 08 08 00 45 00   ..........y...E.
0010  00 ed 00 00 40 00 fc 29 8a 90 48 34 68 4a ad e6   ....@..)..H4hJ..
0020  94 f2 60 00 00 00 00 b1 3a 40 20 01 04 70 00 00   ..`.....:@ ..p..
0030  00 45 00 00 00 00 00 00 00 02 20 01 04 70 1f 04   .E........ ..p..
0040  0c 23 00 00 00 00 00 00 00 02 01 04 18 8f 00 00   .#..............
0050  00 00 60 00 00 00 00 81 11 40 20 01 04 70 1f 04   ..`......@ ..p..
0060  0c 23 00 00 00 00 00 00 00 02 20 01 04 70 00 00   .#........ ..p..
0070  00 45 00 00 00 00 00 00 00 02 00 35 59 09 00 81   .E.........5Y...
0080  b9 cf aa a7 84 00 00 01 00 01 00 02 00 00 09 64   ...............d
0090  65 76 6a 6f 6e 66 6f 73 03 6e 65 74 00 00 1c 00   evjonfos.net....
00a0  01 09 64 65 76 6a 6f 6e 66 6f 73 03 6e 65 74 00   ..devjonfos.net.
00b0  00 1c 00 01 00 00 0e 10 00 10 20 01 04 70 1f 05   .......... ..p..
00c0  0e 66 00 00 00 00 00 00 00 b1 c0 1f 00 02 00 01   .f..............
00d0  00 00 0e 10 00 13 03 6e 73 31 09 6a 6f 6e 66 6f   .......ns1.jonfo
00e0  73 74 65 72 03 6f 72 67 00 c0 1f 00 02 00 01 00   ster.org........
00f0  00 0e 10 00 06 03 6e 73 32 c0 58                  ......ns2.X



This pattern repeats with other IPv6 DNS exchanges from other IPv6 addresses.


PostPosted: Sun Jul 11, 2010 6:17 pm 
Senior Member

Joined: Sun Oct 30, 2005 7:52 pm
Posts: 97
I don't know if this is helpful or not, but I got this when I did a quick test:

Code:
reply from unexpected source: 2001:470:1f04:c23::2#53, expected 2001:470:1f05:c23::a1#53


I'm guessing the reply is not coming from the destination the query was sent to.

--
Travis
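An added example, not part of the thread, that decodes frames 958 and 960 from the first post to check Travis's reading: an ICMPv6 Port Unreachable quotes the datagram that was refused, so unwrapping it shows that the refused reply came from 2001:470:1f04:c23::2 while the query went to 2001:470:1f05:c23::a1, and that the "unreachable" port is the querying host's own ephemeral UDP port, not port 53. It assumes the frames are 6in4-encapsulated (IPv4 protocol 41), which is what the dumps show.

```python
import struct
from ipaddress import IPv6Address

# Header bytes of frames 958 (query) and 960 (ICMPv6) from the thread's dumps; DNS cut after its ID.
QUERY = bytes.fromhex(
    "fefdade694f20012f28f790808004500006300004000fc298b1a4834684aade6"
    "94f2600000000027114020010470000000450000000000000002200104701f05"
    "0c2300000000000000a159090035002749c1aaa7")
PORT_UNREACH = bytes.fromhex(
    "fefdade694f20012f28f79080800450000ed00004000fc298a904834684aade6"
    "94f26000000000b13a4020010470000000450000000000000002200104701f04"
    "0c2300000000000000020104188f000000006000000000811140200104701f04"
    "0c23000000000000000220010470000000450000000000000002003559090081"
    "b9cfaaa7")

ETH_LEN, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_ICMPV6 = 14, 17, 41, 58

def ipv6_header(buf, off):
    # -> (next_header, src, dst, offset of the IPv6 payload)
    return (buf[off + 6], IPv6Address(buf[off + 8:off + 24]),
            IPv6Address(buf[off + 24:off + 40]), off + 40)

def tunnel_payload(frame):
    # Skip Ethernet and the IPv4 6in4 header; return the offset of the tunnelled IPv6 header.
    if frame[ETH_LEN + 9] != IPPROTO_IPV6:
        raise ValueError("not a 6in4 frame")
    return ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4

def udp_dns_at(buf, off):
    # -> (src, sport, dst, dport, dns_id) for the IPv6/UDP/DNS packet starting at off
    nh, src, dst, off = ipv6_header(buf, off)
    if nh != IPPROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, _, _, dns_id = struct.unpack_from("!HHHHH", buf, off)
    return src, sport, dst, dport, dns_id

def rejected_packet(frame):
    # ICMPv6 type 1 code 4: after its 8-byte header it quotes the datagram that was refused.
    nh, _, _, off = ipv6_header(frame, tunnel_payload(frame))
    if nh != IPPROTO_ICMPV6 or frame[off:off + 2] != b"\x01\x04":
        raise ValueError("not ICMPv6 Port Unreachable")
    return udp_dns_at(frame, off + 8)

def diagnose(query, icmp):
    q_src, q_sport, q_dst, _, q_id = udp_dns_at(query, tunnel_payload(query))
    r_src, _, r_dst, r_dport, r_id = rejected_packet(icmp)
    return {"unreachable_port": r_dport,  # the querier's own ephemeral port
            "same_transaction": r_dst == q_src and r_dport == q_sport and r_id == q_id,
            "query_sent_to": str(q_dst), "reply_came_from": str(r_src),
            "source_mismatch": r_src != q_dst}  # why the querier's stack refused the reply
```

Calling diagnose(QUERY, PORT_UNREACH) reports the refused reply as the same DNS transaction (ID 0xaaa7, port 22793) but with a source address that does not match the query's destination.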


PostPosted: Sun Jul 11, 2010 7:01 pm 
Junior Member

Joined: Thu Apr 29, 2010 3:32 pm
Posts: 44
Website: http://devjonfos.net
Location: Oregon
Ahh, okay...so maybe it's the HE tunnel address that others see as opposed to the actual address that is set in the quad-A record and that might be causing the unreachable port messages.

BTW, were you actually able to get the quad-A record for ns1.jonfoster.org?


PostPosted: Sun Jul 11, 2010 7:54 pm 
Senior Member

Joined: Sun Oct 30, 2005 7:52 pm
Posts: 97
devjonfos wrote:
Ahh, okay...so maybe it's the HE tunnel address that others see as opposed to the actual address that is set in the quad-A record and that might be causing the unreachable port messages.

BTW, were you actually able to get the quad-A record for ns1.jonfoster.org?

Yes, both A and AAAA records.

Code:
Default server: ns1.jonfoster.org.
Address: 2001:470:1f05:c23::a1#53
Default server: ns1.jonfoster.org.
Address: 173.230.148.242#53
> ns1.jonfoster.org.
;; reply from unexpected source: 2001:470:1f04:c23::2#53, expected 2001:470:1f05:c23::a1#53
Server:         ns1.jonfoster.org.
Address:        173.230.148.242#53

ns1.jonfoster.org       has AAAA address 2001:470:1f05:c23::a1
>


PostPosted: Tue Jul 13, 2010 3:14 pm 
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
dnsmasq will, occasionally, try every resolver in its configuration for a question. The first one to answer gets nothing back, and the rest get ICMP Port Unreachable (since dnsmasq closed up shop and moved on). That isn't what's happening here, but worth noting in the future...I just discovered this since I had six resolvers in my dnsmasq configuration.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.

