nsd via IPv6 on port 53 not reachable

Hi, since v0.15 I’ve noticed that something is wrong with IPv6 on my system.
The status check reports “Public DNS (nsd4) is running and available over IPv4 but is not accessible over IPv6 at 2a01:xxx:120:404a::2 port 53.”
I am unsure whether this has to do with MIAB or something else.

The IPv6 address is public, pingable and the domain resolves to it, but port 53 is closed, even locally on the server with “localhost” as the address:

nmap -p 53 -6 2a01:xxx:120:404a::2   

Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-12 11:17 CET
Nmap scan report for confab.example.com (2a01:xxx:120:404a::2)
Host is up (0.030s latency).
PORT   STATE  SERVICE
53/tcp closed domain

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

but nsd is listening on port 53:

lsof -i :53
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   2112 www-data   16u  IPv4  18854      0t0  UDP localhost.localdomain:38573->localhost.localdomain:domain 
nginx   2113 www-data   15u  IPv4  25600      0t0  UDP localhost.localdomain:47345->localhost.localdomain:domain 
named   3670     bind   20u  IPv4  17389      0t0  TCP localhost.localdomain:domain (LISTEN)
named   3670     bind  512u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  513u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  514u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  515u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  516u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  517u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  518u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
named   3670     bind  519u  IPv4  17388      0t0  UDP localhost.localdomain:domain 
nsd     4278      nsd    3u  IPv4  23764      0t0  UDP confab.example.com:domain 
nsd     4278      nsd    4u  IPv6  23765      0t0  UDP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain 
nsd     4278      nsd    5u  IPv4  23766      0t0  TCP confab.example.com:domain (LISTEN)
nsd     4278      nsd    6u  IPv6  23767      0t0  TCP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain (LISTEN)
nsd     4281      nsd    3u  IPv4  23764      0t0  UDP confab.example.com:domain 
nsd     4281      nsd    4u  IPv6  23765      0t0  UDP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain 
nsd     4281      nsd    5u  IPv4  23766      0t0  TCP confab.example.com:domain (LISTEN)
nsd     4281      nsd    6u  IPv6  23767      0t0  TCP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain (LISTEN)
nsd     4284      nsd    3u  IPv4  23764      0t0  UDP confab.example.com:domain 
nsd     4284      nsd    4u  IPv6  23765      0t0  UDP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain 
nsd     4284      nsd    5u  IPv4  23766      0t0  TCP confab.example.com:domain (LISTEN)
nsd     4284      nsd    6u  IPv6  23767      0t0  TCP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain (LISTEN)

And the firewall does not block port 53:

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
53                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
587                        ALLOW       Anywhere
993                        ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
995                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
53 (v6)                    ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
587 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
995 (v6)                   ALLOW       Anywhere (v6)

Also really strange: after a day or a few days I have to reboot the server because the public IPv6 address becomes unreachable. I’ve already contacted the hosting company, but they’ve found nothing suspicious. The server (dedicated, not virtual) is a fresh install and is currently running Ubuntu 14.04.3 LTS. All I’ve installed is MIAB + nmap.

Does anyone have an idea what’s going on or what could be the cause for this?
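In the lsof listing above, nsd’s IPv6 sockets are bound to a 2001:xxx:… address, while the status check probes 2a01:xxx:120:404a::2, and nmap reports the port as closed rather than filtered, i.e. the connection is refused, not dropped by a firewall. The script below is an added example, not code from this thread or from Mail-in-a-Box. It parses lsof -i output (a constructed sample abridged from the listing above), reports which addresses a daemon has actually bound on the DNS port versus the address a status check expects, and can send a minimal SOA query over TCP to confirm that the server answers authoritatively there. The hostname, the redacted xxx addresses and the script name are placeholders taken from the thread.

```python
"""Compare the address a status check probes against the sockets a DNS daemon
actually has bound, using `lsof -i` output; then optionally send a minimal SOA
query to the expected address to confirm it answers.

Added example: not part of the original thread or of Mail-in-a-Box."""
import ipaddress
import re
import socket
import struct
import sys

# Constructed sample, abridged from the lsof -i :53 listing in the thread
# (hostname and addresses redacted as they were there).
SAMPLE_LSOF = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   2112 www-data   16u  IPv4  18854      0t0  UDP localhost.localdomain:38573->localhost.localdomain:domain
named   3670     bind   20u  IPv4  17389      0t0  TCP localhost.localdomain:domain (LISTEN)
nsd     4278      nsd    3u  IPv4  23764      0t0  UDP confab.example.com:domain
nsd     4278      nsd    4u  IPv6  23765      0t0  UDP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain
nsd     4278      nsd    5u  IPv4  23766      0t0  TCP confab.example.com:domain (LISTEN)
nsd     4278      nsd    6u  IPv6  23767      0t0  TCP [2001:xxx:1000:a:8000:0:4e2e:4942]:domain (LISTEN)
"""

DNS_PORTS = {"domain", "53"}  # lsof prints the service name unless run with -P

LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<fam>IPv[46])\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$"
)


def parse_lsof(text):
    """Return the bound (server-side) sockets in `lsof -i` output as dicts."""
    sockets = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m or "->" in m.group("name"):
            continue  # header, unrecognised line, or a connected client socket
        if m.group("proto") == "TCP" and m.group("state") != "LISTEN":
            continue  # established TCP connection, not a listener
        addr, _, port = m.group("name").rpartition(":")
        sockets.append({
            "cmd": m.group("cmd"), "pid": int(m.group("pid")),
            "family": m.group("fam"), "proto": m.group("proto"),
            "addr": addr.strip("[]"), "port": port,
        })
    return sockets


def normalise(addr):
    """Canonical text for real IPs; redacted or hostname values pass through unchanged."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return addr


def check_listener(sockets, expected_addr, command="nsd"):
    """Is `command` bound to a DNS port on `expected_addr`? Also report what it is bound to."""
    family = "IPv6" if ":" in expected_addr else "IPv4"
    bound = sorted({normalise(s["addr"]) for s in sockets
                    if s["cmd"] == command and s["family"] == family
                    and s["port"] in DNS_PORTS})
    want = normalise(expected_addr)
    return {"expected": want, "family": family, "bound": bound, "ok": want in bound}


def build_soa_query(name, txid=0x1234):
    """Minimal DNS query for `name` SOA IN. RD stays clear: nsd is authoritative only."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def parse_header(resp):
    """Decode the 12-byte DNS header; AA set with RCODE 0 means an authoritative answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def tcp_probe(addr, name, port=53, timeout=3.0):
    """Send the SOA query over TCP (IPv4 or IPv6); None if refused, unreachable or timed out."""
    query = build_soa_query(name)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return parse_header(_recv_exact(s, length))
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: lsof -i :53 | python3 check_nsd.py <expected-ip> [<zone>]
    expected = sys.argv[1] if len(sys.argv) > 1 else "2a01:xxx:120:404a::2"
    text = SAMPLE_LSOF if sys.stdin.isatty() else sys.stdin.read()
    print(check_listener(parse_lsof(text), expected))
    if len(sys.argv) > 2:
        print(tcp_probe(expected, sys.argv[2]))
```

Run against the sample, the report shows ok False with the 2001:xxx:… address as the only IPv6 binding, which is exactly the situation the listing above shows: the daemon is up, the firewall allows 53, but nothing is bound on the address the status check tests. Piping real lsof output and passing a zone name extends the check to a live query; a reply with aa True and rcode 0 confirms the server is answering authoritatively on that address.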

OK, fixed it.

A few things happened:

  1. /etc/nsd/nsd.conf needs the explicit port: 53 setting (fixes the main problem)
  2. The glue records were missing the IPv6 addresses (my fault)

IIRC nsd.conf is overwritten every time I run the MIAB setup, and setup/dns.sh does not contain a port setting, so I wonder whether this is a bug or a misconfiguration on my machine?

Port 53 is the default for nsd.conf, so it shouldn’t be necessary…

“Shouldn’t be”: you’re absolutely right, because it should default to 53 (I looked up the nsd source code for that), but it did not in this particular case. Very weird!

For now everything works perfectly but I still wonder why it did not default to 53.
