Don't accept RDNSS from router announcements in Linux

I have an Ubuntu 20.04 router that uses its own IP as DNS server obtained from router announcements, creating DNS loops. I can't figure out how to ignore RDNSS (recursive DNS server) from router announcements.

Loop:

Jan 19 17:26:28 myrouter dnsmasq[1074014]: query[AAAA] mobile.events.data.trafficmanager.net from fe80::21b:21ff:fee0:a6b3
Jan 19 17:26:28 myrouter dnsmasq[1074014]: forwarded mobile.events.data.trafficmanager.net to 127.0.0.53
Jan 19 17:26:28 myrouter dnsmasq[1074014]: query[AAAA] mobile.events.data.trafficmanager.net from fe80::21b:21ff:fee0:a6b3
Jan 19 17:26:28 myrouter dnsmasq[1074014]: forwarded mobile.events.data.trafficmanager.net to 127.0.0.53

Network setup:

  • eth0 = not used.
  • eth1 = WAN. 99.99.99.162/24, 2a01:xx:xx:xx::2/126
  • eth2 = LAN1. 10.50.0.1/16, 2a01:xx:xx:1337:10:50:0:1/64
  • more LANs, not relevant

network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      match:
        macaddress: "00:1b:21:e0:a6:b2"  # non-obfuscated
      set-name: eth1
      addresses:
        - 99.99.99.162/24
        - 2a01:xx:xx:xx::2/126
      gateway4: 99.99.99.161
      gateway6: 2a01:xx:xx:xx::1
      nameservers:
        addresses:
          - 33.33.33.10
          - 44.44.44.10
        search: [ company, company.nl ]
    eth2:
      match:
        macaddress: "00:1b:21:e0:a6:b3"  # non-obfuscated; will appear as IPv6 fe80
      set-name: eth2
      addresses:
        - 10.50.0.1/16
        - 2a01:xx:xx:1337:10:50:0:1/64
      nameservers:
        addresses:
          - 33.33.33.10
          - 44.44.44.10

Dnsmasq binds on all interfaces except eth1 and lo. radvdump shows that after a restart of dnsmasq, it sends out a router advertisement with fe80::21b:21ff:fee0:a6b3 as RDNSS (recursive DNS server). Our clients don't seem to pick it up and only use the IPv4 one. But the router itself does:

Link 5 (eth2)
      Current Scopes: DNS                     
DefaultRoute setting: yes                     
       LLMNR setting: yes                     
MulticastDNS setting: no                      
  DNSOverTLS setting: no                      
      DNSSEC setting: no                      
    DNSSEC supported: no                      
  Current DNS Server: 33.33.33.10           
         DNS Servers: 44.44.44.10             
                      33.33.33.10           
                      fe80::21b:21ff:fee0:a6b3 <- appears a short while after 'netplan try'

I tried disabling it:

net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.lo.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

But no luck. Any ideas?
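A check for the symptom described above, added here as an example and not part of the question: it derives the EUI-64 link-local address from an interface's MAC (which is how the fe80:: address on eth2 arises) and flags any entry in `resolvectl status` output that is a link-local DNS server or is the host's own address. The function names and the sample status text are constructed for this example; the MAC and addresses are the ones from the question.

```python
import ipaddress
import re
def eui64_link_local(mac):
    """SLAAC link-local address (fe80::/64 + modified EUI-64) for a MAC address."""
    octets = [int(b, 16) for b in mac.split(":")]
    octets[0] ^= 0x02                           # flip the universal/local bit
    iid = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ipaddress.IPv6Address(bytes([0xFE, 0x80] + [0] * 6 + iid))

def parse_dns_servers(status_text):
    """Map link name -> 'DNS Servers:' entries from `resolvectl status` output."""
    links, current, in_servers = {}, None, False
    for line in (l.strip() for l in status_text.splitlines()):
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:                                   # start of a per-link section
            current, in_servers = m.group(1), False
            links[current] = []
            continue
        if line.startswith("DNS Servers:"):     # first server sits on the label line
            in_servers, line = True, line[len("DNS Servers:"):].strip()
        if current and in_servers and line:
            try:                                # first token only: skips annotations
                links[current].append(str(ipaddress.ip_address(line.split()[0])))
            except ValueError:                  # a labelled field: server list is over
                in_servers = False
    return links

def suspicious_dns_servers(status_text, link_macs):
    """(link, server, reason) for every link-local or self-referencing DNS server."""
    own = {eui64_link_local(mac) for mac in link_macs.values()}
    findings = []
    for link, servers in parse_dns_servers(status_text).items():
        for server in servers:
            addr = ipaddress.ip_address(server)
            if addr.version != 6 or not addr.is_link_local:
                continue                        # static/DHCP servers are expected
            reason = "link-local server, typically learned from an RA RDNSS option"
            if addr in own:
                reason = "this host's own SLAAC address: queries loop back to itself"
            findings.append((link, server, reason))
    return findings

SAMPLE_STATUS = """\
Link 5 (eth2)
  Current DNS Server: 33.33.33.10
         DNS Servers: 44.44.44.10
                      33.33.33.10
                      fe80::21b:21ff:fee0:a6b3
"""  # constructed sample modelled on the question's resolvectl output
SAMPLE_MACS = {"eth2": "00:1b:21:e0:a6:b3"}  # eth2 MAC from the question's netplan
```

Run `suspicious_dns_servers(SAMPLE_STATUS, SAMPLE_MACS)` to see the eth2 entry reported as the host's own address, i.e. the loop seen in the dnsmasq log.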


Solution 1:

It's not the kernel's job to update nameservers based on RDNSS. It's done via whatever you use to manage your network connections.

Edit: I misunderstood what you wanted and thought of a way too complicated scenario. Rephrasing it slightly: "Having a static IPv4 and IPv6 setup, netplan does SLAAC anyway. Why?"

To fix this, include

accept-ra: false

in your netplan config for the desired interface(s) (source).

For completeness' sake, here's a sample config for a freshly provisioned Ubuntu 20.10 box:

network:
  ethernets:
    enp0s3:
      dhcp4: false
      dhcp6: false
      accept-ra: false
      addresses:
        - 192.168.1.x/24
        - 2001:DB8::64/64
      gateway4: 192.168.1.1
      gateway6: 2001:DB8::1
      nameservers:
        addresses:
          - 192.168.1.1
  version: 2

The following was for "I want SLAAC, but without RDNSS!":

In Ubuntu's case, it's managed with netplan. When testing it, I was unable to use SLAAC without RDNSS. I suggest setting your IPv6 address statically.

Here's an excerpt from netplan's manpage:

dhcp6 (bool)

Enable DHCP for IPv6. Off by default. This covers both stateless DHCP - where the DHCP server supplies information like DNS nameservers but not the IP address - and stateful DHCP, where the server provides both the address and the other information.

If you are in an IPv6-only environment with completely stateless autoconfiguration (SLAAC with RDNSS), this option can be set to cause the interface to be brought up. (Setting accept-ra alone is not sufficient.) Autoconfiguration will still honour the contents of the router advertisement and only use DHCP if requested in the RA.

Note that rdnssd(8) is required to use RDNSS with networkd. No extra software is required for NetworkManager.

[...]

If both dhcp4 and dhcp6 are true, the networkd backend requires that dhcp4-overrides and dhcp6-overrides contain the same keys and values. If the values do not match, an error will be shown and the network configuration will not be applied.