Posts Tagged ‘ipv6’

Configure BIND 9 For IPv4 (or IPv6) Only

March 21st, 2009

I’m running a slave DNS server on the machine that runs this website.  It is one of three DNS servers (one master, two slaves) that I have running for my multiple domains.  I recently noticed from my Logwatch output that it was having issues with IPv6 lookups and these were causing timeouts and putting extra notices in my log files.  I decided the best route would be to just turn off IPv6 in BIND altogether.

Configuring named

The named man page (man named) lists two options for restricting BIND to IPv4 or IPv6.  These options are mutually exclusive, meaning using one of them will not allow you to use the other.  Either IPv4 or IPv6, not both.  The default is to use both, so if you want to continue supporting lookups on IPv4 and IPv6 there is nothing more you need to do.  If you want to *only* use one or the other you can use the -4 or -6 options in the configuration.

IPv4 only (/etc/default/bind9):

# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"

IPv6 only (/etc/default/bind9):

# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-6 -u bind"

Once you have updated this file and defined the option you want, you’ll simply need to restart the BIND service and it’ll start listening on one or the other but, again, not both.

sudo /etc/init.d/bind9 restart

My BIND installation is now listening on only IPv4 and I have yet to see the same slowdown or amount of log output that I used to.  I guess, when we start using IPv6 one of these days I’ll need to change it, but I don’t have a lot of faith in that happening anytime soon.

Categories: Server

Disabling SSH connections on ipv6

January 12th, 2008

I was parsing through some of the logs on my new server tonight and I saw some unsuccessful ssh connections on ipv6. I thought I would mention quickly how you can disable listening on ipv6.

ListenAddress

The /etc/ssh/sshd_config file configures how your ssh daemon should run. By default it is likely listening on 0.0.0.0 (all ipv4 addresses) and :: (all ipv6), which is defined by two lines:

#ListenAddress 0.0.0.0
#ListenAddress ::

To configure your server to *not* listen on ipv6 you can remove that line. Now it might appear a bit confusing that the line we’re removing is commented out. That means it’s not reading that line, right? In this case it is displaying one of the default settings. Once an uncommented ListenAddress line is present, sshd binds only to the addresses listed. I have altered my file to only listen on my public facing ipv4 address by removing the “::” listing, and specifically defining an ip instead of “0.0.0.0”.

Another solution which was brought to my attention by a comment is outlined here:

AddressFamily any # default
AddressFamily inet # IPv4 only
AddressFamily inet6 # IPv6 only

By defining the AddressFamily type that we want to use we can listen on both ipv4 and ipv6, just ipv4 or just ipv6. Find the line above in your config and define the AddressFamily you would prefer to listen on.

Once you update these lines you’ll need to restart your ssh service.

sudo /etc/init.d/ssh restart

Also, as a second measure you can firewall ipv6. I’ll be posting a firewall tutorial soon, but the below single command will block all incoming traffic on ipv6:

sudo ip6tables -P INPUT DROP
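To confirm that the -4 option for named and the sshd address settings took effect, the listening sockets can be checked after the restart. The script below is an added example, not part of the original posts: it filters `ss -H -tuln` output for IPv6 listeners on the SSH and DNS ports. The function names and the sample socket lines are constructed for illustration, and it assumes the iproute2 `ss` tool is installed.

```shell
#!/bin/sh
# Added example: list IPv6 listeners still present on the SSH and DNS ports.
# Live use (assumes iproute2 is installed):  ss -H -tuln | v6_listeners
# Reads `ss -H -tuln` lines on stdin, prints "proto port address" per hit.
v6_listeners() {
    ports="${1:-22 53}"   # space-separated ports to check
    awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            la = $5                          # Local Address:Port column
            port = la; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in want)) next
            # Bracketed addresses are IPv6; ss prints a dual-stack
            # wildcard socket as "*", which also accepts IPv6.
            if (addr ~ /^\[/ || addr == "*") print $1, port, addr
        }'
}

# Constructed sample: sockets before the changes (192.0.2.10 is a doc address).
sample_before() { cat <<'EOF'
udp UNCONN 0 0   192.0.2.10:53 0.0.0.0:*
udp UNCONN 0 0   [::]:53       [::]:*
tcp LISTEN 0 10  192.0.2.10:53 0.0.0.0:*
tcp LISTEN 0 10  [::]:53       [::]:*
tcp LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp LISTEN 0 128 [::]:22       [::]:*
tcp LISTEN 0 128 [::1]:953     [::]:*
EOF
}

# Constructed sample: sockets after named -4 and an IPv4-only sshd.
sample_after() { cat <<'EOF'
udp UNCONN 0 0   192.0.2.10:53 0.0.0.0:*
tcp LISTEN 0 10  192.0.2.10:53 0.0.0.0:*
tcp LISTEN 0 128 192.0.2.10:22 0.0.0.0:*
EOF
}

echo "IPv6 listeners before:"; sample_before | v6_listeners
echo "IPv6 listeners after:";  sample_after  | v6_listeners
```

An empty result for the "after" case means neither service is still bound to an IPv6 address on those ports.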

Categories: Security

How To Disable ipv6 on Ubuntu 7.10 “Gutsy Gibbon”

November 18th, 2007

I found a really quick fix today for disabling ipv6 completely on Ubuntu 7.10 (not yet tested on previous versions). This might be of interest to some of you that have had networking problems, as I’ve heard disabling ipv6 at least within the browser has been a help here. This tutorial will disable ipv6 completely on the machine. At this point activating or disabling ipv6 probably won’t make much of a difference as very few people actually implement or use ipv6. Unless you know you have a reason to need (or not need) this, you can probably safely leave it where it is.

Disabling ipv6 on Ubuntu 7.10

We’ll simply need to change a line in one of the configuration files that loads the ipv6 module to the kernel. As of yet I have not figured out a way to update this change outside of restarting the machine. If anyone has any suggestions on removing ipv6 “live” I would appreciate it.

Change the line in /etc/modprobe.d/aliases from:

alias net-pf-10 ipv6

to

alias net-pf-10 off

Again, at this point you’ll need to restart your machine for the change to take place. If anyone knows of a way to avoid the reboot I would appreciate it.

Categories: Internet