Many organizations operate in hybrid network environments where internal networks support both IPv4 and IPv6 (dual-stack), while external connectivity remains IPv4-only. This creates a particular challenge for DNS resolution where BIND may unnecessarily attempt IPv6 queries that will fail when reaching the IPv4-only internet gateway.
By default, BIND 9.x tries IPv6 first when resolving names, then falls back to IPv4 if the IPv6 attempt fails. This behavior is governed by the preferred-glue setting in named.conf:
options {
    preferred-glue AAAA;
    // Other options...
};
To make BIND prefer IPv4 while maintaining IPv6 capability, modify your named.conf with these settings:
options {
    preferred-glue A;
    dual-stack-servers {
        // Hosts reachable over both IPv4 and IPv6. named consults them only when
        // it lacks a transport itself (for example when started with -4); a
        // dual-stacked named ignores this list.
        2001:4860:4860::8888; // Google IPv6 DNS
        2606:4700:4700::1111; // Cloudflare IPv6 DNS
    };
    // Restrict UDP source ports to 32768-65535. These lists shape source-port
    // selection only; they do not stop queries to IPv6 nameservers.
    avoid-v4-udp-ports { range 1 32767; };
    avoid-v6-udp-ports { range 1 32767; };
};
For environments where IPv6 connectivity is intermittent, consider these additional optimizations:
options {
    // Total time named spends on one recursive query; it is not an IPv6-specific
    // timer. The permitted window is 10-30 s (values above 300 are read as
    // milliseconds), so 2000 is clamped.
    resolver-query-timeout 2000;
    // Caps the TTL of positive answers at one hour; negative answers
    // (NXDOMAIN/NODATA) are governed by max-ncache-ttl instead.
    max-cache-ttl 3600;
    // Source address and port for outgoing queries. These pick where queries
    // originate, not which transport is preferred; the IPv4 form is query-source.
    query-source address * port *;
    query-source-v6 address * port *;
};
For domains that you know have reliable IPv6 connectivity, you can create view-specific overrides:
view "ipv6-enabled-domains" {
    match-clients { any; };
    // Once any view is defined, every zone must be declared inside a view.
    zone "ipv6.example.com" {
        type forward;
        forward only;
        forwarders { 2001:db8::1; };
    };
};
To prevent log flooding from failed IPv6 attempts while maintaining visibility:
logging {
    channel default_debug {
        file "named.run";
        severity dynamic;
        // print-severity and print-time annotate each line; they do not filter.
        // Messages in categories with no explicit channel fall into "unmatched".
        print-severity yes;
        print-time yes;
    };
    category default { default_debug; };
    category unmatched { null; };
};
After implementing these changes, verify your configuration with:
named-checkconf
rndc reconfig
dig +short +stats google.com
dig +short +stats -6 google.com
Monitor your query patterns with:
rndc querylog
tcpdump -ni any port 53
When running BIND 9.9 (or later versions) in dual-stack networks with IPv4-only Internet connectivity, administrators often face a dilemma. While we want to maintain IPv6 readiness for future connectivity, immediate IPv6 DNS queries to external resolvers result in unnecessary timeouts and log clutter.
By default, BIND attempts both IPv4 and IPv6 resolution with a slight preference for IPv6 in modern versions. The key parameters controlling this behavior are:
options {
    // Existing configuration
    // "prefer-ipv6" is not a named.conf option (named-checkconf reports an
    // unknown option); transport is chosen on the command line with named -4 or -6.
    // dual-stack-servers takes a list of hosts or addresses, not yes/no.
    // edns-udp-size is the advertised EDNS buffer; max-udp-size caps UDP replies sent.
    edns-udp-size 1232;
    max-udp-size 1232;
};
To optimize resolution while maintaining IPv6 capability:
options {
    // "prefer-ipv6" is not a valid option; start named with -4 to confine the
    // server to IPv4 transport.
    // dual-stack-servers requires a host list, not "no"; omit it or list hosts.
    // Advertise a 1232-byte EDNS buffer (IPv6 minimum MTU 1280 minus headers)
    edns-udp-size 1232;
    // Total recursion time per query. 3000 lies outside the allowed 10-30 s
    // window and is clamped; it does not suppress IPv6 attempts.
    resolver-query-timeout 3000;
    // Bound the work spent on a single recursive resolution
    max-recursion-queries 100;
    max-recursion-depth 15;
};
For specific zones where IPv6 must always be attempted first:
zone "ipv6.example.com" {
    type forward;
    forwarders { 2001:db8::1; 2001:db8::2; };
    forward only;
    // There is no per-zone "prefer-ipv6" option; listing only IPv6 forwarders
    // is what makes this zone resolve over IPv6.
};
After implementing these changes:
- Check query statistics with: rndc stats
- Monitor resolution times via: dig +stat
- Verify transport selection with: tcpdump -n port 53
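The verification steps above (dig +stats and dig -6 in the first half, dig +stat and tcpdump in the second) leave reading dig's output to the operator. The following is an added example, not code from this page or from ISC: it parses dig +stats output into the answering server's address family and query time so a batch of lookups can be tallied per transport. The sample outputs are constructed in the shape dig prints them, and the 1000 ms "slow" threshold is an assumption.

```python
import ipaddress
import re

# Constructed sample outputs in the shape `dig +stats` prints; not captured output.
SAMPLE_V4 = """;; Query time: 23 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (UDP)
;; WHEN: Tue Jan 02 10:00:00 UTC 2024
;; MSG SIZE  rcvd: 55
"""
SAMPLE_V6 = """;; Query time: 2010 msec
;; SERVER: 2001:db8::53#53(2001:db8::53) (UDP)
;; WHEN: Tue Jan 02 10:00:02 UTC 2024
;; MSG SIZE  rcvd: 55
"""
SAMPLE_FAIL = ";; connection timed out; no servers could be reached\n"

SERVER_RE = re.compile(r"^;; SERVER: (?P<addr>[^#\s]+)#(?P<port>\d+)", re.MULTILINE)
QTIME_RE = re.compile(r"^;; Query time: (?P<ms>\d+) msec", re.MULTILINE)
SLOW_MS = 1000  # assumed threshold for flagging a lookup as slow


def parse_dig_stats(text: str) -> dict:
    """Return which server/family answered and how long it took, from dig +stats output."""
    result = {"reached": False, "server": None, "port": None,
              "family": None, "query_time_ms": None}
    m = SERVER_RE.search(text)
    if m is None:
        return result  # timeout or no SERVER line: nothing to classify
    addr = ipaddress.ip_address(m.group("addr").split("%")[0])  # drop any zone id
    result.update(reached=True, server=str(addr), port=int(m.group("port")),
                  family=f"IPv{addr.version}")
    q = QTIME_RE.search(text)
    if q is not None:
        result["query_time_ms"] = int(q.group("ms"))
    return result


def transport_summary(outputs):
    """Tally answered lookups per address family (ok/slow) and count failures."""
    summary = {"IPv4": {"ok": 0, "slow": 0}, "IPv6": {"ok": 0, "slow": 0}, "failed": 0}
    for out in outputs:
        r = parse_dig_stats(out)
        if not r["reached"]:
            summary["failed"] += 1
            continue
        slow = r["query_time_ms"] is not None and r["query_time_ms"] >= SLOW_MS
        summary[r["family"]]["slow" if slow else "ok"] += 1
    return summary


if __name__ == "__main__":
    print(transport_summary([SAMPLE_V4, SAMPLE_V6, SAMPLE_FAIL]))
```

Feed it the output of repeated `dig +stats` runs (with and without -6) to see whether lookups are actually answered over IPv4 and where the slow IPv6 attempts come from.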
When IPv6 connectivity becomes available, simply revert prefer-ipv6 to default (or set to yes) and adjust timeouts:
options {
    // "prefer-ipv6 yes" and "dual-stack-servers yes" are not valid statements:
    // restore IPv6 transport by starting named without -4, and give
    // dual-stack-servers a host list or leave it out.
    // 5000 is outside the permitted 10-30 s range and is clamped.
    resolver-query-timeout 5000;
};