Troubleshooting “network unreachable” DNS Resolution Errors in BIND/named on CentOS Servers


These logs indicate your BIND (named) DNS server is failing to reach various root and TLD DNS servers over IPv6. The error patterns show:

error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:48::1#53

The primary issues stem from:

  • IPv6 connectivity problems (all failing addresses are IPv6)
  • DNSSEC validation attempts (visible in DNSKEY queries)
  • Legacy DLV (DNSSEC Lookaside Validation) configurations

Your named.conf shows several problematic settings:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;  // Deprecated feature
allow-recursion { localnets; };

Option 1: Disable IPv6 resolution attempts

options {
    ...
    // Stop accepting queries over IPv6 on this host (inbound only)
    listen-on-v6 { none; };
    // Unrelated to IPv6: keeps named from using port 53 as the source port
    // for its own outbound UDP queries
    avoid-v4-udp-ports { 53; };
    // named.conf has no option for outbound transport; to stop named from
    // sending queries to IPv6 addresses, start it with the -4 flag
    // (OPTIONS="-4" in /etc/sysconfig/named on CentOS)
};

Option 2: Modern DNSSEC configuration

dnssec-enable yes;
dnssec-validation yes;
# Remove dnssec-lookaside completely
managed-keys-directory "/var/named/dynamic";

The log entries showing denied queries for 'adobe.com' suggest external probing attempts. Consider adding:

allow-recursion { 
    127.0.0.1;
    192.168.0.0/16;  // Adjust to match your internal network
};

After making changes, verify with:

# Check configuration syntax
named-checkconf

# Reload BIND
systemctl reload named

# Monitor new logs
tail -f /var/log/messages | grep named

For persistent issues, consider:

# Test IPv6 connectivity
ping6 2001:503:ba3e::2:30

# Check routing tables
ip -6 route show

# Verify firewall rules
ip6tables -L -n -v

The log entries show repeated "network unreachable" errors when BIND (named) attempts to resolve various DNS records through IPv6 addresses. The key characteristics are:

error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:60::29#53
error (network unreachable) resolving 'ns1.isc.ultradns.net/A/IN': 2001:7fd::1#53

This typically occurs when:

  • Your server has IPv6 configured but lacks proper IPv6 connectivity
  • BIND is configured to use IPv6 nameservers for DNSSEC validation
  • The DNS root hints or forwarders include IPv6 addresses

Your current named.conf shows several relevant settings:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

These indicate DNSSEC validation is active, which requires contacting various DNSSEC-aware servers, many of which have IPv6 addresses.

Option 1: Disable IPv6 in BIND

Modify your named.conf options section:

options {
    // ... existing options ...
    // Strips AAAA records from answers sent to IPv4 clients (only available when
    // BIND is built with filter-aaaa support); it does not stop named itself
    // from contacting upstream servers over IPv6
    filter-aaaa-on-v4 yes;
    avoid-v4-udp-ports { 53; };
    // To keep named off IPv6 transport entirely, start it with -4
    // (OPTIONS="-4" in /etc/sysconfig/named on CentOS)
};

Option 2: Proper IPv6 Network Configuration

Ensure IPv6 is properly configured if you want to support it:

# Check IPv6 connectivity
ping6 -c 4 2001:4860:4860::8888

# Verify routing
ip -6 route show

# Check DNS resolution
dig +short AAAA google.com

Option 3: Selective DNSSEC Configuration

Adjust DNSSEC settings if you don't require strict validation:

options {
    dnssec-validation no;
    dnssec-enable no;
};

The denied queries for adobe.com suggest possible DNS amplification attempts:

client 93.113.174.225#46368: query (cache) 'adobe.com/A/IN' denied

Consider adding rate limiting:

options {
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

After changes, verify with:

# Check named logs
tail -f /var/log/messages

# Test DNS resolution
dig @127.0.0.1 example.com +dnssec

# Check query statistics
rndc stats
cat /var/named/data/named_stats.txt
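The two diagnoses above (every unreachable upstream address is IPv6, and one external client is repeatedly refused recursion) can be checked mechanically instead of by eye. The following Python script is an added example written for this page, not code from BIND or from the original answers; it parses named log lines in the exact format quoted here, and the syslog prefixes and sample lines are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the format this page quotes (not captured from a real server).
SAMPLE_LOG = """\
Jan 10 12:00:01 ns1 named[1234]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Jan 10 12:00:02 ns1 named[1234]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:60::29#53
Jan 10 12:00:03 ns1 named[1234]: error (network unreachable) resolving 'ns1.isc.ultradns.net/A/IN': 2001:7fd::1#53
Jan 10 12:00:04 ns1 named[1234]: client 93.113.174.225#46368: query (cache) 'adobe.com/A/IN' denied
Jan 10 12:00:05 ns1 named[1234]: client 93.113.174.225#46369: query (cache) 'adobe.com/ANY/IN' denied
"""

UNREACH_RE = re.compile(r"error \(network unreachable\) resolving '(?P<q>[^']+)': (?P<addr>[^#]+)#\d+")
DENIED_RE = re.compile(r"client (?P<client>[^#]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied")

def analyse(log_text):
    """Tally named log lines into three Counters:
    unreachable_by_family: 'IPv6'/'IPv4' of each upstream address that was unreachable
    unreachable_queries:   query names whose resolution hit 'network unreachable'
    denied_by_client:      source IPs whose recursive (cache) queries were denied
    """
    result = {
        "unreachable_by_family": Counter(),
        "unreachable_queries": Counter(),
        "denied_by_client": Counter(),
    }
    for line in log_text.splitlines():
        m = UNREACH_RE.search(line)
        if m:
            version = ipaddress.ip_address(m.group("addr")).version
            result["unreachable_by_family"]["IPv6" if version == 6 else "IPv4"] += 1
            result["unreachable_queries"][m.group("q")] += 1
            continue
        m = DENIED_RE.search(line)
        if m:
            result["denied_by_client"][m.group("client")] += 1
    return result

def ipv6_only(result):
    """True when every unreachable upstream is IPv6 and none is IPv4: the signature
    of a host with IPv6 addresses configured but no working IPv6 route."""
    fam = result["unreachable_by_family"]
    return fam["IPv6"] > 0 and fam["IPv4"] == 0

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("unreachable by family:", dict(r["unreachable_by_family"]))
    print("IPv6-only pattern:", ipv6_only(r), "| denied clients:", dict(r["denied_by_client"]))
```

Run it against real output with `grep named /var/log/messages` piped into `analyse()`; if `ipv6_only()` is false because IPv4 upstreams also fail, the problem is not IPv6 routing and the `-4` flag will not help.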