Haha, do you like acronyms as much as I do? This article is about the feature from Palo Alto Networks’ Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router Advertisements with Recursive Domain Name System Server and Domain Name System Search List options. ;) I am showing how to use it and how Windows and Linux react to it.
I am using a PA-200 firewall with PAN-OS 8.0.3. The two features (RDNSS & DNSSL) are new since PAN-OS version 8.0 and are specified in RFC 6106, IPv6 Router Advertisement Options for DNS Configuration. (Shit, I just saw that it is already obsoleted by RFC 8106. Anyway…) Using router advertisements along with the RDNSS option allows an IPv6-only host to be operational without the need for stateless DHCPv6 to learn the DNS server. Great.
Windows & Linux Before RDNSS
Before I configured the option on the Palo Alto firewall I captured the network settings as well as a basic DNS request on a Windows 7 machine and an Ubuntu 16.04.2 LTS machine. Note that the DNS queries are sent via legacy IP (IPv4) since the DNS server was known through DHCPv4 only.
Windows:
C:\Users\weberjoh>ipconfig/all

Ethernet-Adapter LAN-Verbindung:

   Verbindungsspezifisches DNS-Suffix: webernetz.net
   Beschreibung. . . . . . . . . . . : Intel(R) PRO/1000 MT-Netzwerkverbindung
   Physikalische Adresse . . . . . . : 00-0C-29-C1-34-DC
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv6-Adresse. . . . . . . . . . . : 2003:51:6012:125:3c74:abbf:8d03:3688(Bevorzugt)
   Temporäre IPv6-Adresse. . . . . . : 2003:51:6012:125:a106:26a:9c02:a65b(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::3c74:abbf:8d03:3688%10(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.125.10(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Samstag, 17. Juni 2017 22:11:48
   Lease läuft ab. . . . . . . . . . : Donnerstag, 22. Juni 2017 10:11:51
   Standardgateway . . . . . . . . . : fe80::b60c:25ff:fe05:8e13%10
                                       192.168.125.1
   DHCP-Server . . . . . . . . . . . : 192.168.125.1
   DNS-Server  . . . . . . . . . . . : 192.168.120.22
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

C:\Users\weberjoh>
C:\Users\weberjoh>
C:\Users\weberjoh>nslookup weberblog.net
Server:  int-dns.webernetz.net
Address:  192.168.120.22

Nicht autorisierende Antwort:
Name:    weberblog.net
Addresses:  2a01:488:42:1000:50ed:8588:8a:c570
          5.35.226.136
Linux:
weberjoh@jw-vm03-Ubuntu-Test-1:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.120.22
search webernetz.net
weberjoh@jw-vm03-Ubuntu-Test-1:~$
weberjoh@jw-vm03-Ubuntu-Test-1:~$
weberjoh@jw-vm03-Ubuntu-Test-1:~$ dig weberblog.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> weberblog.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42994
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;weberblog.net.                 IN      A

;; ANSWER SECTION:
weberblog.net.          27344   IN      A       5.35.226.136

;; AUTHORITY SECTION:
webernetz.net.          113725  IN      NS      ns1.hans.hosteurope.de.
webernetz.net.          113725  IN      NS      ns2.hans.hosteurope.de.

;; Query time: 1 msec
;; SERVER: 192.168.120.22#53(192.168.120.22)
;; WHEN: Wed Jun 21 21:24:53 CEST 2017
;; MSG SIZE  rcvd: 117
Palo Alto IPv6 DNS Support
The RDNSS & DNSSL settings are, as always, configurable through the great GUI from Palo Alto Networks. They are at the network interfaces (in my case layer 3 subinterfaces) -> IPv6 -> DNS Support. Note that the “Enable Router Advertisement” checkbox on the “Router Advertisement” tab must be enabled, because otherwise no RAs would be sent at all. ;) And don’t forget to commit.
Here are my settings. I am using my BIND recursive DNS server along with a DNS suffix:
Capturing with Wireshark you can see the two new options within the RA:
(By the way: Note that PAN sends its “prefix information” with the IPv6 address of the interface rather than the mere prefix. In my case, it sends 2003:51:6012:125::1/64 rather than 2003:51:6012:125::/64. This is ok according to RFC 4861, section 4.6.2, though a bit irritating from my point of view. There is a short discussion about that on Twitter.)
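To make the two options less abstract, here is a small parser for the ICMPv6 Router Advertisement options that matter in this post: Prefix Information (type 3), RDNSS (type 25) and DNSSL (type 31). This is an added example written for this page, not code from Palo Alto Networks or from rdnssd, and the Router Advertisement it parses is constructed inline to mirror the capture described above (the prefix option carrying the interface address 2003:51:6012:125::1/64, one RDNSS server 2003:51:6012:120::a08:53, and the suffix webernetz.net). The ICMPv6 checksum is left at zero and the lifetimes are assumed values, because neither is on the page. The parser also masks the advertised prefix to its prefix length, which is what a host does with 2003:51:6012:125::1/64 per RFC 4861, and it treats a DNSSL option whose names are padded with trailing zero bytes correctly, as RFC 8106 requires. It is the kind of tool you would run over RAs captured on a segment to audit what DNS configuration your routers (and only your routers) are handing out.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3   # RFC 4861, section 4.6.2
OPT_RDNSS = 25        # RFC 8106, section 5.1
OPT_DNSSL = 31        # RFC 8106, section 5.2


def _decode_dns_names(data):
    """Decode consecutive DNS wire-format names (RFC 1035 labels, no compression).
    Zero bytes after the last name are DNSSL padding and are skipped."""
    names, labels, pos = [], [], 0
    while pos < len(data):
        length = data[pos]
        pos += 1
        if length == 0:
            if labels:                       # terminator of a name
                names.append(".".join(labels))
                labels = []
            continue                         # otherwise: padding
        if length > 63 or pos + length > len(data):
            raise ValueError("malformed DNS label")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    if labels:
        raise ValueError("truncated DNS name")
    return names


def _encode_dns_name(name):
    """Encode a domain name in DNS wire format (used only to build the sample RA)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def parse_router_advertisement(packet):
    """Parse an ICMPv6 RA (bytes, starting at the ICMPv6 type field) into a dict."""
    if len(packet) < 16 or packet[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, router_lifetime, _reachable, _retrans = struct.unpack("!BBHII", packet[4:16])
    ra = {"router_lifetime": router_lifetime,
          "managed": bool(flags & 0x80),       # M flag: stateful DHCPv6 for addresses
          "other_config": bool(flags & 0x40),  # O flag: stateless DHCPv6 for other info
          "prefixes": [], "rdnss": [], "dnssl": []}
    pos = 16
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len == 0:
            raise ValueError("option length 0")  # RFC 4861: such a packet MUST be discarded
        size = opt_len * 8                       # length field counts 8-octet units
        body = packet[pos + 2:pos + size]
        if len(body) != size - 2:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            addr = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({
                "advertised": f"{addr}/{plen}",                                   # as sent
                "prefix": str(ipaddress.IPv6Network((addr, plen), strict=False)),  # what hosts use
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif opt_type == OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]   # 0 means: stop using these servers
            addrs = body[6:]
            if not addrs or len(addrs) % 16:
                raise ValueError("bad RDNSS length")
            for i in range(0, len(addrs), 16):
                ra["rdnss"].append({"address": str(ipaddress.IPv6Address(addrs[i:i + 16])),
                                    "lifetime": lifetime})
        elif opt_type == OPT_DNSSL:
            lifetime = struct.unpack("!I", body[2:6])[0]
            for name in _decode_dns_names(body[6:]):
                ra["dnssl"].append({"name": name, "lifetime": lifetime})
        # other options (source link-layer address, MTU, ...) are skipped
        pos += size
    return ra


def build_sample_ra():
    """Constructed RA resembling the one described in the post (checksum 0, lifetimes assumed)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x00, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0) \
        + ipaddress.IPv6Address("2003:51:6012:125::1").packed      # interface address, not bare prefix
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1200) \
        + ipaddress.IPv6Address("2003:51:6012:120::a08:53").packed
    names = _encode_dns_name("webernetz.net")
    names += b"\x00" * (-len(names) % 8)                            # pad to a multiple of 8 octets
    dnssl = struct.pack("!BBHI", OPT_DNSSL, 1 + len(names) // 8, 0, 1200) + names
    return hdr + pio + rdnss + dnssl


if __name__ == "__main__":
    import json
    print(json.dumps(parse_router_advertisement(build_sample_ra()), indent=2))
```

Feed it the ICMPv6 payload of a real RA from a capture and the output tells you at a glance whether the RA carries RDNSS/DNSSL, with which lifetimes, and whether the M/O flags also point clients at DHCPv6; a lifetime of zero in RDNSS is the router's way of withdrawing a server, which is worth watching for when you troubleshoot a client that suddenly "forgets" its IPv6 resolver.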
Windows & Linux with RDNSS
I gathered the same information as before from Windows and Linux. Disillusion: Nothing changed. Neither Windows nor Linux is using the RDNSS/DNSSL options. ;( What a mess. It’s such a great option which could eliminate the need for a stateless DHCPv6 server. A short discussion about Windows support for RDNSS is here.
At least for Linux, I found a really simple way to use it though: rdnssd – IPv6 Recursive DNS Server discovery Daemon. After installing it (sudo apt-get install rdnssd) the Ubuntu machine learned and used the IPv6-enabled DNS server:
weberjoh@jw-vm03-Ubuntu-Test-1:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 2003:51:6012:120::a08:53
nameserver 192.168.120.22
search webernetz.net
weberjoh@jw-vm03-Ubuntu-Test-1:~$
weberjoh@jw-vm03-Ubuntu-Test-1:~$
weberjoh@jw-vm03-Ubuntu-Test-1:~$ dig weberblog.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> weberblog.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56056
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;weberblog.net.                 IN      A

;; ANSWER SECTION:
weberblog.net.          24662   IN      A       5.35.226.136

;; AUTHORITY SECTION:
webernetz.net.          111043  IN      NS      ns1.hans.hosteurope.de.
webernetz.net.          111043  IN      NS      ns2.hans.hosteurope.de.

;; Query time: 1 msec
;; SERVER: 2003:51:6012:120::a08:53#53(2003:51:6012:120::a08:53)
;; WHEN: Wed Jun 21 22:09:35 CEST 2017
;; MSG SIZE  rcvd: 117
Yeah. ;)
Conclusion
One more time I am happy that Palo Alto Networks really enhances its platform and its IPv6 support with every new PAN-OS version. RDNSS is only one of many points. However, as long as Microsoft does not use this feature, customers will need a stateless DHCPv6 server for delivering the DNS server to the clients. But a DHCPv6 server is still missing on Palo Alto firewalls. ;(
Featured image: “Outdoor Bücher” by Robert Agthe is licensed under CC BY 2.0.
Good article! If I am not mistaken, Windows 10 will support RDNSS with one of the creator updates (or already does, not sure).