Disable IPv6 lookups with Bind on RHEL or CentOS

Discovered during a recent project: Bind / Named was constantly spamming the logs about being unable to reach root servers. The logs revealed that we were talking about IPv6 addresses, and IPv6 was assumed to be disabled.

The less cool part was that in “/etc/named.conf” the following was commented out.

//      listen-on-v6 port 53 { ::1; };

It turns out that to disable the IPv6 lookups you have to edit “/etc/sysconfig/named” and set

OPTIONS="-4"

The option does the following:

Use IPv4 only even if the host machine is capable of IPv6. -4 and -6 are mutually exclusive.

You then run

service named restart

This serves the very practical purpose of not spamming the logs. My ISP has yet to enable IPv6 so it does me no good.

// CrashMAG
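
The edit and the log check described in the post, as an added shell example that is not part of the original post: `ensure_ipv4_only` adds `-4` to `OPTIONS` without dropping flags already set, and `count_v6_unreachable` counts IPv6 "network unreachable" lines so you can confirm they stop after the restart. The function names, the constructed sample files and the double-quoted `OPTIONS="..."` form are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OPTIONS is written
# double-quoted, as in the post. Try it on a copy of /etc/sysconfig/named first.

# ensure_ipv4_only FILE: add -4 to OPTIONS in FILE, keeping other flags.
# Fails if -6 is already there, since -4 and -6 are mutually exclusive.
ensure_ipv4_only() {
    file=$1
    if grep -q '^OPTIONS=[^"]' "$file"; then
        echo "OPTIONS is not double-quoted; edit by hand" >&2; return 1
    fi
    current=$(sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$file" | tail -n 1)
    case " $current " in
        *" -6 "*) echo "OPTIONS already has -6; not adding -4" >&2; return 1 ;;
        *" -4 "*) return 0 ;;   # already IPv4-only, leave the file untouched
    esac
    tmp=$(mktemp) || return 1
    # Drop the old OPTIONS line(s), then append the merged one.
    grep -v '^OPTIONS=' "$file" > "$tmp" || true
    printf 'OPTIONS="-4%s"\n' "${current:+ $current}" >> "$tmp"
    # Write back in place so owner, mode and SELinux context are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# count_v6_unreachable LOG: count resolver errors whose target is IPv6
# (an address containing ':' directly before '#53').
count_v6_unreachable() {
    grep -c 'network unreachable.*resolving .*: [0-9A-Fa-f:]*:[0-9A-Fa-f:]*#53' "$1" || true
}

# demo: run both functions against constructed sample files in a temp dir.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'OPTIONS="-u named"' > "$dir/named"
    cat > "$dir/messages" <<'EOF'
Nov 22 11:02:18 host named[6968]: network unreachable resolving 'example.com/MX/IN': 2001:db8::53#53
Nov 22 11:02:19 host named[6968]: network unreachable resolving 'example.com/A/IN': 192.0.2.1#53
EOF
    ensure_ipv4_only "$dir/named" && cat "$dir/named"
    echo "IPv6 unreachable lines: $(count_v6_unreachable "$dir/messages")"
    rm -rf "$dir"
}
demo
```

Restart named after the edit, then run the count against the lines logged since the restart.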

11 thoughts on “Disable IPv6 lookups with Bind on RHEL or CentOS”

  1. No


    Nov 22 11:02:18 xxxxx named[6968]: network unreachable resolving 'clipping-path.dk/MX/IN': 2001:678:78:42:ad::53#53
    Nov 22 11:02:18 xxxxx named[6968]: network unreachable resolving 'clipping-path.dk/MX/IN': 2001:7f8:1f::1835:242:0#53

    log entries any more!

    thanks… 🙂

  2. Hi CrashMag,

    Can’t thank you enough for this.

    I’ve been going nuts trying to figure out how to disable IPV6 lookups!

    I felt just like Daniel did!

    Adding -4 Option to my /etc/sysconfig/named and bouncing named helped!

    For anyone wondering about this working on RHEL/CENTOS 7:
    It does. (“#systemctl restart named” does the trick after changing the named file.)

    But thank you!
    Jay

  3. That’s just the wrong way of doing it.

    The right way is to:

    1. listen-on-v6 { none; };
    2. controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { YOURKEYHERE; }; };

    The warnings you see in the logs are the default control channel trying to bind to IPv6 even if the IPv6 stack is not present. Restricting the control channel explicitly to IPv4 only takes care of the issue.
    That’s all. No need to play with switches you’d forget to put back in order after five years.

  4. For me on my Raspberry Pi with Raspbian it doesn’t work.

    I tried changing the switch in /etc/default/bind9 to “-4 -u bind”.

    I also added to “/etc/bind/named.conf.local”:
    controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { MyKeyName }; };

    The problem is, I still got error messages regarding IPv6 resolving like:
    error (network unreachable) resolving ‘atalante.stanford.edu/A/IN’: 2001:500:3::42#53
