When I run dig @fdaa::3 a myservice.internal, I get an
dig aaaa myservice.internal gives me an IPv6 address, as expected.
Should the DNS server be returning NOERROR instead of NXDOMAIN for A queries? My understanding from some quick reading is that DNS servers should only return NXDOMAIN if there are no records for that resource (like in this vulnerability).
I noticed this because I’m trying to set fdaa:3 as a resolver for nginx, and I think nginx is interpreting the NXDOMAIN response for its A query as “this domain doesn’t exist, give up now” and so it’s failing to resolve the domain even though there’s an IPv6 record available.
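
Added example, not part of the original post: a Python sketch that classifies DNS responses as NXDOMAIN, NODATA (NOERROR with an empty answer section, per RFC 2308) or ANSWER, and flags a name that gets NXDOMAIN for one record type while another type returns data. The response bytes, the fdaa::2 address and all function names are constructed for illustration.

```python
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28}

def encode_name(name):
    # DNS wire format: length-prefixed labels, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, qtype, rcode, rdata=None):
    """Construct a minimal DNS response (sample data, not captured traffic)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1; low 4 bits carry the RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rdata else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if rdata:
        # Answer RR: compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE[qtype], 1, 60, len(rdata)) + rdata
    return msg

def classify(msg):
    """Return NXDOMAIN, NODATA, ANSWER or RCODE<n> from the 12-byte header."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        return "ANSWER" if ancount else "NODATA"
    return f"RCODE{rcode}"

def inconsistent_types(responses):
    """Record types answered NXDOMAIN although another type returned data."""
    kinds = {qtype: classify(msg) for qtype, msg in responses.items()}
    if "ANSWER" in kinds.values():
        return sorted(t for t, k in kinds.items() if k == "NXDOMAIN")
    return []

NAME = "myservice.internal"
AAAA_RDATA = ipaddress.ip_address("fdaa::2").packed  # constructed address

# Behaviour described in the post: NXDOMAIN for A, data for AAAA
OBSERVED = {"A": build_response(NAME, "A", 3),
            "AAAA": build_response(NAME, "AAAA", 0, AAAA_RDATA)}
# Behaviour the post argues for: NOERROR with no answers (NODATA) for A
EXPECTED = {"A": build_response(NAME, "A", 0),
            "AAAA": build_response(NAME, "AAAA", 0, AAAA_RDATA)}

if __name__ == "__main__":
    print("observed:", inconsistent_types(OBSERVED))
    print("expected:", inconsistent_types(EXPECTED))
```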