How to force DNS return AAAA record?
-
The Hurricane Electric DNS server is on the Google IPv6 whitelist. The public Google DNS servers are not.
-
When you run nslookup in Windows it will ask for an A record and, if it finds one, it will return the result. If it doesn't find an A record it will try AAAA and, if it finds one, it will return that result.
To force nslookup to look for an AAAA record you have to tell it: "nslookup -type=aaaa www.google.com"
Your browser, however, will generally prefer IPv6 if it finds a valid IPv6 link to the Internet. Windows File Explorer will also prefer talking to Windows shares over IPv6 (in Windows 7 / Windows 2008 at least).
So the reason why ipv6.google.com resolves automatically to an AAAA record is because it doesn't have an A record.
If you use Firefox, you can install a plugin that will show you the IP address of the server you are reaching, and you'll see that when you have dual DNS records Firefox will prefer IPv6.
Edit: This is strange though; I've looked on many DNS servers and www.google.com doesn't have an AAAA record. It seems that he.net did a trick to resolve that domain to an IPv6 address. Even the 8.8.8.8 Google DNS server doesn't have an AAAA record for their main domain. I would suggest doing your tests with "he.net"; they have dual records published on all DNS servers around the world.
Hi,
I am pretty sure that the he.net DNS can return both AAAA and A records for www.google.com. I tried removing all DNS servers except the he.net DNS and executing nslookup; one AAAA record with several A records was returned.
But 8.8.8.8 only returns A records.
Yes, I know the latest Windows and Firefox prefer IPv6 addresses, but I have installed the Flagfox plugin for Firefox and I found that www.google.com and plus.google.com and so on are still in the IPv4 state. So I think pfSense queries all DNS servers simultaneously and returns the first response. This is not what I want. I want to change it to query all DNS servers one by one. This behavior can be changed in m0n0wall, but it seems pfSense lacks this option. -
Change line 1294 of /etc/inc/services.inc.
mwexec_bg("/usr/local/sbin/dnsmasq --local-ttl 1 --all-servers {$dns_rebind} --dns-forward-max=5000 --cache-size=10000 {$args}");
Remove the --all-servers argument.
-
hi,
Thanks for your help. However, I tried your method but nslookup still returns nothing for AAAA records:

bear:~ bear$ nslookup -type=aaaa www.facebook.com
Server: 10.0.0.253
Address: 10.0.0.253#53

Non-authoritative answer:
*** Can't find www.facebook.com: No answer

Authoritative answers can be found from:

bear:~ bear$ nslookup -type=aaaa www.google.com
Server: 10.0.0.253
Address: 10.0.0.253#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.

Authoritative answers can be found from:
l.google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 1461834
refresh = 900
retry = 900
expire = 1800
minimum = 60

bear:~ bear$ nslookup -type=aaaa www.google.com
Server: 10.0.0.253
Address: 10.0.0.253#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.

Authoritative answers can be found from:

bear:~ bear$

As you can see, nslookup sometimes returns an authoritative server, but sometimes it returns nothing. This situation is just the same as before.
Furthermore, if I remove 8.8.8.8 from the DNS list (the DNS list is "2001:470:20::2" and "74.82.42.42", both of them he.net anycast DNS IP addresses), the AAAA response CAN be obtained; nslookup returns me the correct AAAA record.
According to these phenomena, I think that although I removed the "--all-servers" argument, DNS Forwarder still queries all DNS servers and returns the first response.
BTW: Just out of curiosity, why can't the Google Public DNS server return correct AAAA records for the Google website? This is so interesting.
-
Did you make sure to restart the dnsmasq process? I think it is shown on the Services menu. You can also flush the DNS on Windows with ipconfig /flushdns.
Google has stated explicitly that these will not respond with IPv6 addresses. I do believe that they are working with OpenDNS servers, but I am not sure.
-
I have not only restarted the dnsmasq service, but also restarted my computer; nothing changed.
:-( -
I think you're hitting a limit of the old nslookup code. Use host and/or dig.
(All of these answers were obtained from my DNS forwarder on pfSense, from a client behind it. The DNS servers configured are also 8.8.8.8/8.8.4.4/he.net's v6 server.)

$ host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 74.125.73.103
www.l.google.com has address 74.125.73.99
www.l.google.com has address 74.125.73.147
www.l.google.com has address 74.125.73.106
www.l.google.com has address 74.125.73.105
www.l.google.com has address 74.125.73.104
www.l.google.com has IPv6 address 2607:f8b0:4001:c01::93

$ host -t aaaa www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has IPv6 address 2607:f8b0:4001:c01::93

But if I try with nslookup:

$ nslookup -type=aaaa www.google.com
Server: 192.168.20.1
Address: 192.168.20.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.

Authoritative answers can be found from:

And with dig:

$ dig www.google.com

; <<>> DiG 9.6.3 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12821
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 85265 IN CNAME www.l.google.com.
www.l.google.com. 20 IN A 74.125.73.99
www.l.google.com. 20 IN A 74.125.73.147
www.l.google.com. 20 IN A 74.125.73.106
www.l.google.com. 20 IN A 74.125.73.105
www.l.google.com. 20 IN A 74.125.73.104
www.l.google.com. 20 IN A 74.125.73.103

$ dig aaaa www.google.com

; <<>> DiG 9.6.3 <<>> aaaa www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57168
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN AAAA

;; ANSWER SECTION:
www.google.com. 86353 IN CNAME www.l.google.com.
www.l.google.com. 31 IN AAAA 2607:f8b0:4001:c01::93
-
Not sure what is meant by the limitation of old nslookup code?
From my pfSense box:

[2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(9): nslookup
server 2001:470:20::2
Default server: 2001:470:20::2
Address: 2001:470:20::2#53
set type=AAAA
www.google.com
Server: 2001:470:20::2
Address: 2001:470:20::2#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
www.l.google.com has AAAA address 2607:f8b0:4001:c01::93

Authoritative answers can be found from:

Clearly if I ask a nameserver that is on the whitelist for Google, i.e. the he.net DNS, then it returns the AAAA just fine.
Now I run unbound as my resolver on pfSense, and no AAAA is returned:

[2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(10): nslookup
set type=AAAA
www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.

Authoritative answers can be found from:
l.google.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 1462047
refresh = 900
retry = 900
expire = 1800
minimum = 60 -
I meant there may be some quirk in nslookup because, last I knew, it wasn't actively maintained the way dig/host were. They may "do the right thing" where nslookup may not. Does it work with host or dig?
-
No, why should it? A AAAA query is a AAAA query; why would dig or host do it differently?
The problem with his example is that AAAA records are only returned for queries from whitelisted resolvers for www.google.com, from my understanding.
I would suggest you play with a more open domain.
So, to make it work on my network (which I really have no use for; I couldn't care less if I access www.google.com via IPv6, and if I wanted to I would just resolve ipv6.google.com):

ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:snipped:b85::2 --> 2607:f8b0:4001:c01::63
16 bytes from 2607:f8b0:4001:c01::63, icmp_seq=0 hlim=57 time=44.368 ms
16 bytes from 2607:f8b0:4001:c01::63, icmp_seq=1 hlim=57 time=45.041 ms

So as you saw, my local resolver, which is not on the whitelist, cannot resolve AAAA for www.google.com, but the he DNS can, so if I set up a specific forwarder for that domain in unbound then it works just fine.

[2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(17): nslookup
set querytype=AAAA
www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
www.l.google.com has AAAA address 2607:f8b0:4001:c01::93

I just set up

forward-zone:
    name: "google.com"
    forward-addr: 2001:470:20::2

in my unbound config.
Now if I do ping6 for www.google.com it works:

ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:470:snipped:b85::2 --> 2607:f8b0:4001:c01::93
16 bytes from 2607:f8b0:4001:c01::93, icmp_seq=0 hlim=57 time=45.424 ms
16 bytes from 2607:f8b0:4001:c01::93, icmp_seq=1 hlim=57 time=44.976 ms

If I remove that forwarder, it doesn't work again:

ping6 www.google.com
ping6: Non-recoverable failure in name resolution

nslookup
set querytype=AAAA
www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.

Authoritative answers can be found from:
l.google.com
origin = ns2.google.com
mail addr = dns-admin.google.com
serial = 1462050
refresh = 900
retry = 900
expire = 1800
minimum = 60

I would love to help the OP fix whatever it is he is trying to fix, but I'm a bit confused as to what he wants exactly. From my understanding you cannot query www.google.com AAAA unless you're on a whitelist like the he DNS. If that is what you're using for your DNS, then yeah, www.google.com should return AAAA for you, if that is what you query for.
-
I only mentioned that because I saw a difference in behavior there. When I used dig/host I got a AAAA reply. When I used nslookup I did not. Plus I've been hearing for years that nslookup is deprecated, and dig/host are preferred.
It may have been the luck of the draw as to which of my name servers got the query back first.
-
FYI-
http://cr.yp.to/djbdns/nslookup.html
http://homepages.tesco.net/J.deBoynePollard/FGA/nslookup-flaws.html
http://veggiechinese.net/nslookup_sucks.txt -
OK, not understanding what those flaws or bugs have to do with trying to do AAAA from a server that is not on a whitelist for such a query?
Also, that first link about SOA and com is not really valid; it sure looks to be working for me:

nslookup
server m.gtld-servers.net
Default server: m.gtld-servers.net
Address: 192.55.83.30#53
set querytype=soa
com.
Server: m.gtld-servers.net
Address: 192.55.83.30#53

com
origin = a.gtld-servers.net
mail addr = nstld.verisign-grs.com
serial = 1315847841
refresh = 1800
retry = 900
expire = 604800
minimum = 86400

Returns the same as a dig:

dig @m.gtld-servers.net com. soa +short
a.gtld-servers.net. nstld.verisign-grs.com. 1315848068 1800 900 604800 86400

All programs have their little quirks, but a query is a query, is it not? Are you saying that nslookup does not do a standard AAAA query?
If I direct any query to a server that is whitelisted, or query AAAA for www.google.com, then it works, be it nslookup or dig.
So if I just do a dig for www.google.com it does not respond with AAAA even if directed at the he DNS:

; <<>> DiG 9.6.2-P2 <<>> @2001:470:20::2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38203
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 86337 IN CNAME www.l.google.com.
www.l.google.com. 293 IN A 74.125.225.82
www.l.google.com. 293 IN A 74.125.225.81
www.l.google.com. 293 IN A 74.125.225.80
www.l.google.com. 293 IN A 74.125.225.84
www.l.google.com. 293 IN A 74.125.225.83

;; Query time: 37 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Mon Sep 12 12:28:12 2011
;; MSG SIZE rcvd: 132

But if I tell it any or AAAA then sure it does:

; <<>> DiG 9.6.2-P2 <<>> @2001:470:20::2 www.google.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52243
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN ANY

;; ANSWER SECTION:
www.google.com. 84639 IN CNAME www.l.google.com.
www.l.google.com. 77 IN AAAA 2607:f8b0:4001:c01::63
www.l.google.com. 114 IN A 74.125.225.84
www.l.google.com. 114 IN A 74.125.225.82
www.l.google.com. 114 IN A 74.125.225.81
www.l.google.com. 114 IN A 74.125.225.80
www.l.google.com. 114 IN A 74.125.225.83

;; Query time: 45 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Mon Sep 12 12:29:19 2011
;; MSG SIZE rcvd: 160

Same goes for nslookup:

nslookup
server 2001:470:20::2
Default server: 2001:470:20::2
Address: 2001:470:20::2#53
set querytype=any
www.google.com
Server: 2001:470:20::2
Address: 2001:470:20::2#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.225.83
Name: www.l.google.com
Address: 74.125.225.80
Name: www.l.google.com
Address: 74.125.225.81
Name: www.l.google.com
Address: 74.125.225.82
www.l.google.com has AAAA address 2607:f8b0:4001:c01::69
Name: www.l.google.com
Address: 74.125.225.84

I think we might have gotten off on the wrong foot?? I am just trying to figure out exactly what he wants to do, and nslookup works just fine for doing an ANY or AAAA query for www.google.com, as long as you query a server that is on the whitelist and can query for it and get a response.
That being said, it's not my tool of choice either; I like dig much better! But a query is a query; any tool should send a standard query when asked to do so. If it does not follow the standards of the protocol for doing a query, it's not going to get many answers at all.
-
I didn't say it had anything to do with that. I just observed differing behavior and knew nslookup to have flaws, and suggested another tool to better diagnose the issue.
-
hi,
I am running nslookup under Windows and I also tried "ping6", so I don't think this problem is caused by "nslookup". Unless I remove 8.8.8.8 from the DNS list, it never returns an AAAA record.

Without 8.8.8.8:

C:\Users\Bear>ping -6 google.com

Pinging google.com [2001:4860:4001:803::1014] with 32 bytes of data:
Reply from 2001:4860:4001:803::1014: time=527ms
Reply from 2001:4860:4001:803::1014: time=525ms
Reply from 2001:4860:4001:803::1014: time=532ms
Reply from 2001:4860:4001:803::1014: time=552ms

Ping statistics for 2001:4860:4001:803::1014:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 525ms, Maximum = 552ms, Average = 534ms

C:\Users\Bear>

After adding 8.8.8.8 to the DNS list:

C:\Users\Bear>ping -6 google.com
Ping request could not find host google.com. Please check the name and try again.

C:\Users\Bear>

I also pinged all DNS servers and tried to get the latency:

C:\Users\Bear>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=24ms TTL=51
Reply from 8.8.8.8: bytes=32 time=21ms TTL=51
Reply from 8.8.8.8: bytes=32 time=16ms TTL=51
Reply from 8.8.8.8: bytes=32 time=17ms TTL=51

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 24ms, Average = 19ms

C:\Users\Bear>ping 74.82.42.42

Pinging 74.82.42.42 with 32 bytes of data:
Request timed out.
Reply from 74.82.42.42: bytes=32 time=220ms TTL=53
Request timed out.
Request timed out.

Ping statistics for 74.82.42.42:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 220ms, Maximum = 220ms, Average = 220ms

C:\Users\Bear>ping 74.82.42.42

Pinging 74.82.42.42 with 32 bytes of data:
Request timed out.
Reply from 74.82.42.42: bytes=32 time=229ms TTL=53
Request timed out.
Reply from 74.82.42.42: bytes=32 time=206ms TTL=53

Ping statistics for 74.82.42.42:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 206ms, Maximum = 229ms, Average = 217ms

C:\Users\Bear>ping 2001:470:20::2

Pinging 2001:470:20::2 with 32 bytes of data:
Reply from 2001:470:20::2: time=353ms
Reply from 2001:470:20::2: time=365ms
Reply from 2001:470:20::2: time=361ms
Reply from 2001:470:20::2: time=356ms

Ping statistics for 2001:470:20::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 353ms, Maximum = 365ms, Average = 358ms

C:\Users\Bear>

As you can see, 8.8.8.8 is the fastest DNS server here. So I think pfSense would return the 8.8.8.8 response to clients, and 8.8.8.8 would never return an AAAA record. There is still another problem: more than half of the ICMP packets sent to 74.82.42.42 are lost. I have no idea why this happened.
BTW: I am in mainland China and I believe the so-called Great Firewall of China returns some faked DNS responses to me to block me from resolving some domains such as twitter.com, facebook.com, youtube.com and so on. The GFW returns me a faked DNS response with a random (maybe?) A record, and this response arrives at my computer before the true response. But the GFW takes no action on IPv6, so only a DNS server with an IPv6 address is trustworthy. So I want pfSense to prefer the IPv6 DNS server over the IPv4 DNS servers.
-
8.8.8.8 is not on the whitelist to return AAAA for google.com, so no, it's not going to work if you're using 8.8.8.8 as your recursive server, i.e. you ask it to resolve www.google.com for you.
Simple enough to test:

;; QUESTION SECTION:
;www.l.google.com. IN AAAA

;; AUTHORITY SECTION:
l.google.com. 600 IN SOA ns3.google.com. dns-admin.google.com. 1462338 900 900 1800 60

;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

Just leave the HE DNS as your only forwarders and you're fine.
As to why ICMP is lost to a DNS server: ICMP is the first thing dropped if busy. Just because a server does not respond to ICMP does not mean you're having actual packet loss. Also, it could just be that the response time from your location to the he DNS is exceeding the timeout; have you tried pinging with a larger timeout?

--- 74.82.42.42 ping statistics ---
31 packets transmitted, 31 received, 0% packet loss, time 30188ms
rtt min/avg/max/mdev = 10.448/14.427/45.133/7.284 ms

I am not showing any loss, but your response time is quite high. Yes, the he DNS is anycasted, but where are they in the world? From the FAQ, here are the current locations from where Google DNS does its queries:
http://code.google.com/speed/public-dns/faq.html#locations
If you want to only use DNS via your IPv6 tunnel, then just use the he DNS IPv6 address for your DNS server: 2001:470:20::2
If that is the only DNS server you put in for your forwarder you should be golden; you can resolve google.com to its IPv6 and, if as you say the China firewall does not mess with traffic inside your IPv6 tunnel, you should be able to resolve anything that way.
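To make the race described in the last two posts concrete, here is an added Python example (not from this thread, pfSense or dnsmasq): it builds two constructed replies to an AAAA query for www.google.com, one NODATA like the 8.8.8.8 dig output just shown and one carrying the he.net AAAA answer, parses both, and shows which one a client behind dnsmasq --all-servers ends up seeing. The latencies (19 ms and 358 ms) are the ping averages posted above, and the parser follows compression pointers so it also works on real replies captured off the wire.

```python
import socket
import struct

# Constructed model of the race this thread describes: dnsmasq --all-servers forwards a query to every
# upstream and keeps the first reply, so 8.8.8.8's fast NODATA (NOERROR, empty answer, SOA in authority)
# beats he.net's slower AAAA answer. Latencies and records are taken from the thread, not measured here.
TYPE_CNAME, TYPE_SOA, TYPE_AAAA = 5, 6, 28

def encode_name(name):
    # Uncompressed wire-format name: www.google.com -> 3www 6google 3com 0
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(txid, qname, qtype, answers=(), authority=()):
    """Reply with QR/RD/RA set; records are (owner, type, ttl, rdata) tuples, written uncompressed."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def read_name(data, off):
    """Decode a name at off, following RFC 1035 compression pointers (real resolvers emit them)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # 2-byte pointer: remember where it ends, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(data):
    """Return rcode, section counts, CNAME/AAAA answers and whether the reply is NODATA."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question (name + type + class)
        off = read_name(data, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_AAAA:
            records.append((owner, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        elif rtype == TYPE_CNAME:
            records.append((owner, "CNAME", read_name(data, off - rdlen)[0]))
    rcode = flags & 0xF  # NOERROR with an empty answer section is what nslookup prints as "No answer"
    return {"rcode": rcode, "ancount": an, "nscount": ns, "records": records, "nodata": rcode == 0 and an == 0}

def first_reply_wins(replies):
    # What a client behind dnsmasq --all-servers sees: replies are (latency_ms, server, wire bytes)
    latency, server, data = min(replies, key=lambda r: r[0])
    return server, latency, parse_response(data)

# Constructed replies to "www.google.com IN AAAA", mirroring the dig output quoted in the thread
SOA_RDATA = encode_name("ns3.google.com") + encode_name("dns-admin.google.com") + struct.pack("!5I", 1462338, 900, 900, 1800, 60)
GOOGLE_NODATA = build_response(0x1234, "www.google.com", TYPE_AAAA, authority=[("l.google.com", TYPE_SOA, 600, SOA_RDATA)])
HENET_AAAA = build_response(0x1234, "www.google.com", TYPE_AAAA, answers=[
    ("www.google.com", TYPE_CNAME, 86353, encode_name("www.l.google.com")),
    ("www.l.google.com", TYPE_AAAA, 31, socket.inet_pton(socket.AF_INET6, "2607:f8b0:4001:c01::93"))])
REPLIES = [(19, "8.8.8.8", GOOGLE_NODATA), (358, "2001:470:20::2", HENET_AAAA)]  # ping averages from the thread
```

A reply with rcode 0 and an empty answer section is a valid NODATA answer rather than a failure, so the forwarder has no reason to wait for the slower server; that is why removing 8.8.8.8 from the forwarders, or forwarding google.com only to he.net as shown earlier, is what changes the result.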
-
hi,
Just leaving the IPv6 DNS server in the DNS list is impossible. As I am a dynamic IP user and I use the HE.net tunnel broker to establish an IPv6 tunnel, I have to update my tunnel endpoint first. Without an IPv4 DNS server, this is impossible to complete. :( -
How is that?? You create the tunnel with an IP! DNS has nothing to do with establishing the tunnel.
-
If your IP changes you have to look up ipv4.tunnelbroker.net and push an update to their server that reconnects the IPv6 tunnel. Until your IPv6 tunnel comes back up you cannot reach an IPv6 DNS server. Chicken-and-egg problem.
Anyone tried using unbound and letting it talk to the roots? Does that work around this?
-
I use unbound to talk to the roots, but it is not on the whitelist.
If your IP is changing that often, and you need to change your IP on ipv4.tunnelbroker.net, how about just putting in a HOST entry for that??
You sure as hell do not need DNS to resolve 1 host. What now, you're going to say the IP for ipv4.tunnelbroker.net is changing? ;)