Netgate Discussion Forum
    How to force DNS return AAAA record?

    IPv6
johnpoz (LAYER 8 Global Moderator)

Not sure what you meant by the limitation of old nslookup code?

From my pfSense box:

      [2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(9): nslookup

      server 2001:470:20::2
      Default server: 2001:470:20::2
      Address: 2001:470:20::2#53
      set type=AAAA
      www.google.com
      Server:        2001:470:20::2
      Address:        2001:470:20::2#53

      Non-authoritative answer:
      www.google.com  canonical name = www.l.google.com.
      www.l.google.com        has AAAA address 2607:f8b0:4001:c01::93

      Authoritative answers can be found from:

Clearly, if I ask a nameserver that is on the whitelist for Google, i.e. the HE.net DNS, then it returns the AAAA just fine.

Now, I run unbound as my resolver on pfSense, and no, the AAAA is not returned:

      [2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(10): nslookup

      set type=AAAA
      www.google.com
      Server:        127.0.0.1
      Address:        127.0.0.1#53

      Non-authoritative answer:
      www.google.com  canonical name = www.l.google.com.

      Authoritative answers can be found from:
      l.google.com
              origin = ns1.google.com
              mail addr = dns-admin.google.com
              serial = 1462047
              refresh = 900
              retry = 900
              expire = 1800
              minimum = 60

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

jimp (Rebel Alliance Developer, Netgate)

        I meant there may be some quirk in nslookup because last I knew it wasn't actively maintained the way dig/host were. They may "do the right thing" where nslookup may not. Does it work with host or dig?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

johnpoz (LAYER 8 Global Moderator)

No, why should it? An AAAA query is an AAAA query; why would dig or host do it differently?

The problem with his example is that AAAA records for www.google.com are only returned for queries from whitelisted resolvers, from my understanding.

I would suggest you play with a more open domain.

So that it would work on my network, which I really have no use for (I couldn't care less if I access www.google.com via IPv6; if I wanted to, I would just resolve ipv6.google.com):

          ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:snipped:b85::2 --> 2607:f8b0:4001:c01::63
          16 bytes from 2607:f8b0:4001:c01::63, icmp_seq=0 hlim=57 time=44.368 ms
          16 bytes from 2607:f8b0:4001:c01::63, icmp_seq=1 hlim=57 time=45.041 ms

So as you saw, my local resolver, which is not on the whitelist, can not resolve AAAA for www.google.com, but the HE DNS can, so if I set up a specific forwarder for that domain in unbound then it works just fine.

          [2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(17): nslookup

          set querytype=AAAA
          www.google.com
          Server:        127.0.0.1
          Address:        127.0.0.1#53

          Non-authoritative answer:
          www.google.com  canonical name = www.l.google.com.
          www.l.google.com        has AAAA address 2607:f8b0:4001:c01::93

I just set up

forward-zone:
    name: "google.com"
    forward-addr: 2001:470:20::2

in my unbound config.

Now if I do ping6 for www.google.com it works:
          ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:470:snipped:b85::2 --> 2607:f8b0:4001:c01::93
          16 bytes from 2607:f8b0:4001:c01::93, icmp_seq=0 hlim=57 time=45.424 ms
          16 bytes from 2607:f8b0:4001:c01::93, icmp_seq=1 hlim=57 time=44.976 ms

If I remove that forwarder, it doesn't work again:

          ping6 www.google.com
          ping6: Non-recoverable failure in name resolution

          nslookup

          set querytype=AAAA
          www.google.com
          Server:        127.0.0.1
          Address:        127.0.0.1#53

          Non-authoritative answer:
          www.google.com  canonical name = www.l.google.com.

          Authoritative answers can be found from:
          l.google.com
                  origin = ns2.google.com
                  mail addr = dns-admin.google.com
                  serial = 1462050
                  refresh = 900
                  retry = 900
                  expire = 1800
                  minimum = 60

I would love to help the OP fix whatever it is he is trying to fix, but I'm a bit confused as to what he wants exactly. From my understanding you can not query www.google.com AAAA unless you're on a whitelist like the HE DNS. If that is what you're using for your DNS, then yeah, www.google.com should return AAAA for you, if that is what you query for.

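The post above shows the two outcomes that matter for this whole thread: a resolver on Google's whitelist answers the AAAA query, and a resolver that is not returns NOERROR with an empty answer section and only an SOA in the authority section (a NODATA reply, which nslookup prints as "Authoritative answers can be found from:"). The following is an added example, not code from the thread, pfSense or unbound: it builds the same AAAA query that dig and nslookup put on the wire (QTYPE 28, RD set) and parses and classifies a reply, so you can tell NODATA apart from NXDOMAIN or a real answer without guessing from tool output. The two sample replies are constructed by hand from the CNAME, AAAA and SOA values posted above (no name compression, AA bit not set, which is an assumption about the wire format and not a capture); nothing here touches the network.

```python
"""Added example (not from the thread, pfSense or unbound): build a DNS AAAA
query the way dig/nslookup do (QTYPE 28, RD=1) and classify a reply as ANSWER,
NODATA (NOERROR, empty answer section, SOA in the authority section) or
NXDOMAIN. Both sample replies are constructed from the values posted above."""
import socket
import struct
TYPE_NAME = {1: "A", 5: "CNAME", 6: "SOA", 28: "AAAA"}

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query, RD set, one question: what `dig NAME AAAA` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def encode_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(query, rcode, answers=(), authority=()):
    """Echo the query's ID and question, set QR/RD/RA, append the given RRs (constructed reply)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    return header + query[12:] + b"".join(answers) + b"".join(authority)

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rd, end = off + 10, off + 10 + rdlen
    if rtype == 28:
        val = socket.inet_ntop(socket.AF_INET6, msg[rd:end])
    elif rtype == 1:
        val = socket.inet_ntop(socket.AF_INET, msg[rd:end])
    elif rtype == 5:
        val, _ = decode_name(msg, rd)
    elif rtype == 6:                               # SOA: mname, rname, five uint32s
        mname, o = decode_name(msg, rd)
        rname, o = decode_name(msg, o)
        val = (mname, rname) + struct.unpack("!IIIII", msg[o:o + 20])
    else:
        val = msg[rd:end]
    return (name, TYPE_NAME.get(rtype, rtype), ttl, val), end

def parse_response(msg):
    """Return (txid, rcode, {"answer": [...], "authority": [...], "additional": [...]})."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        sections[key] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            sections[key].append(rr)
    return txid, flags & 0xF, sections

def classify(msg, wanted="AAAA"):
    """Did the resolver actually hand back the record type that was asked for?"""
    _, rcode, s = parse_response(msg)
    if rcode:
        return "NXDOMAIN" if rcode == 3 else "RCODE%d" % rcode
    if any(rr[1] == wanted for rr in s["answer"]):
        return "ANSWER"
    if any(rr[1] == "SOA" for rr in s["authority"]):
        return "NODATA"                            # name exists, no RR of that type
    return "EMPTY"

# Constructed sample traffic built from the values seen in the thread.
QUERY = build_query("www.google.com", 28)
CNAME = encode_rr("www.google.com", 5, 86337, encode_name("www.l.google.com"))
AAAA = encode_rr("www.l.google.com", 28, 293, socket.inet_pton(socket.AF_INET6, "2607:f8b0:4001:c01::93"))
SOA = encode_rr("l.google.com", 6, 600, encode_name("ns1.google.com") + encode_name("dns-admin.google.com")
                + struct.pack("!IIIII", 1462047, 900, 900, 1800, 60))
WHITELISTED_REPLY = build_response(QUERY, 0, [CNAME, AAAA])  # what the HE resolver returned
NODATA_REPLY = build_response(QUERY, 0, [CNAME], [SOA])      # what unbound / 8.8.8.8 returned
```

`classify(WHITELISTED_REPLY)` gives ANSWER and `classify(NODATA_REPLY)` gives NODATA, while asking the same NODATA reply for CNAME gives ANSWER: the name resolves, it simply has no AAAA for a non-whitelisted resolver. If you want to do the live check, send `QUERY` over UDP to port 53 of each upstream and feed the raw reply to `classify`; the point of the thread is that the verdict depends on which resolver you ask, not on which client tool you use.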
jimp (Rebel Alliance Developer, Netgate)

@johnpoz:

No, why should it? An AAAA query is an AAAA query; why would dig or host do it differently?

I only mentioned that because I saw a difference in behavior there. When I used dig/host I got an AAAA reply. When I used nslookup I did not. Plus I've been hearing for years that nslookup is deprecated, and dig/host are preferred.

            It may have been luck of the draw in which of my name servers got the query back first.

jimp (Rebel Alliance Developer, Netgate)

              FYI-
              http://cr.yp.to/djbdns/nslookup.html
              http://homepages.tesco.net/J.deBoynePollard/FGA/nslookup-flaws.html
              http://veggiechinese.net/nslookup_sucks.txt

johnpoz (LAYER 8 Global Moderator)

OK, not understanding what those flaws or bugs have to do with trying to do AAAA from a server that is not on a whitelist for such a query?

Also, that first link about SOA and com is not really valid;

sure looks to be working for me:

                nslookup

                server m.gtld-servers.net
                Default server: m.gtld-servers.net
                Address: 192.55.83.30#53
                set querytype=soa
                com.
                Server:        m.gtld-servers.net
                Address:        192.55.83.30#53

                com
                        origin = a.gtld-servers.net
                        mail addr = nstld.verisign-grs.com
                        serial = 1315847841
                        refresh = 1800
                        retry = 900
                        expire = 604800
                        minimum = 86400

Returns the same as a dig:

                dig @m.gtld-servers.net com. soa +short
                a.gtld-servers.net. nstld.verisign-grs.com. 1315848068 1800 900 604800 86400

All programs have their little quirks, but a query is a query, is it not? Are you saying that nslookup does not do a standard AAAA query?

If I direct an ANY query to a server that is whitelisted, or query AAAA for www.google.com, then it works, be it nslookup or dig.

So if I just do a dig for www.google.com it does not respond with AAAA, even if directed at the HE DNS:

                ; <<>> DiG 9.6.2-P2 <<>> @2001:470:20::2 www.google.com
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38203
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

                ;; QUESTION SECTION:
                ;www.google.com.                        IN      A

                ;; ANSWER SECTION:
                www.google.com.        86337  IN      CNAME  www.l.google.com.
                www.l.google.com.      293    IN      A      74.125.225.82
                www.l.google.com.      293    IN      A      74.125.225.81
                www.l.google.com.      293    IN      A      74.125.225.80
                www.l.google.com.      293    IN      A      74.125.225.84
                www.l.google.com.      293    IN      A      74.125.225.83

                ;; Query time: 37 msec
                ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
                ;; WHEN: Mon Sep 12 12:28:12 2011
                ;; MSG SIZE  rcvd: 132

But if I tell it ANY or AAAA, then sure it does:

                ; <<>> DiG 9.6.2-P2 <<>> @2001:470:20::2 www.google.com any
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52243
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

                ;; QUESTION SECTION:
                ;www.google.com.                        IN      ANY

                ;; ANSWER SECTION:
                www.google.com.        84639  IN      CNAME  www.l.google.com.
                www.l.google.com.      77      IN      AAAA    2607:f8b0:4001:c01::63
                www.l.google.com.      114    IN      A      74.125.225.84
                www.l.google.com.      114    IN      A      74.125.225.82
                www.l.google.com.      114    IN      A      74.125.225.81
                www.l.google.com.      114    IN      A      74.125.225.80
                www.l.google.com.      114    IN      A      74.125.225.83

                ;; Query time: 45 msec
                ;; SERVER: 2001:470:20::2#53(2001:470:20::2)
                ;; WHEN: Mon Sep 12 12:29:19 2011
                ;; MSG SIZE  rcvd: 160

Same goes for nslookup:

                nslookup

                server 2001:470:20::2
                Default server: 2001:470:20::2
                Address: 2001:470:20::2#53
                set querytype=any
                www.google.com
                Server:        2001:470:20::2
                Address:        2001:470:20::2#53

                Non-authoritative answer:
                www.google.com  canonical name = www.l.google.com.
                Name:  www.l.google.com
                Address: 74.125.225.83
                Name:  www.l.google.com
                Address: 74.125.225.80
                Name:  www.l.google.com
                Address: 74.125.225.81
                Name:  www.l.google.com
                Address: 74.125.225.82
                www.l.google.com        has AAAA address 2607:f8b0:4001:c01::69
                Name:  www.l.google.com
                Address: 74.125.225.84

I think we might have gotten off on the wrong foot? I am just trying to figure out exactly what he wants to do, and nslookup works just fine for doing an ANY or AAAA query for www.google.com, as long as you query a server that is on the whitelist and can query for it and get a response.

That being said, it's not my tool of choice either; I like dig much better! But a query is a query; any tool should send a standard query when asked to do so. If it does not follow the standards of the protocol for doing a query, it's not going to get many answers at all.

jimp (Rebel Alliance Developer, Netgate)

                  @johnpoz:

OK, not understanding what those flaws or bugs have to do with trying to do AAAA from a server that is not on a whitelist for such a query?
[…]
I think we might have gotten off on the wrong foot? I am just trying to figure out exactly what he wants to do, and nslookup works just fine for doing an ANY or AAAA query for www.google.com, as long as you query a server that is on the whitelist and can query for it and get a response.

That being said, it's not my tool of choice either; I like dig much better! But a query is a query; any tool should send a standard query when asked to do so. If it does not follow the standards of the protocol for doing a query, it's not going to get many answers at all.

                  I didn't say it had anything to do with that - I just observed differing behavior and knew nslookup to have flaws, and suggested another tool to better diagnose the issue.

jilingshu

Hi,
I am running nslookup under Windows and I also tried ping6, so I don't think this problem is caused by nslookup. Only if I removed 8.8.8.8 from the DNS list would it ever return an AAAA record.
Without 8.8.8.8:

                    C:\Users\Bear>ping -6 google.com

                    Pinging google.com [2001:4860:4001:803::1014] with 32 bytes of data:
                    Reply from 2001:4860:4001:803::1014: time=527ms
                    Reply from 2001:4860:4001:803::1014: time=525ms
                    Reply from 2001:4860:4001:803::1014: time=532ms
                    Reply from 2001:4860:4001:803::1014: time=552ms

                    Ping statistics for 2001:4860:4001:803::1014:
                        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                    Approximate round trip times in milli-seconds:
                        Minimum = 525ms, Maximum = 552ms, Average = 534ms

                    C:\Users\Bear>

After adding 8.8.8.8 to the DNS list:

                    C:\Users\Bear>ping -6 google.com
Ping request could not find host google.com. Please check the name and try again.

                    C:\Users\Bear>

I also pinged all the DNS servers and tried to get the latency:

                    C:\Users\Bear>ping 8.8.8.8

                    Pinging 8.8.8.8 with 32 bytes of data:
                    Reply from 8.8.8.8: bytes=32 time=24ms TTL=51
                    Reply from 8.8.8.8: bytes=32 time=21ms TTL=51
                    Reply from 8.8.8.8: bytes=32 time=16ms TTL=51
                    Reply from 8.8.8.8: bytes=32 time=17ms TTL=51

                    Ping statistics for 8.8.8.8:
                        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                    Approximate round trip times in milli-seconds:
                        Minimum = 16ms, Maximum = 24ms, Average = 19ms

                    C:\Users\Bear>ping 74.82.42.42

                    Pinging 74.82.42.42 with 32 bytes of data:
                    Request timed out.
                    Reply from 74.82.42.42: bytes=32 time=220ms TTL=53
                    Request timed out.
                    Request timed out.

                    Ping statistics for 74.82.42.42:
                        Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
                    Approximate round trip times in milli-seconds:
                        Minimum = 220ms, Maximum = 220ms, Average = 220ms

                    C:\Users\Bear>ping 74.82.42.42

                    Pinging 74.82.42.42 with 32 bytes of data:
                    Request timed out.
                    Reply from 74.82.42.42: bytes=32 time=229ms TTL=53
                    Request timed out.
                    Reply from 74.82.42.42: bytes=32 time=206ms TTL=53

                    Ping statistics for 74.82.42.42:
                        Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
                    Approximate round trip times in milli-seconds:
                        Minimum = 206ms, Maximum = 229ms, Average = 217ms

                    C:\Users\Bear>ping 2001:470:20::2

                    Pinging 2001:470:20::2 with 32 bytes of data:
                    Reply from 2001:470:20::2: time=353ms
                    Reply from 2001:470:20::2: time=365ms
                    Reply from 2001:470:20::2: time=361ms
                    Reply from 2001:470:20::2: time=356ms

                    Ping statistics for 2001:470:20::2:
                        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                    Approximate round trip times in milli-seconds:
                        Minimum = 353ms, Maximum = 365ms, Average = 358ms

                    C:\Users\Bear>

As you can see, 8.8.8.8 is the fastest DNS server here. So I think pfSense would return 8.8.8.8's response to clients, and 8.8.8.8 would never return an AAAA record. There is still another problem: more than half of the ICMP packets sent to 74.82.42.42 are lost. I have no idea why this happened.

BTW: I am in mainland China and I believe the so-called Great Firewall of China returns some faked DNS responses to me to block me from resolving some domains such as twitter.com, facebook.com, youtube.com and so on. The GFW returns a faked DNS response with a random (maybe?) A record, and this response arrives at my computer before the true response. But the GFW takes no action on IPv6, so only a DNS server with an IPv6 address is trustworthy. So I want pfSense to prefer the IPv6 DNS server over the IPv4 DNS servers.

johnpoz (LAYER 8 Global Moderator)

8.8.8.8 is not on the whitelist to return AAAA for google.com, so no, it's not going to work if you're using 8.8.8.8 as your recursive server, i.e. you ask it to resolve www.google.com for you.

Simple enough to test:

                      ;; QUESTION SECTION:
                      ;www.l.google.com.              IN      AAAA

                      ;; AUTHORITY SECTION:
                      l.google.com.          600    IN      SOA    ns3.google.com. dns-admin.google.com. 1462338 900 900 1800 60

                      ;; Query time: 69 msec
                      ;; SERVER: 8.8.8.8#53(8.8.8.8)

Just leave the HE DNS as your only forwarder and you're fine.

As to why ICMP is lost to a DNS server: ICMP is the first thing dropped if the server is busy. Just because a server does not respond to ICMP does not mean you're having actual packet loss. It could also be that the response time from your location to the HE DNS is exceeding the timeout; have you tried pinging with a larger timeout?

--- 74.82.42.42 ping statistics ---
31 packets transmitted, 31 received, 0% packet loss, time 30188ms
rtt min/avg/max/mdev = 10.448/14.427/45.133/7.284 ms

I am not showing any loss, but your response time is quite high. Yes, the HE DNS is anycasted, but where are they in the world? From the FAQ, here are the current locations from which Google DNS does its queries:

http://code.google.com/speed/public-dns/faq.html#locations

If you want to only use DNS via your IPv6 tunnel, then just use the HE DNS IPv6 address for your DNS server: 2001:470:20::2

If that is the only DNS server you put in for your forwarder you should be golden; you can resolve google.com to its IPv6 address and, if you say the China firewall does not mess with traffic inside your IPv6 tunnel, you should be able to resolve anything that way.

jilingshu

@johnpoz:

If you want to only use DNS via your IPv6 tunnel, then just use the HE DNS IPv6 address for your DNS server: 2001:470:20::2

If that is the only DNS server you put in for your forwarder you should be golden; you can resolve google.com to its IPv6 address and, if you say the China firewall does not mess with traffic inside your IPv6 tunnel, you should be able to resolve anything that way.

Hi,
Leaving only an IPv6 DNS server in the DNS list is impossible. Because I am a dynamic-IP user and I use the HE.net tunnel broker to establish an IPv6 tunnel, I have to update my tunnel endpoint first. Without an IPv4 DNS server, this is impossible to complete. :(

johnpoz (LAYER 8 Global Moderator)

How is that? You create the tunnel with an IP! DNS has nothing to do with establishing the tunnel.

jimp (Rebel Alliance Developer, Netgate)

                            @johnpoz:

How is that? You create the tunnel with an IP! DNS has nothing to do with establishing the tunnel.

                            If your IP changes you have to look up ipv4.tunnelbroker.net and push an update to their server that reconnects the IPv6 tunnel. Until your IPv6 tunnel comes back up you cannot reach an IPv6 DNS server. Chicken-and-egg problem.

                            Anyone tried using unbound and letting it talk to the roots? Does that work around this?

johnpoz (LAYER 8 Global Moderator)

I use unbound to talk to the roots, but it is not on the whitelist.

If your IP is changing that often, and you need to change your IP on ipv4.tunnelbroker.net, how about just putting in a HOST entry for that?

You sure as hell do not need DNS to resolve one host. What, now you're going to say the IP for ipv4.tunnelbroker.net is changing? ;)

databeestje

The resolvers at work direct queries to the root servers and that won't work. Unless the server that talks to the roots is on the whitelist it's a no-go.

I have a forwarder statement for BIND at work so that it uses the HE server for facebook, google, etc.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.