Netgate Discussion Forum

DNS Resolver - getting IPv6 results when there is no IPv6?

DHCP and DNS
    mmiller7
    last edited by Apr 1, 2020, 4:23 PM

    Not sure where this should go but I hope this is a good start.

    I'm using DNS Resolver on pfSense and I am noticing recently a few things that may be related. Sometimes when machines on my network (randomly, most of them at different times) try to resolve something (e.g. an FTP download link from a NASA website, most recently today), they're given an IPv6 address to try and connect to. Trouble is, my ISP doesn't do IPv6 and so pfSense obviously can't route anything to IPv6 and stuff fails.

    After a few tries, usually it will find an IPv4 address, find the server, connect, and everything is good.

    So, anyone know why this happens? Is there a way to force it to ONLY return IPv4 (and drop IPv6 records) for DNS lookups using DNS Resolver?

    For upstream DNS servers in pfSense, I'm using 1.1.1.1, 1.0.0.1, 8.8.8.8, and 8.8.4.4. I have noticed (and wrote a script to monitor it) that 1.1.1.1/1.0.0.1 have been unstable recently (unresponsive for a few minutes here and there) and I don't know if this may be related to my problems or not. I am also speculating (but have no idea how to prove it) that my ISP may be having peering issues the last week or so, due to some odd bandwidth issues with certain servers.

      mmiller7
      last edited by Apr 3, 2020, 12:37 PM

      Bump?

        JKnott @mmiller7
        last edited by Apr 3, 2020, 12:50 PM

        @mmiller7

        First off, it makes no difference if you use IPv4 or IPv6 to access a DNS server. Both will return the same info. Fire up Packet Capture to capture DNS requests. If you see both A and AAAA requests going out, then it indicates you have IPv6 enabled somewhere, beyond just link local. Likewise, devices on the LAN shouldn't be asking for AAAA records, unless they think IPv6 is available.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

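        The check suggested in the reply above (capture DNS traffic and see whether clients send AAAA queries at all) can be done on a pfSense Packet Capture download without opening Wireshark. The script below is an added example, not code from the thread, from pfSense or from Unbound: it reads a classic pcap with Ethernet/IPv4/UDP frames (what Packet Capture on a LAN interface saves), pulls out the client queries on port 53 and tallies the query types. Everything it runs on here is constructed inside the script (the host names, the 192.168.1.x addresses and the file argument are my own), so it works offline.

```python
"""Tally A vs AAAA client queries in a pfSense Packet Capture download.
Added example, not code from the thread. Reads a classic pcap with Ethernet/IPv4/UDP
frames (what Packet Capture on a LAN interface saves); the sample capture at the
bottom is constructed in code so the script runs offline."""
import struct
import sys
from collections import Counter

QTYPE_NAMES = {1: "A", 28: "AAAA", 5: "CNAME", 12: "PTR", 16: "TXT", 33: "SRV"}


def parse_question(payload):
    """(qname, qtype, is_response) for the first question of a DNS message.
    Question names in queries are never compressed, so pointers count as malformed."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        if off >= len(payload):
            raise ValueError("truncated name")
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(payload[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return ".".join(labels), qtype, bool(flags & 0x8000)


def dns_payloads_from_pcap(data):
    """Yield the UDP payload of every port-53 packet in classic pcap bytes."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8:
            continue
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if 53 in (sport, dport):
            yield udp[8:ulen]


def count_query_types(payloads):
    """Count qtypes over client queries (QR=0); responses are skipped."""
    counts = Counter()
    for p in payloads:
        try:
            _, qtype, is_response = parse_question(p)
        except ValueError:
            counts["malformed"] += 1
            continue
        if not is_response:
            counts[QTYPE_NAMES.get(qtype, str(qtype))] += 1
    return counts


# --- constructed sample input, not from the thread ----------------------------
def build_query(qname, qtype, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def build_sample_pcap(payloads):
    """Wrap payloads in Ethernet/IPv4/UDP frames (192.168.1.10 -> 192.168.1.1:53)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, p in enumerate(payloads):
        udp = struct.pack("!HHHH", 40000 + i, 53, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), i, 0, 64, 17, 0,
                         b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x01") + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SAMPLE = [build_query("cddis.nasa.gov", 1), build_query("cddis.nasa.gov", 28),
          build_query("www.google.com", 1), build_query("www.google.com", 28),
          build_query("nas.local.lan", 1)]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap(SAMPLE)
    for rtype, n in sorted(count_query_types(dns_payloads_from_pcap(data)).items()):
        print(f"{rtype:10s} {n}")
```

        Run it as `python3 count_qtypes.py capture.pcap` against a capture taken with the port filter set to 53 so the file stays small; without an argument it runs on the constructed sample. If tshark is available, `tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e ip.src -e dns.qry.type` gives the same breakdown per client, which is the quickest way to see which host is the one sending AAAA.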
          Gertjan
          last edited by Apr 3, 2020, 12:59 PM

          Hi,

          pfSense uses FreeBSD. Your PC is probably Windows or macOS.
          All these devices prefer IPv6, and if that isn't available, they fall back to IPv4.
          A worst-case scenario is what you see happening now: this switching over takes some time.

          Why are your devices asking for an AAAA record (the IPv6 result that comes back when that device asks to resolve forum.netgate.com)?
          You'll be surprised: because, by default, they prefer IPv6 over IPv4.
          So, you as the admin can stop that, for every device, and problem solved.
          How to shut down IPv6 on your Windows PC? That's one of the most asked questions on the Internet, so you'll find as many, identical, answers:

          [screenshot: login required to view]

          Remove that check before "IPv6 protocol", hit OK and it's game over for IPv6 on that device.
          Repeat these steps on every device, and your LAN(s) will be IPv6 free. No device will ask for an AAAA record anymore; it will be 'A' only (meaning: only IPv4).

          You could also remove this check in pfSense :

          [screenshot: login required to view]

          I never tested that option myself - but it might work ....

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            JKnott @Gertjan
            last edited by Apr 3, 2020, 1:20 PM

            @Gertjan said in DNS Resolver - getting IPv6 results when there is no IPv6?:

            I never tested that option myself - but it might work ....

            Will a device even request an AAAA record, if it doesn't have a valid IPv6 address, other than link local? When I've examined DNS with Wireshark or Packet Capture, I see separate A and AAAA requests. However, my network is fully IPv6 capable. I'd have to set up a test network to see what happens when only IPv4 is available.

              Gertjan @JKnott
              last edited by Apr 3, 2020, 1:25 PM

              @JKnott said in DNS Resolver - getting IPv6 results when there is no IPv6?:

              I'd have to set up a test network to see what happens when only IPv4 is available.

              That's what I was planning to do this evening @home ( fed up with Netflix, Youtube and classic TV channels right now ) ☺

                JKnott @Gertjan
                last edited by Apr 3, 2020, 1:54 PM

                @Gertjan

                I just tried a test network. Connected a D-Link WRT54GL to my 2nd cable modem port and an old notebook computer to it. I only see A requests going out. I also tried pinging ipv6.google.com, which does not have an IPv4 address and got back an unknown host message.

                I've been at home almost all the time, over the past couple of weeks, going out only to walk my dog or buy groceries. So, I have a lot of time to try things.

                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz Apr 3, 2020, 2:12 PM Apr 3, 2020, 2:06 PM

                  Devices, OSes, applications sure can ask for AAAA even when the device has no IPv6 address..

                  Example

                  [screenshot: login required to view]

                  My main PC there, i5-win.local.lan, has no active IPv6 address, and my nas.local.lan sure as hell does not..

                  But you can see queries from them for AAAA

                  While there are some devices on the network that do have IPv6.. They sure wouldn't make up for 7% of all queries ;)

                  [screenshot: login required to view]

                  I agree it's pretty freaking pointless to query for AAAA if you don't have an IPv6 address you could use to talk to it, but yeah, you will see them.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    JKnott @johnpoz
                    last edited by Apr 3, 2020, 2:15 PM

                    @johnpoz said in DNS Resolver - getting IPv6 results when there is no IPv6?:

                    Devices, Oses, Applications sure can ask for AAAA even when the device has no IPv6 address..

                    Well, I just used Wireshark on a computer running Linux. I pinged google.com, yahoo.com and ipv6.google.com. I didn't see any AAAA requests, only A. When I tried an IPv6 only host name, I got an unknown host message. What happens if you set up an IPv4 only network and watch with Wireshark? Also, do apps actually request IPv4 & IPv6 addresses? Or do they just request an address and use whatever comes back? I know the OS can be configured to prefer one or the other.

                      johnpoz LAYER 8 Global Moderator
                      last edited by johnpoz Apr 3, 2020, 2:32 PM Apr 3, 2020, 2:21 PM

                      Here look...

                      $ ipconfig /all
                      
                      Windows IP Configuration
                      
                         Host Name . . . . . . . . . . . . : i5-win
                         Primary Dns Suffix  . . . . . . . : local.lan
                         Node Type . . . . . . . . . . . . : Broadcast
                         IP Routing Enabled. . . . . . . . : No
                         WINS Proxy Enabled. . . . . . . . : No
                         DNS Suffix Search List. . . . . . : local.lan
                      
                      Ethernet adapter Local:
                      
                         Connection-specific DNS Suffix  . :
                         Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
                         Physical Address. . . . . . . . . : 00-13-3B-2F-67-62
                         DHCP Enabled. . . . . . . . . . . : No
                         Autoconfiguration Enabled . . . . : Yes
                         IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
                         Subnet Mask . . . . . . . . . . . : 255.255.255.0
                         Default Gateway . . . . . . . . . : 192.168.9.253
                         DNS Servers . . . . . . . . . . . : 192.168.3.10
                         NetBIOS over Tcpip. . . . . . . . : Enabled
                      

                      No IPv6.... But when I set debug on nslookup you see it asking for AAAA when all I asked for was www.google.com

                      [screenshot: login required to view]

                      Again - it will depend on the OS, the application, etc.. But yes, it is quite normal to see queries for AAAA even when you're not running IPv6

                      I would assume Linux is far better at not doing this than Windows or Windows applications ;)

                      Here for example off one of my Linux boxes.

                      user@ombi:~$ ifconfig
                      ens3      Link encap:Ethernet  HWaddr 02:11:32:28:77:34  
                                inet addr:192.168.2.22  Bcast:192.168.2.255  Mask:255.255.255.0
                                inet6 addr: fe80::11:32ff:fe28:7734/64 Scope:Link
                                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                                RX packets:1020393 errors:0 dropped:2 overruns:0 frame:0
                                TX packets:463097 errors:0 dropped:0 overruns:0 carrier:0
                                collisions:0 txqueuelen:1000 
                                RX bytes:1332305940 (1.3 GB)  TX bytes:106337407 (106.3 MB)
                      
                      lo        Link encap:Local Loopback  
                                inet addr:127.0.0.1  Mask:255.0.0.0
                                inet6 addr: ::1/128 Scope:Host
                                UP LOOPBACK RUNNING  MTU:65536  Metric:1
                                RX packets:1972 errors:0 dropped:0 overruns:0 frame:0
                                TX packets:1972 errors:0 dropped:0 overruns:0 carrier:0
                                collisions:0 txqueuelen:1 
                                RX bytes:187779 (187.7 KB)  TX bytes:187779 (187.7 KB)
                      
                      user@ombi:~$ nslookup
                      > set debug
                      > www.google.com
                      Server:         127.0.0.1
                      Address:        127.0.0.1#53
                      
                      ------------
                          QUESTIONS:
                              www.google.com, type = A, class = IN
                          ANSWERS:
                          ->  www.google.com
                              internet address = 172.217.4.196
                              ttl = 2396
                          AUTHORITY RECORDS:
                          ADDITIONAL RECORDS:
                      ------------
                      Non-authoritative answer:
                      Name:   www.google.com
                      Address: 172.217.4.196
                      > 
                      
                      

                      no query for AAAA

                        JKnott @johnpoz
                        last edited by Apr 3, 2020, 2:52 PM

                        @johnpoz said in DNS Resolver - getting IPv6 results when there is no IPv6?:

                        Again - it will depend on the OS, the application, etc.. But yes is quite normal to see queries for AAAA even when your not running IPv6

                        Did it return an AAAA record?

                          johnpoz LAYER 8 Global Moderator
                          last edited by Apr 3, 2020, 2:59 PM

                          No it wouldn't because one wasn't asked for ;) You can see in the debug exactly what was asked for.

                            JKnott @johnpoz
                            last edited by Apr 3, 2020, 3:56 PM

                            @johnpoz

                            I just tried using the Linux "host" command for ipv6.google.com. It showed the IPv6 address, just as your nslookup example did. Regardless, that does not represent an attempt to get an AAAA record by an OS, when on an IPv4 only network.

                              johnpoz LAYER 8 Global Moderator
                              last edited by johnpoz Apr 3, 2020, 4:42 PM Apr 3, 2020, 4:17 PM

                              what??? I have no idea what you're going on about... You can see in my Windows nslookup that I have no IPv6 address at all, it doesn't even show link local, and it still queries for AAAA, even though I did not call out A or AAAA in nslookup - on its own it asked for A and then AAAA

                              Linux, even having link local, does not query for the AAAA record.

                              Let's state this again.. It would be up to the OS, or the application, whether it asks for AAAA or not.. That may or may not happen depending on your OS and/or your applications..

                              But just because you're on an IPv4-only network, that doesn't mean that AAAA might not be queried for.. So seeing AAAA queries is quite normal even on an IPv4-only network..

                              It's just another record, like TXT or CNAME or PTR or SRV, etc. It really has little to do with the actual protocol.. other than that it is the RR designed to handle IPv6 addresses in DNS, like A records.

                              Here for example - my NAS is static, has no IPv6 configured.. I do not run any sort of SLAAC or DHCPv6 on this network.. It does not have IPv6 configured... And yet all on its own, going about its business, it queries for AAAA

                              [screenshot: login required to view]

                              It is set to IPv6 OFF

                              [screenshot: login required to view]

                              And yeah, just on its own, no client doing anything, etc.. It's normal operation - it queries its configured IPv4 DNS for AAAA..

                                JKnott @johnpoz
                                last edited by Apr 3, 2020, 5:33 PM

                                @johnpoz said in DNS Resolver - getting IPv6 results when there is no IPv6?:

                                what??? I have no idea what your going on about...

                                You used nslookup, I used host. Same function. Both are used to obtain IP addresses for information purposes, not for actually accessing a site. On the other hand, the OS will request A or A & AAAA records, according to what the computer can handle.

                                Bottom line, if a computer has an IPv6 address, beyond link local, it will ask for AAAA records, otherwise not. You can try as I did with a test network and Wireshark or Packet Capture to verify.

                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz Apr 3, 2020, 5:49 PM Apr 3, 2020, 5:40 PM

                                  if a computer has an IPv6 address, beyond link local, it will ask for AAAA records, otherwise not.

                                  No, this is not true... You have no freaking idea what the application might do... I have shown you direct examples of a box with ZERO IPv6 addresses - and it still asking for AAAA... It's just a freaking record; how the application is written determines what it might ask for. You could also write your application to ONLY query A, even if the box only had IPv6... AAAA is just a record..

                                  Yup, applications and OSes can do different things..

                                  I don't understand why you're so confused about this.. The DNS resolver has no control over what it gets asked... If it's asked for AAAA then it will return those.. if they exist; if not, then it will return SOA, etc.

                                  If the client asks for AAAA and there is no AAAA record, then it will return the SOA, etc. etc..

                                  ;; QUESTION SECTION:
                                  ;www.reddit.com.                        IN      AAAA
                                  
                                  ;; ANSWER SECTION:
                                  www.reddit.com.         3600    IN      CNAME   reddit.map.fastly.net.
                                  
                                  ;; AUTHORITY SECTION:
                                  fastly.net.             460     IN      SOA     ns1.fastly.net. hostmaster.fastly.com. 2017052201 3600 600 604800 30
                                  

                                  If the OP got back AAAA for something - HE ASKED FOR IT!! Be it he was aware of it or not...

                                  Now many servers are starting to REFUSE the ANY query... But if you query a NS for ANY, you will get back all records for that host.. So if it has A and AAAA you would get back both, etc. etc..

                                    JKnott @johnpoz
                                    last edited by Apr 3, 2020, 5:59 PM

                                    @johnpoz said in DNS Resolver - getting IPv6 results when there is no IPv6?:

                                    No, this is not true... You have no freaking idea what the application might do... I have shown you direct examples of a box with ZERO IPv6 addresses - and it still asking for AAAA... It's just a freaking record; how the application is written determines what it might ask for. You could also write your application to ONLY query A, even if the box only had IPv6... AAAA is just a record..

                                    Do applications specifically ask for IPv4 or IPv6 addresses? Or do they just ask for an address? Nslookup and host are applications that are used to look up the addresses for a site and so would request both. On the other hand, an app connecting to a site just needs a working address.

                                    Here are nslookup and host used to find addresses.

                                    nslookup google.com
                                    Server: xxxxxx.yyyy.net
                                    Address: fd48:1a37:2160:0:216:17ff:fea7:f2d3

                                    Non-authoritative answer:
                                    Name: google.com
                                    Addresses: 2607:f8b0:400b:801::200e
                                    172.217.165.14

                                    host google.com
                                    google.com has address 172.217.165.14
                                    google.com has IPv6 address 2607:f8b0:400b:801::200e
                                    google.com mail is handled by 10 aspmx.l.google.com.
                                    google.com mail is handled by 30 alt2.aspmx.l.google.com.
                                    google.com mail is handled by 50 alt4.aspmx.l.google.com.
                                    google.com mail is handled by 40 alt3.aspmx.l.google.com.
                                    google.com mail is handled by 20 alt1.aspmx.l.google.com.

                                    As mentioned, the app's purpose is to list addresses.

                                    Now, if you open a browser, it just needs an address, either IPv4 or IPv6. Does it actually request both? I could be wrong, but I don't think so.

                                    Also, it makes no difference if the DNS servers are reached with an IPv4 or IPv6 address, as both return the same info.

                                      JKnott @johnpoz
                                      last edited by Apr 3, 2020, 6:16 PM

                                      @johnpoz

                                      Incidentally, both C and Python have a gethostbyname() function. I don't see any mention of choosing IPv4 or IPv6.

                                        mmiller7 @Gertjan
                                        last edited by mmiller7 Apr 4, 2020, 2:32 AM Apr 4, 2020, 2:14 AM

                                        @Gertjan Some of the devices (like my work-issued laptop) I can't change any settings on because I'm not an administrator. Others aren't my computers (roommates, friends when we aren't in lockdown for a pandemic, smartphones that have IPv6 when they are on 4G) and probably shouldn't be changed.

                                        I've already tried the block-IPv6 checkbox (I've had an ISP before with a broken IPv6 implementation and had to use that before we moved); it didn't seem to make a difference so I put it back to allowed.

                                        My Linux Mint box (main machine) I have a "Scope:Link" IPv6 address when I look at ifconfig but no global IPv6 address...and the router has no IPv6 address for the WAN.

                                        I'll try and find the right filters to capture only DNS traffic in Wireshark and see if I can make any sense of what apps are requesting (if I can reproduce it...)

                                        EDIT: That was quicker than I expected...yeah, seems command line 'ftp' is asking for AAAA records. I don't understand why though, or what to do about it yet..
                                        [screenshot: login required to view]

                                        I do notice, this time it listed both IPs on the command line...I think when I have trouble it only lists the IPv6. So maybe that's something with when my upstream DNS hiccups on one of the queries somehow?

                                        Resolving cddis.nasa.gov (cddis.nasa.gov)... 198.118.242.40, 2001:4d0:241a:442::52
                                        Connecting to cddis.nasa.gov (cddis.nasa.gov)|198.118.242.40|:21... connected.
                                        Logging in as anonymous ... Logged in!
                                        

                                        EDIT2:
                                        And while I didn't happen to have Wireshark up at the try when it reproduced the error, sure enough I got a different result on the terminal...

                                        Resolving cddis.nasa.gov (cddis.nasa.gov)... 2001:4d0:241a:442::52
                                        Connecting to cddis.nasa.gov (cddis.nasa.gov)|2001:4d0:241a:442::52|:21... 
                                        failed: Connection timed out.
                                        
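                                        The wget output just above is the failure mode this thread is about: the resolver hands back both records, the client picks the AAAA and then waits out a timeout on a path that does not exist. What follows is an added example, not code from the thread, from pfSense or from wget, showing the two things a client can do about it. It also answers the gethostbyname() question raised earlier: gethostbyname() only ever returns IPv4 addresses, while getaddrinfo() with AF_UNSPEC is the call that produces both an A and an AAAA query, and its AI_ADDRCONFIG flag asks only for families the host has an address for. The second measure is to try the returned addresses in order with a bounded per-address timeout instead of stopping at the first unreachable IPv6 one. The candidate addresses are documentation prefixes (not the NASA host's), and the connect attempts in the demo are simulated through an injected function so the logic runs offline; tcp_connect() is the real one.

```python
"""Reach a dual-stack host from a LAN with no IPv6 route.

Added example, not code from the thread. Two client-side measures:
  1. resolve with AI_ADDRCONFIG so families the host has no address for are not
     asked for at all (libcs differ on whether link-local counts, so do not rely on it);
  2. order candidates by what is routable and try them in turn with a timeout,
     instead of stopping at the first unreachable IPv6 address.
"""
import socket


def has_global_ipv6_route(probe="2001:db8::1"):
    """True if the kernel has a route towards a global IPv6 address.

    connect() on a UDP socket sends nothing; it only performs the route lookup,
    so this works offline. 2001:db8::/32 is the documentation prefix.
    """
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect((probe, 53))
        return True
    except OSError:
        return False


def resolve(host, port, addrconfig=True):
    """Return [(family, address)] via getaddrinfo. Unlike gethostbyname this can
    yield both A and AAAA results; AI_ADDRCONFIG suppresses families the host
    has no address configured for. Needs the network, so not used in the demo."""
    flags = socket.AI_ADDRCONFIG if addrconfig else 0
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, flags)
    return [(family, sockaddr[0]) for family, _, _, _, sockaddr in infos]


def order_candidates(candidates, ipv6_usable):
    """Routable family first. Unusable IPv6 is kept at the end, not dropped, so a
    wrong guess about the route still ends in a fallback rather than a failure."""
    v6 = [c for c in candidates if c[0] == socket.AF_INET6]
    v4 = [c for c in candidates if c[0] == socket.AF_INET]
    return v6 + v4 if ipv6_usable else v4 + v6


def connect_with_fallback(candidates, connect, timeout=3.0):
    """Try each (family, address) in order; return (address, conn) of the first
    success. 'connect' is injected so the logic can be exercised offline."""
    failures = []
    for family, addr in candidates:
        try:
            return addr, connect(family, addr, timeout)
        except OSError as exc:
            failures.append(f"{addr}: {exc}")
    raise OSError("all candidates failed: " + "; ".join(failures))


def tcp_connect(family, addr, timeout, port=21):
    """Production connect function: a TCP connect bounded by the timeout."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
    except OSError:
        sock.close()
        raise
    return sock


# Constructed candidates (documentation addresses, not the ones from the thread) and
# fake connects: one behaves like a LAN with no IPv6 route (v6 times out, v4 works),
# the other like a host that is down on both families.
CANDIDATES = [(socket.AF_INET6, "2001:db8:442::52"), (socket.AF_INET, "203.0.113.40")]


def fake_connect_no_v6_route(family, addr, timeout):
    if family == socket.AF_INET6:
        raise TimeoutError(f"connect timed out after {timeout}s")
    return f"connected:{addr}"


def fake_connect_all_fail(family, addr, timeout):
    raise ConnectionRefusedError("connection refused")


def demo(ipv6_usable=False, connect=fake_connect_no_v6_route):
    """Order the candidates for the given route state and connect."""
    return connect_with_fallback(order_candidates(CANDIDATES, ipv6_usable), connect)


if __name__ == "__main__":
    print("global IPv6 route on this host:", has_global_ipv6_route())
    print("no v6 route, v4 first  :", demo(ipv6_usable=False))
    print("v6 first, then fallback:", demo(ipv6_usable=True))
```

                                        The ordering step is what wget lacked in the run above: with only a link-local fe80:: address the kernel has no route to 2001:4d0::/32, so has_global_ipv6_route() returns False, IPv4 goes first and the AAAA result only matters if the A fails. Browsers get the same effect from Happy Eyeballs; command-line tools often do not, which is why a forced `-4` (wget and curl both have it) is the usual workaround on an IPv4-only LAN.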
                                          JKnott @mmiller7
                                          last edited by Apr 4, 2020, 2:41 AM

                                          @mmiller7 said in DNS Resolver - getting IPv6 results when there is no IPv6?:

                                          And while I didn't happen to have wireshark up

                                          You can always use Packet Capture and download the capture so you can read it with Wireshark.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.