Need to filter/disable IPv6 results for DNS responses



  • I'm running pfSense 2.3.2-RELEASE-p1 (amd64) with "DNS Resolver" for my DNS lookups.

    My problem is my ISP (Cox Communications) seems to have very unstable IPv6.  I originally got pfSense partly because I thought it was the crappy implementation of IPv6 in my Linksys router causing severe problems (on that I finally shut IPv6 off completely) but now I think based on the "Monitoring" graphs it is actually my ISP.  I have regular packet loss for IPv6 (IPv4 seems fine) and the result is at random my browsing will lag horribly (last night it took multiple minutes to reach Google.com homepage).  I've traced it to something with IPv6, at the time I had 100% packet loss pinging Google's IPv6 address but 0% loss pinging Google's IPv4 address - manually typing the IPv4 for google.com in my address bar made it load instantly.  For other applications (e.g. SSH) it doesn't fail back to IPv4 so I simply can't reach things by name until the IPv6 connectivity returns (which it does, on its own).  I would prefer not to totally disable IPv6 so I can continue to monitor it but I'd like to stop DNS AAAA records from being returned so by default my network devices will be forced to use IPv4 to access things.

    Calling the ISP is futile because by the time I get done sitting on hold the problem is gone and I doubt the person I'd get understands enough about IPv6 to figure out my problem anyway.

    I've attempted to attach screenshots from the pfSense monitoring graphs for the IPv4 and IPv6 WAN interface stats last night when I was having all my issues.  This morning it's magically fixed (for now).

    I'm open to suggestions…because since I'm the bleeding-edge IT person in my house I'm the one that gets fussed at when things run slowly.




  • Banned

    Shrug; you can try the BIND package and filter-aaaa-on-v4. (Or use HE tunnel instead of the crappy ISP.)
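
As an added example (not from the thread or from the pfSense BIND package), a minimal BIND `named.conf` options block using `filter-aaaa-on-v4`; it assumes BIND 9.10/9.11 syntax, a build with `--enable-filter-aaaa`, a LAN of 192.168.1.0/24 with the resolver on 192.168.1.1, and a `directory` path, all of which are constructed values to adapt.

```conf
options {
    directory "/usr/local/etc/namedb";   // assumed path; match the package layout
    recursion yes;
    allow-recursion { 192.168.1.0/24; localhost; };   // constructed LAN range
    listen-on { 192.168.1.1; 127.0.0.1; };
    listen-on-v6 { any; };
    dnssec-validation auto;

    // Strip AAAA records from responses to clients that queried over IPv4,
    // so dual-stack LAN hosts fall back to the A record while the ISP's
    // IPv6 path is flapping. Clients that ask over IPv6 still receive AAAA,
    // so IPv6 can still be exercised from chosen hosts for testing.
    filter-aaaa-on-v4 yes;

    // Caveats (from the BIND ARM description of this option):
    //  - With "yes", AAAA records are left in place when the response
    //    carries DNSSEC signatures, because deleting them would make the
    //    answer fail validation; "break-dnssec" removes them regardless,
    //    and a validating client will then reject the response.
    //  - The filter applies to every response this server sends,
    //    authoritative or recursive, not only to forwarded lookups.
};
```

Verify from an IPv4-only LAN host with `dig @192.168.1.1 AAAA www.example.com` (empty answer section) against `dig @192.168.1.1 A www.example.com`; in BIND 9.14 and later the option moved into the filter-aaaa plugin (`plugin query "filter-aaaa.so" { filter-aaaa-on-v4 yes; };`).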



  • Hmm, I'll have to read about that.

    Does BIND take the place of the DNS Resolver (as a 3rd option instead of just DNS Forwarder service)?  Or is it used in addition to DNS Resolver?


  • Rebel Alliance Global Moderator

    If your isp ipv6 is not ready, why are you using ipv6 then?  It's quite easy to just disable it both at the router level and at the client level.  Just say ipv6 none for the wan and for your lan interfaces.. There you go, no ipv6.

    Or just go with HE.. I run HE because comcast ipv6 also needs a few years ;)  Plus it's much easier to setup and maintain - get yourself a nice /48 and use whatever /64 out of that you want.

    Yes if you want to use bind AAAA filter then you would be using bind and not unbound or dnsmasq..



    I assumed if my ISP wasn't ready they wouldn't be pushing me IPv6 addresses?  One day all of a sudden I just started magically having IPv6 global addresses on all my things (which was a bit of a shock).

    I'm on Cox Cable and it's odd, once in a while it seems faster with IPv6 other times it just fails miserably.

    Still don't see any benefit to IPv6…I get that we "ran out" of IPv4 addresses but I'm not seeing anything that doesn't work with my remaining IPv4 things that does work on IPv6 nor vice-versa.  IPv6 just seems less stable.



  • @mmiller7:

    I assumed if my ISP wasn't ready they wouldn't be pushing me IPv6 addresses?  One day all of a sudden I just started magically having IPv6 global addresses on all my things (which was a bit of a shock).

    I'm on Cox Cable and it's odd, once in a while it seems faster with IPv6 other times it just fails miserably.

    Still don't see any benefit to IPv6…I get that we "ran out" of IPv4 addresses but I'm not seeing anything that doesn't work with my remaining IPv4 things that does work on IPv6 nor vice-versa.  IPv6 just seems less stable.

    There's nothing "less stable" about IPv6, only clueless ISPs who are not up to date on what IPv6 is and how it should be deployed.



  • Still don't see any benefit to IPv6…I get that we "ran out" of IPv4 addresses but I'm not seeing anything that doesn't work with my remaining IPv4 things that does work on IPv6 nor vice-versa.

    Well, how 'bout access to devices behind your firewall without messing with port forwarding?  That means you can have multiple devices open on the same port number.  NAT also breaks a few things.  There is a long list of reasons why IPv6 is superior to IPv4.

    Incidentally, I'm currently reading the book "Network Nerds", by Brian Carpenter, one of the people with early involvement in setting up the TCP/IP & Internet.  I just finished reading the part about how they settled on IPv6.  Even back in the early '90s they realized 32 bit addresses were not adequate.



  • Well it doesn't make it any more accessible for me…I only know one other person with IPv6 so all it did for me was undermine my security when suddenly lots of machines were potentially accessible that were configured with security expecting LAN-only access (e.g. with no password because it's behind the router and should be accessible to anyone I let on my network).

    The only other IPv6 I have access to is my smartphone and that doesn't help because I don't access anything from it.  And I can't access my smartphone from my house because VZW blocks all inbound IPv6 (when asked they said inbound is only possible on static-business IPv4).

    I'm getting all the security issues from IPv6 (which is why I want to be able to play with it to learn and harden stuff better) but none of the "benefits" of using it.

    But alas I don't want to start an IP-flamewar here...I do thank everyone for your help.  I probably won't have time for a couple days to "sit down and try" on configuring BIND but I'm going to look seriously into that when I have some free time.


  • Rebel Alliance Global Moderator

    I don't think talking about the advantages and disadvantages of ipv4 over ipv6 would start any sort of flamewar ;)

    There are plenty of advantages to moving to IPv6 - but I concur there really is little reason that pushes users to it.  As you mention, other than maybe some dark web or p0rn sites I know of no resources on the internet that you can only access if you have IPv6.  This for sure takes pressure off your normal users from demanding stable reliable ipv6 from their ISPs.

    If your goal is to learn and play and understand the differences with IPv6 over IPv4 - I would again suggest going the HE tunnel route.  This takes all the possible headaches of fubar isp ipv6 deployment out of the equation and gives you more control.

    I have limited devices on my network that use ipv6, so I can play/test when I want - but don't use it for day to day operations.  I do host up some stuff via ipv6, ie my ntp server that is in the pool has both ipv4 and ipv6.  My vps are all available on ipv6, and a test domain I play with is dual with ipv4 and ipv6.  I run my own vps ns for this play domain that is signed dnssec, etc.

    I listen on ipv6 for my openvpn connection, but this was only recently when t-mobile went IPv6 on their data connection and my phone no longer gets an IPv4 address.  This had broken my vpn into my home network unless I was coming from a wifi network with IPv4.



  • @johnpoz:

    I listen on ipv6 for my openvpn connection, but this was only recently when t-mobile went IPv6 on their data connection and my phone no longer gets an IPv4 address.  This had broken my vpn into my home network unless I was coming from a wifi network with IPv4.

    Actually that makes me wonder now…if the DDNS service can update an IPv6 address for the WAN.  I don't know if it will change or not but I do know I don't want to have to remember it.

    Verizon does IPv6 on 4G but they also have NAT'd IPv4.  Unfortunately neither allows inbound connections...though I'm yet to have connectivity issues on Verizon Wireless (well except in a couple buildings that have no signal but that's unrelated).


  • Rebel Alliance Global Moderator

    Why do you need a ddns service - if you have a HE tunnel, the IPv6 address would be static..

    But sure HE also provides for ddns ipv6 free.. Sure there are others that do as well.  I also run my own personal domain that I use for my address space, my IPv4 public as well as any IPv6 I want to put a name on.

    Not sure how the rest of the planet's ISPs work - but I have had the same public IP which is given to me by dhcp and is dynamic for years.. Why would I lose my lease??  I don't turn off pfsense.. It renews the lease.. Until such time that I did not renew my lease and they ran through all the other leases and your isp handed that to someone else - you should always get the same IP..  So unless you're turning off your wan device for long periods of time that exceeds your lease time… You normally would keep your wan IP..

    I assume there are ISPs that change what they give to users.. I really don't see the point to that.. I think in all the time I have had comcast the only time the IP has changed is when I changed the mac of the device connected, or I do think they did some maint at some point and changed their IPs in the region I am in. And got a different IP.  I currently have a self managed mac connected to my modem.  So I can flip to whatever device I want connected to that modem and as long as I use that same mac - I get the same public IP.



  • @johnpoz:

    Why do you need a ddns service - if you have a HE tunnel, the IPv6 address would be static..

    But sure HE also provides for ddns ipv6 free.. Sure there are others that do as well.  I also run my own personal domain that I use for my address space, my IPv4 public as well as any IPv6 I want to put a name on.

    I use Namecheap myself, I switched at the suggestion of a friend when DynDns dropped their free tier.

    Not sure how the rest of the planet's ISPs work - but I have had the same public IP which is given to me by dhcp and is dynamic for years.. Why would I lose my lease??  I don't turn off pfsense.. It renews the lease.. Until such time that I did not renew my lease and they ran through all the other leases and your isp handed that to someone else - you should always get the same IP..  So unless you're turning off your wan device for long periods of time that exceeds your lease time… You normally would keep your wan IP..

    I assume there are ISPs that change what they give to users.. I really don't see the point to that.. I think in all the time I have had comcast the only time the IP has changed is when I changed the mac of the device connected, or I do think they did some maint at some point and changed their IPs in the region I am in. And got a different IP.  I currently have a self managed mac connected to my modem.  So I can flip to whatever device I want connected to that modem and as long as I use that same mac - I get the same public IP.

    For the most part my IPv4 address stays the same but I do know it changes from time to time.  Once in a while they "upgrade" stuff and push "something" that makes the modem reboot and change its address.  Also if I change what it's connected to (different network card, motherboard swap, etc) it picks up a new IPv4 address.  Or if it's turned off for 24 consecutive hours (had this one time when a wire in the wall arced and burnt thru cutting power to half the room and my UPS ran out before Maintenance came out).  Another time some technician incorrectly disconnected our line for a weekend and the IP changed when I finally got them to hook it back up.

    I was assuming if the DHCP IPv4 changes from time to time the IPv6 Cox "pushes" me might change from time to time as well.