Netgate Discussion Forum

    Need to filter/disable IPv6 results for DNS responses

    13 Posts 6 Posters 6.8k Views
    • M
      mmiller7
      last edited by

      I'm running pfSense 2.3.2-RELEASE-p1 (amd64) with "DNS Resolver" for my DNS lookups.

      My problem is my ISP (Cox Communications) seems to have very unstable IPv6.  I originally got pfSense partly because I thought it was the crappy implementation of IPv6 in my Linksys router causing severe problems (on that I finally shut IPv6 off completely) but now I think based on the "Monitoring" graphs it is actually my ISP.  I have regular packet loss for IPv6 (IPv4 seems fine) and the result is at random my browsing will lag horribly (last night it took multiple minutes to reach Google.com homepage).  I've traced it to something with IPv6, at the time I had 100% packet loss pinging Google's IPv6 address but 0% loss pinging Google's IPv4 address - manually typing the IPv4 for google.com in my address bar made it load instantly.  For other applications (e.g. SSH) it doesn't fail back to IPv4 so I simply can't reach things by name until the IPv6 connectivity returns (which it does, on its own).  I would prefer not to totally disable IPv6 so I can continue to monitor it but I'd like to stop DNS AAAA records from being returned so by default my network devices will be forced to use IPv4 to access things.

      Calling the ISP is futile because by the time I get done sitting on hold the problem is gone and I doubt the person I'd get understands enough about IPv6 to figure out my problem anyway.

      I've attempted to attach screenshots from the pfSense monitoring graphs for the IPv4 and IPv6 WAN interface stats last night when I was having all my issues.  This morning it's magically fixed (for now).

      I'm open to suggestions…because since I'm the bleeding-edge IT person in my house I'm the one that gets fussed at when things run slowly.

      • D
        doktornotor Banned
        last edited by

        Shrug; you can try the BIND package and filter-aaaa-on-v4. (Or use HE tunnel instead of the crappy ISP.)

        • M
          mmiller7
          last edited by

          Hmm, I'll have to read about that.

          Does BIND take the place of the DNS Resolver (as a 3rd option instead of just DNS Forwarder service)?  Or is it used in addition to DNS Resolver?

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

If your isp ipv6 is not ready, why are you using ipv6 then?  It's quite easy to just disable it both at the router level and at the client level.  Just say ipv6 none for the wan and for your lan interfaces.. There you go, no ipv6.

Or just go with HE.. I run HE because comcast ipv6 also needs a few years ;)  Plus it's much easier to set up and maintain - get yourself a nice /48 and use whatever /64 out of that you want.

            Yes if you want to use bind AAAA filter then you would be using bind and not unbound or dnsmasq..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • M
              mmiller7
              last edited by

I assumed if my ISP wasn't ready they wouldn't be pushing me IPv6 addresses?  One day all of a sudden I just started magically having IPv6 global addresses on all my things (which was a bit of a shock).

              I'm on Cox Cable and it's odd, once in a while it seems faster with IPv6 other times it just fails miserably.

              Still don't see any benefit to IPv6…I get that we "ran out" of IPv4 addresses but I'm not seeing anything that doesn't work with my remaining IPv4 things that does work on IPv6 nor vice-versa.  IPv6 just seems less stable.

              • K
                kpa
                last edited by

                @mmiller7:

I assumed if my ISP wasn't ready they wouldn't be pushing me IPv6 addresses?  One day all of a sudden I just started magically having IPv6 global addresses on all my things (which was a bit of a shock).

                I'm on Cox Cable and it's odd, once in a while it seems faster with IPv6 other times it just fails miserably.

                Still don't see any benefit to IPv6…I get that we "ran out" of IPv4 addresses but I'm not seeing anything that doesn't work with my remaining IPv4 things that does work on IPv6 nor vice-versa.  IPv6 just seems less stable.

There's nothing "less stable" about IPv6, only clueless ISPs who are not up to date on what IPv6 is and how it should be deployed.

                • JKnottJ
                  JKnott
                  last edited by

                  Still don't see any benefit to IPv6…I get that we "ran out" of IPv4 addresses but I'm not seeing anything that doesn't work with my remaining IPv4 things that does work on IPv6 nor vice-versa.

                  Well, how 'bout access to devices behind your firewall without messing with port forwarding?  That means you can have multiple devices open on the same port number.  NAT also breaks a few things.  There is a long list of reasons why IPv6 is superior to IPv4.

                  Incidentally, I'm currently reading the book "Network Nerds", by Brian Carpenter, one of the people with early involvement in setting up the TCP/IP & Internet.  I just finished reading the part about how they settled on IPv6.  Even back in the early '90s they realized 32 bit addresses were not adequate.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • M
                    mmiller7
                    last edited by

                    Well it doesn't make it any more accessible for me…I only know one other person with IPv6 so all it did for me was undermine my security when suddenly lots of machines were potentially accessible that were configured with security expecting LAN-only access (e.g. with no password because it's behind the router and should be accessible to anyone I let on my network).

                    The only other IPv6 I have access to is my smartphone and that doesn't help because I don't access anything from it.  And I can't access my smartphone from my house because VZW blocks all inbound IPv6 (when asked they said inbound is only possible on static-business IPv4).

                    I'm getting all the security issues from IPv6 (which is why I want to be able to play with it to learn and harden stuff better) but none of the "benefits" of using it.

                    But alas I don't want to start an IP-flamewar here...I do thank everyone for your help.  I probably won't have time for a couple days to "sit down and try" on configuring BIND but I'm going to look seriously into that when I have some free time.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      I don't think talking about the advantages and disadvantages of ipv4 over ipv6 would start any sort of flamewar ;)

There are plenty of advantages to moving to IPv6 - but I concur there really is little reason that pushes users to it.  As you mention, other than maybe some dark web or p0rn sites I know of no resources on the internet that you can only access if you have IPv6.  This for sure takes pressure off your normal users from demanding stable reliable ipv6 from their ISPs.

                      If your goal is to learn and play and understand the differences with IPv6 over IPv4 - I would again suggest going the HE tunnel route.  This takes all the possible headaches of fubar isp ipv6 deployment out of the equation and gives you more control.

                      I have limited devices on my network that use ipv6, so I can play/test when I want - but don't use it for day to day operations.  I do host up some stuff via ipv6, ie my ntp server that is in the pool has both ipv4 and ipv6.  My vps are all available on ipv6, and a test domain I play with is dual with ipv4 and ipv6.  I run my own vps ns for this play domain that is signed dnssec, etc.

I listen on ipv6 for my openvpn connection, but this was only recently when t-mobile went IPv6 on their data connection and my phone no longer gets an IPv4 address.  This had broken my vpn into my home network unless I was coming from a wifi network with IPv4.


                      • M
                        mmiller7
                        last edited by

                        @johnpoz:

I listen on ipv6 for my openvpn connection, but this was only recently when t-mobile went IPv6 on their data connection and my phone no longer gets an IPv4 address.  This had broken my vpn into my home network unless I was coming from a wifi network with IPv4.

                        Actually that makes me wonder now…if the DDNS service can update an IPv6 address for the WAN.  I don't know if it will change or not but I do know I don't want to have to remember it.

Verizon does IPv6 on 4G but they also have NAT'd IPv4.  Unfortunately neither allows inbound connections...though I've yet to have connectivity issues on Verizon Wireless (well except in a couple buildings that have no signal but that's unrelated).

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          Why do you need a ddns service - if you have a HE tunnel, the IPv6 address would be static..

                          But sure HE also provides for ddns ipv6 free.. Sure there are others that do as well.  I also run my own personal domain that I use for my address space, my IPv4 public as well as any IPv6 I want to put a name on.

Not sure how the rest of the planet's ISPs work - but I have had the same public IP which is given to me by dhcp and is dynamic for years.. Why would I lose my lease??  I don't turn off pfsense.. It renews the lease.. Until such time that I did not renew my lease and they ran through all the other leases and your isp handed that to someone else - you should always get the same IP..  So unless you're turning off your wan device for long periods of time that exceed your lease time… You normally would keep your wan IP..

I assume there are ISPs that change what they give to users.. I really don't see the point to that.. I think in all the time I have had comcast the only time the IP has changed is when I changed the mac of the device connected, or I do think they did some maint at some point and changed their IPs in the region I am in. And got a different IP.  I currently have a self managed mac connected to my modem.  So I can flip to whatever device I want connected to that modem and as long as I use that same mac - I get the same public IP.


                          • M
                            mmiller7
                            last edited by

                            @johnpoz:

                            Why do you need a ddns service - if you have a HE tunnel, the IPv6 address would be static..

                            But sure HE also provides for ddns ipv6 free.. Sure there are others that do as well.  I also run my own personal domain that I use for my address space, my IPv4 public as well as any IPv6 I want to put a name on.

                            I use Namecheap myself, I switched at the suggestion of a friend when DynDns dropped their free tier.

Not sure how the rest of the planet's ISPs work - but I have had the same public IP which is given to me by dhcp and is dynamic for years.. Why would I lose my lease??  I don't turn off pfsense.. It renews the lease.. Until such time that I did not renew my lease and they ran through all the other leases and your isp handed that to someone else - you should always get the same IP..  So unless you're turning off your wan device for long periods of time that exceed your lease time… You normally would keep your wan IP..

I assume there are ISPs that change what they give to users.. I really don't see the point to that.. I think in all the time I have had comcast the only time the IP has changed is when I changed the mac of the device connected, or I do think they did some maint at some point and changed their IPs in the region I am in. And got a different IP.  I currently have a self managed mac connected to my modem.  So I can flip to whatever device I want connected to that modem and as long as I use that same mac - I get the same public IP.

For the most part my IPv4 address stays the same but I do know it changes from time to time.  Once in a while they "upgrade" stuff and push "something" that makes the modem reboot and change its address.  Also if I change what it's connected to (different network card, motherboard swap, etc) it picks up a new IPv4 address.  Or if it's turned off for 24 consecutive hours (had this one time when a wire in the wall arced and burnt thru, cutting power to half the room, and my UPS ran out before Maintenance came out).  Another time some technician incorrectly disconnected our line for a weekend and the IP changed when I finally got them to hook it back up.

                            I was assuming if the DHCP IPv4 changes from time to time the IPv6 Cox "pushes" me might change from time to time as well.

                            • S
                              smolka_J @mmiller7
                              last edited by

                              @mmiller7 The following Unbound/DNS Resolver Custom options to remove all local and external domain AAAA responses in replies given to clients should be what you're looking for:

                              server:
                              do-ip4: yes
                              do-ip6: no
                              prefer-ip4: yes
                              prefer-ip6: no
                              private-address: 10.0.0.0/8
                              private-address: 172.16.0.0/12
                              private-address: 192.168.0.0/16
                              private-address: 169.254.0.0/16
                              private-address: ::ffff:0:0/96
                              private-address: fd00::/8
                              private-address: fe80::/10
                              private-address: ::/0
                              private-address: ::
                              local-zone: localhost.home.arpa transparent
                              local-data: "localhost.home.arpa A 127.0.0.1"
                              local-zone: localhost transparent
                              local-data: "localhost A 127.0.0.1"
                              local-zone: ip6.arpa redirect
                              local-data: "ip6.arpa A 0.0.0.0"
                              local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
                              local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
                              local-zone: "::/0" static
                              dns64-ignore-aaaa: *.*
                              do-not-query-address: ::
                              do-not-query-address: ::1
                              do-not-query-address: ::/0
                              
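What the private-address: lines in that config actually do, modelled as an added example (not smolka_J's snippet and not pfSense or unbound code): unbound deletes answer addresses that fall inside those netblocks, so ::/0 strips every AAAA record from replies while do-ip6: no only changes which transport unbound uses for its own queries. The script parses a constructed wire-format DNS reply (documentation and TEST-NET addresses only) and reports which addresses such a filter keeps or strips.

```python
import ipaddress
import struct

# Netblocks from the forum's "private-address:" lines; ::/0 alone covers all of IPv6.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::ffff:0:0/96", "fd00::/8", "fe80::/10", "::/0")]
TYPE_A, TYPE_AAAA = 1, 28

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def answer_addresses(msg):
    """Yield (rrtype, ip_address) for each A/AAAA RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                             # past the fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rrtype in (TYPE_A, TYPE_AAAA):
            yield rrtype, ipaddress.ip_address(msg[off:off + rdlen])
        off += rdlen

def filter_answers(msg):
    """Split answer addresses into those the client still sees and those unbound strips."""
    kept, stripped = [], []
    for _rrtype, addr in answer_addresses(msg):
        (stripped if any(addr in net for net in PRIVATE_NETS) else kept).append(addr)
    return kept, stripped

def build_response(qname, rrs):
    """Constructed sample reply (not captured traffic): one question plus A/AAAA answers."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    msg += name + struct.pack("!HH", TYPE_AAAA, 1)
    for rrtype, addr in rrs:             # owner name = pointer to the question name
        rdata = ipaddress.ip_address(addr).packed
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, 300, len(rdata)) + rdata
    return msg

# Documentation/TEST-NET addresses only; 10.0.0.5 stands in for a DNS-rebinding answer.
SAMPLE_RESPONSE = build_response("www.example.com", [
    (TYPE_A, "203.0.113.10"), (TYPE_A, "10.0.0.5"),
    (TYPE_AAAA, "2001:db8::1"), (TYPE_AAAA, "::ffff:203.0.113.10")])
```

Running filter_answers(SAMPLE_RESPONSE) keeps only the public IPv4 answer; the RFC 1918 A record and both AAAA records are the ones the listed netblocks remove.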
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.