ISP only hands out IPv4 Issue
-
Hello fellow Netgate Community,
Can you please help?
(What I would like to do) again... DNS will hand out AAAA IPv6 over IPv4; thing is, my ISP does not have IPv6 for me....
I am having an issue where I get handed an IPv6 address randomly by way of the pfsense DNS resolver. I have IPv6 set to disabled. I am aware of the tunnel hurricane service, I do not want to use that, I will wait until Consolidated hands me an IPv6 address. Again, with my firewall set to block IPv6 and Squid proxy set to serve IPv4 and my options set to not save IPv6 addresses in the DNS, why does Chrome keep trying to resolve the URL to an IPv6 intermittently? I also have DoH disabled and blocked. What would cause this, has anyone seen this? My ISP does not have IPv6, I have even called them for confirmation. Why does this occur? As soon as I log into pfsense and use the DNS lookup it fixes it. What is causing the IPv6 to be handed out or resolved?
DoH blocked personal
Doh Blacklist provided
-
Example of occurrence
I log into pfsense and DNS look up the address and afterwards it resolves correctly with IPv4.
With all the settings it still attempts IPv6 intermittently. Squid proxy when the package starts states "Enable this to force DNS IPv4 lookup first" is obsolete.
-
@JonathanLee DNS name servers typically provide both an IPv4 and IPv6 address. When you try and stop IPv6 it can become a game of whack-a-mole.
In your example you appear to have been served an IPv6 address from the IPv4 name servers that you have forwarded the query to. The lack of a route is what you should expect with your settings.
I am unfamiliar with your proxy settings but unbound may have an option to only serve A records. The trouble is that there are sites out there that link directly to an actual IPv6 address, rather than a name to be resolved.
-
@RobbieTT
I found this, it is already set: Enable IPv6, "yes" or "no".
# do-ip6: yes
"do-ip6: <yes or no> Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the IPv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it.
prefer-ip4: <yes or no> If enabled, prefer IPv4 transport for sending DNS queries to internet nameservers. Default is no. Useful if the IPv6 netblock the server has, the entire /64 of that is not owned by one operator and the reputation of the netblock /64 is an issue, using IPv4 then uses the IPv4 filters that the upstream servers have.
prefer-ip6: <yes or no> If enabled, prefer IPv6 transport for sending DNS queries to internet nameservers. Default is no."
ref:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
Testing this...
prefer-ip4: yes
prefer-ip6: no
I can't enter it into custom options; I manually added it to /var/unbound/unbound.conf.
I wish my ISP had IPv6 ready for me.
If I resave the DNS settings it auto deletes this custom option. I can't add it into the GUI, it says syntax error.
-
@JonathanLee did not work :( deleted my config change
-
@RobbieTT said in ISP only hands out IPv4 Issue:
serve A records
If you find anything please let me know
-
I found the custom entry solution: the syntax must include server: first, similar to the log options.
Ref:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html
For log-queries you have to add server: first; it enables the custom options, it's like a keyword.
After that it holds the settings.
-
@JonathanLee I'd presume that the config file is read at launch and then becomes read-only when running.
-
@RobbieTT I got it. I had to use the custom area; I needed to add server: first to let me add any more lines after. Just like when you enable logging:
server:
log-queries: yes
Same needs server: first, so for me:
server:
prefer-ip6: no
prefer-ip4: yes
Ref:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
I have also set the DNS resolver type to "type transport":
"typetransparent If there is a match from local data, the query is answered. If the query is for a different name, or for the same name but for a different type, the query is resolved normally. So, similar to transparent but types that are not listed in local data are resolved normally, so if an A record is in the local data that does not cause a nodata reply for AAAA queries."
Ref:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
-
Seems to work now!!!!!
"dns64-ignore-aaaa: <domain name>
List domain for which the AAAA records are ignored and the A record is used by DNS64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given."
(researching AAAA block)
ref:
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
-
So far I have found the following to work best on my boxes to remove IPv6 as much as possible, resulting in better stability: Unbound no longer crashes or hangs unresponsive at random or when forced to perform IPv6 nslookups.
Unbound Custom options to remove all local and external domain AAAA responses in replies given to clients:
server:
do-ip4: yes
do-ip6: no
prefer-ip4: yes
prefer-ip6: no
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: ::ffff:0:0/96
private-address: fd00::/8
private-address: fe80::/10
private-address: ::/0
private-address: ::
local-zone: localhost.home.arpa transparent
local-data: "localhost.home.arpa A 127.0.0.1"
local-zone: localhost transparent
local-data: "localhost A 127.0.0.1"
local-zone: ip6.arpa redirect
local-data: "ip6.arpa A 0.0.0.0"
local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
local-zone: "::/0" static
dns64-ignore-aaaa: *.*
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
Shellcmds added to the Shellcmd package to load at boot, to unload any auto created/started inet6 interfaces. Add or relabel for any other interface names that show when running the command prompt/console command ifconfig:
ifconfig lo0 inet6 ifdisabled
ifconfig igb0 inet6 ifdisabled
ifconfig igb1 inet6 ifdisabled
ifconfig ix0 inet6 ifdisabled
ifconfig lo0 inet6 fe80::1%lo0 delete
ifconfig lo0 inet6 ::1 delete
These last two are system files; these adjustments aren't saved in config.xml, so until there is a patch or tick box added they would need to be re-applied after each system upgrade, but they do survive general reboots.
-
Edit /etc/inc/system.inc, search for 'localhost' around line 331 and comment out the ::1 IPv6 section of lines with /* at the beginning, a * for each following line and */ at the end:
/*
 * $hosts[] = array(
 *     'ipaddr' => '::1',
 *     'fqdn' => 'localhost.' . $syscfg['domain'],
 *     'name' => 'localhost',
 *     'domain' => $syscfg['domain']
 * );
 */
Edit /etc/hosts.allow and comment out the line by adding a #:
#ALL : [::1] : allow
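Added example (not code from any poster in this thread, nor from Netgate or NLnet Labs): a small Python checker for the Custom options text discussed in the posts above. It reports options that appear before a server: clause, which is the case the pfSense GUI rejected as a syntax error until server: was added, and summarises what the quoted do-ip6 / prefer-ip4 / prefer-ip6 options would do once Unbound loads them. Assumptions: the pasted text follows the unbound.conf(5) layout of a clause line followed by "option: value" lines; the defaults are the ones from the man page excerpt quoted earlier; the sample inputs are copied from the thread.

```python
"""Checker for pfSense / Unbound "Custom options" text.

Added example, not code from the thread or from Netgate/NLnet Labs. Assumptions
(mine): the input is exactly what is pasted into DNS Resolver > Custom options,
and it follows the unbound.conf(5) layout of a clause line ("server:") followed
by "option: value" lines. Only the documented defaults of do-ip6 / prefer-ip4 /
prefer-ip6 are hard-coded; everything else is reported, not interpreted.
"""
import re
from typing import Dict, List, Tuple

# A line is either a bare clause ("server:") or "option: value".
LINE_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Documented defaults from unbound.conf(5) for the options quoted in the thread.
IPV6_DEFAULTS = {"do-ip6": "yes", "prefer-ip4": "no", "prefer-ip6": "no"}

Entry = Tuple[str, str, str]  # (clause, option, value)


def parse_custom_options(text: str) -> Tuple[List[Entry], List[str]]:
    """Split the pasted text into (clause, option, value) entries.

    Returns the entries and a list of human-readable problems. An option that
    appears before any clause is reported, because that is exactly the case
    the pfSense GUI rejects as a syntax error until "server:" is added.
    """
    entries: List[Entry] = []
    problems: List[str] = []
    clause = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: cannot parse {raw.strip()!r}")
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "":
            clause = key  # "server:", "forward-zone:", ...
            continue
        if clause is None:
            problems.append(
                f"line {lineno}: option {key!r} appears before any clause "
                "(put 'server:' on the line above)"
            )
            continue
        entries.append((clause, key, value))
    return entries, problems


def ipv6_posture(entries: List[Entry]) -> Dict[str, str]:
    """Effective values of the IPv6 transport options in the server clause."""
    posture = dict(IPV6_DEFAULTS)
    for clause, key, value in entries:
        if clause == "server" and key in posture:
            posture[key] = value.lower()
    return posture


def check(text: str) -> Dict[str, object]:
    """Summarise what the pasted options would do once Unbound loads them."""
    entries, problems = parse_custom_options(text)
    posture = ipv6_posture(entries)
    aaaa_ignored = [v for c, k, v in entries if c == "server" and k == "dns64-ignore-aaaa"]
    return {
        "problems": problems,
        "option_count": len(entries),
        # do-ip6: no turns off the IPv6 *transport*; per the man page it does
        # not strip AAAA records from answers.
        "ipv6_transport_disabled": posture["do-ip6"] == "no",
        "ipv4_preferred": posture["prefer-ip4"] == "yes" and posture["prefer-ip6"] != "yes",
        "dns64_ignore_aaaa": aaaa_ignored,
    }


# Inputs copied from the posts above (the first is the one the GUI rejected).
REJECTED = "prefer-ip4: yes\nprefer-ip6: no\n"
ACCEPTED = "server:\nprefer-ip6: no\nprefer-ip4: yes\n"
FULL = (
    "server:\n"
    "do-ip4: yes\n"
    "do-ip6: no\n"
    "prefer-ip4: yes\n"
    "prefer-ip6: no\n"
    "private-address: ::/0\n"
    'local-data: "localhost A 127.0.0.1"\n'
    "dns64-ignore-aaaa: *.*\n"
)

if __name__ == "__main__":
    for name, text in (("rejected", REJECTED), ("accepted", ACCEPTED), ("full", FULL)):
        print(name, check(text))
```

Running it prints one summary per sample; the first sample reports two "appears before any clause" problems and zero accepted options, which matches the syntax error seen in the GUI, while the full list shows the IPv6 transport disabled but, as the quoted man page says, that setting alone says nothing about AAAA records in the answers.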