Netgate Discussion Forum
    ISP only hands out IPv4 Issue

    IPv6 · 14 Posts, 3 Posters, 823 Views
    JonathanLee (last edited by JonathanLee)

      Hello fellow Netgate Community,

      Can you please help?

      Screenshot 2023-06-22 at 9.34.15 AM.png
      (What I would like to do)

      Again... DNS will hand out AAAA IPv6 over IPv4; the thing is, my ISP does not have IPv6 for me....

      I am having an issue where I get handed an IPv6 address randomly by way of the pfSense DNS Resolver. I have IPv6 set to disabled. I am aware of the Hurricane Electric tunnel service; I do not want to use that, I will wait until Consolidated hands me an IPv6 address. Again, with my firewall set to block IPv6, Squid proxy set to serve IPv4 and my options set to not save IPv6 addresses in the DNS, why does Chrome keep trying to resolve the URL to an IPv6 address intermittently? I also have DoH disabled and blocked. What would cause this? Has anyone seen this? My ISP does not have IPv6; I have even called them for confirmation. Why does this occur, and why, as soon as I log into pfSense and use the DNS lookup, does it fix itself? What is causing the IPv6 address to be handed out or resolved?

      Screenshot 2023-06-22 at 2.13.33 PM.png

      Screenshot 2023-06-22 at 8.37.44 AM.png

      Screenshot 2023-06-22 at 8.38.31 AM.png

      Screenshot 2023-06-22 at 8.39.20 AM.png

      Screenshot 2023-06-22 at 8.40.34 AM.png
      DoH blocked personal
      Screenshot 2023-06-22 at 8.42.09 AM.png
      Doh Blacklist provided
      Screenshot 2023-06-22 at 8.42.52 AM.png

      Screenshot 2023-06-22 at 8.44.19 AM.png

      Screenshot 2023-06-22 at 8.44.46 AM.png

      Make sure to upvote

      JonathanLee @JonathanLee (last edited by JonathanLee)

        @JonathanLee

        Example of occurrence

        Screenshot 2023-06-22 at 9.01.22 AM.png
        I log into pfSense and DNS-look up the address, and afterwards it resolves correctly with IPv4.

        With all these settings it still attempts IPv6 intermittently. Squid proxy, when the package starts, states that "Enable this to force DNS IPv4 lookup first" is obsolete.

        RobbieTT @JonathanLee

          @JonathanLee DNS name servers typically provide both an IPv4 and IPv6 address. When you try and stop IPv6 it can become a game of whack-a-mole.

          In your example you appear to have been served an IPv6 address from the IPv4 name servers that you have forwarded the query to. The lack of a route is what you should expect with your settings.

          I am unfamiliar with your proxy settings but unbound may have an option to only serve A records. The trouble is that there are sites out there that link directly to an actual IPv6 address, rather than a name to be resolved.

          ☕️

          JonathanLee @RobbieTT

            @RobbieTT
            I found this; it is already set:

            Enable IPv6, "yes" or "no".
            # do-ip6: yes

            Screenshot 2023-06-22 at 9.43.38 AM.png

               "do-ip6: <yes or no>
                      Enable or disable whether ip6 queries are answered or issued.
                      Default is yes. If disabled, queries are not answered on IPv6,
                      and queries are not sent on IPv6 to the internet nameservers.
                      With this option you can disable the IPv6 transport for sending
                      DNS traffic, it does not impact the contents of the DNS traffic,
                      which may have ip4 and ip6 addresses in it.

               prefer-ip4: <yes or no>
                      If enabled, prefer IPv4 transport for sending DNS queries to
                      internet nameservers. Default is no. Useful if the IPv6 netblock
                      the server has, the entire /64 of that is not owned by one
                      operator and the reputation of the netblock /64 is an issue, using
                      IPv4 then uses the IPv4 filters that the upstream servers have.

               prefer-ip6: <yes or no>
                      If enabled, prefer IPv6 transport for sending DNS queries to
                      internet nameservers. Default is no."
            

            ref:
            https://nlnetlabs.nl/documentation/unbound/unbound.conf/

              JonathanLee @JonathanLee (last edited by JonathanLee)

              @JonathanLee

              Testing this...

              prefer-ip4:yes
              prefer-ip6:no

              I can't enter it into the custom options, so I manually added it to /var/unbound/unbound.conf.

              I wish my ISP had IPv6 ready for me.

              Screenshot 2023-06-22 at 10.10.22 AM.png

              If I resave the DNS settings it auto-deletes this custom option. I can't add it in the GUI; it says syntax error.

                JonathanLee @JonathanLee

                @JonathanLee

                Screenshot 2023-06-22 at 10.14.40 AM.png

                  JonathanLee @JonathanLee

                  @JonathanLee did not work :( it deleted my config change.

                    JonathanLee @RobbieTT

                    @RobbieTT said in ISP only hands out IPv4 Issue:

                    "serve A records"

                    If you find anything, please let me know.

                      JonathanLee (last edited by JonathanLee)

                      I found the custom entry solution: the syntax must include server: first, similar to the log options.

                      Ref:
                      https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html

                      For log-queries you have to add server: first; it enables the custom options, it's like a keyword.

                      Screenshot 2023-06-22 at 10.35.17 AM.png

                      After it holds the settings

                      Screenshot 2023-06-22 at 10.38.24 AM.png

                        RobbieTT @JonathanLee

                        @JonathanLee I'd presume that the config file is read at launch and then becomes read-only when running.

                        ☕️

                          JonathanLee @RobbieTT

                          @RobbieTT I got it. I had to use the custom area, and I needed to add server: first to let me add any more lines after it, just like when you enable logging:

                          server:
                          log-queries: yes

                          Same needs server: first

                          so for me
                          server:
                          prefer-ip6: no
                          prefer-ip4: yes

                          Ref:
                          https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns-queries.html

                          https://nlnetlabs.nl/documentation/unbound/unbound.conf/

                            JonathanLee

                            I have also set dns resolver type to "type transport"

                                    typetransparent
                                         If there is a match from local data, the query is answered.
                                         If the query is for a different name, or for the same name
                                         but for a different type, the query is resolved normally.
                                         So, similar to transparent but types that are not listed in
                                         local data are resolved normally, so if an A record is in the
                                         local data that does not cause a nodata reply for AAAA
                                         queries.
                            

                            Ref:
                            https://nlnetlabs.nl/documentation/unbound/unbound.conf/

                              JonathanLee @JonathanLee (last edited by JonathanLee)

                              @JonathanLee

                              Seems to work now!!!!!

                              "dns64-ignore-aaaa: <domain name>
                              List domain for which the AAAA records are ignored and the A record is used by DNS64 processing instead. Can be entered multiple times, list a new domain for which it applies, one per line. Applies also to names underneath the name given."

                              Screenshot 2023-06-22 at 3.32.00 PM.png
                              (researching AAAA block)

                              ref:
                              https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html

                                smolka_J (last edited by smolka_J)

                                So far I have found the following to work best on my boxes to remove IPv6 as much as possible, resulting in better stability: Unbound no longer crashes or hangs unresponsive at random or when forced to perform IPv6 nslookups.

                                Unbound Custom options to remove all local and external domain AAAA responses in replies given to clients:

                                server:
                                do-ip4: yes
                                do-ip6: no
                                prefer-ip4: yes
                                prefer-ip6: no
                                private-address: 10.0.0.0/8
                                private-address: 172.16.0.0/12
                                private-address: 192.168.0.0/16
                                private-address: 169.254.0.0/16
                                private-address: ::ffff:0:0/96
                                private-address: fd00::/8
                                private-address: fe80::/10
                                private-address: ::/0
                                private-address: ::
                                local-zone: localhost.home.arpa transparent
                                local-data: "localhost.home.arpa A 127.0.0.1"
                                local-zone: localhost transparent
                                local-data: "localhost A 127.0.0.1"
                                local-zone: ip6.arpa redirect
                                local-data: "ip6.arpa A 0.0.0.0"
                                local-zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa redirect
                                local-data: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa A 0.0.0.0"
                                local-zone: "::/0" static
                                dns64-ignore-aaaa: *.*
                                do-not-query-address: ::
                                do-not-query-address: ::1
                                do-not-query-address: ::/0
                                

                                Shellcmds added to the Shellcmd package to load at boot, to unload any auto-created/started inet6 interfaces; add or relabel for any other interface names that show when running the console command ifconfig:

                                ifconfig lo0 inet6 ifdisabled
                                ifconfig igb0 inet6 ifdisabled
                                ifconfig igb1 inet6 ifdisabled
                                ifconfig ix0 inet6 ifdisabled
                                ifconfig lo0 inet6 fe80::1%lo0 delete
                                ifconfig lo0 inet6 ::1 delete
                                

                                These last two are system files; these adjustments aren't saved in config.xml, so until there is a patch or tick box added they would need to be re-applied after each system upgrade, but they do survive general reboots.
                                Edit /etc/inc/system.inc, search for 'localhost' around line 331 and comment out the ::1 IPv6 section of lines with /* at the beginning, a * for each following line and */ at the end:

                                /*
                                * $hosts[] = array(
                                * 'ipaddr' => '::1',
                                * 'fqdn' => 'localhost.' . $syscfg['domain'],
                                * 'name' => 'localhost',
                                * 'domain' => $syscfg['domain']
                                * );
                                */
                                

                                edit /etc/hosts.allow comment out line adding a #:

                                #ALL : [::1] : allow
                                
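As an added illustration (not code from the thread, from pfSense or from Unbound), this Python model reproduces how the local-zone types that appear in the thread (transparent, typetransparent, redirect and static) decide whether a query is answered from local-data, answered empty, or recursed upstream; zone names and addresses are constructed. It shows in particular that a typetransparent zone still sends an AAAA query upstream for a name that only has a local A record, which is the case the man page excerpt above describes.

```python
# Constructed zones modelled on the thread: a transparent localhost zone, a
# typetransparent LAN name, the ip6.arpa redirect, and a static block zone.
ZONES = {
    "localhost": "transparent",
    "lan.home.arpa": "typetransparent",
    "ip6.arpa": "redirect",
    "blocked.test": "static",
}
# local-data as (owner name, rrtype) -> rdata; sample values are constructed.
LOCAL_DATA = {
    ("localhost", "A"): "127.0.0.1",
    ("lan.home.arpa", "A"): "192.168.1.10",
    ("ip6.arpa", "A"): "0.0.0.0",
    ("blocked.test", "A"): "0.0.0.0",
}


def match_zone(name):
    """Longest-suffix match: the most specific configured zone wins."""
    hits = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None


def name_has_data(name):
    return any(owner == name for owner, _ in LOCAL_DATA)


def answer(qname, qtype):
    """Return ('LOCAL', rdata), ('NODATA', None), ('NXDOMAIN', None) or
    ('RESOLVE', None); RESOLVE means Unbound recurses upstream as normal."""
    name = qname.rstrip(".").lower()
    zone = match_zone(name)
    if zone is None:
        return ("RESOLVE", None)
    ztype = ZONES[zone]
    if ztype == "redirect":
        # The zone apex data answers every name at or below the zone.
        rdata = LOCAL_DATA.get((zone, qtype))
        return ("LOCAL", rdata) if rdata else ("NODATA", None)
    rdata = LOCAL_DATA.get((name, qtype))
    if rdata:
        return ("LOCAL", rdata)
    if ztype == "typetransparent":
        # Same name, other type (an AAAA next to a local A) still recurses.
        return ("RESOLVE", None)
    if ztype == "transparent":
        return ("NODATA", None) if name_has_data(name) else ("RESOLVE", None)
    if ztype == "static":
        return ("NODATA", None) if name_has_data(name) else ("NXDOMAIN", None)
    raise ValueError("unsupported local-zone type: " + ztype)
```

Run answer("lan.home.arpa", "AAAA") to see that the typetransparent setting alone does not suppress AAAA answers; only a transparent or static zone with a local A record returns nodata for the AAAA type.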
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.