
Re: 9.2 DNS Confusion




On 26/11/2017 at 14:23, Simon Slaytor wrote:

Today I Wiresharked the network and I can see what's happening now.

When I do a plain ping www.apple.com the resolver is sending 2x requests to the FW's DNS proxy, the first for an IPv4 A record and the 2nd for an IPv6 AAAA record!

You sound surprised. That was obvious though.

Note: In previous versions up to Jessie, ping was IPv4 only and there was a separate ping6 executable for IPv6. Since Stretch, ping and ping6 are now the same executable which is able to do both IPv4 and IPv6. When invoked as ping4 or with -4, it does IPv4 only. By default, it behaves as most IPv6-capable programs do, asking the resolver for IPv4 and IPv6 addresses of the target name.

When I specify the -4 flag in PING the resolver sends only 1x request which is for the IPv4 A record.

It would seem that the DNS Proxy on my SSG's (SSG140 ScOS 6.3r24) doesn't like the AAAA request (rightly so I guess as IPv6 is not enabled anywhere!) and returns nothing at all when this request is made.

Not rightly. Your DNS proxy is broken. The ability to properly process DNS queries for AAAA records has nothing to do with IPv6 connectivity.

So my question changes to 'How do I get the resolver to NOT send the AAAA request, simply disabling IPv6 on the box does not prevent this behaviour?'

How did you disable IPv6 on the box?
I did so by appending ipv6.disable=1 to the kernel command line, and it actually prevented the resolver from sending DNS queries for AAAA records.

This setting totally disables IPv6 features in the kernel and is not recommended because it can break some programs which rely on the kernel IPv6 features, even though IPv6 connectivity is not available. The recommended setting is ipv6.disable_ipv6=1 which disables IPv6 on network interfaces but still enables IPv6 features in the kernel. However, according to my tests, it does not prevent the resolver from sending DNS queries for AAAA records.

I have not tested it because I do not have a broken DNS server, but there are a couple of options in /etc/resolv.conf which may help work around your DNS proxy brokenness.
See man resolv.conf about single-request and single-request-reopen.

Or you can just use ping -4 or ping4 as you know you don't have any IPv6 connectivity.

From: "Dan Ritter" <dsr@xxxxxxxxxxxxxxxx>
To: "Simon Slaytor" <simon@xxxxxxxxxxx>
Cc: debian-user@xxxxxxxxxxxxxxxx
Sent: 17/11/2017 16:39:57
Subject: Re: 9.2 DNS Confusion

You can effectively disable IPv6 on a Debian box by editing
/etc/gai.conf and uncommenting the line:

precedence ::ffff:0:0/96  100

No, this is far from disabling IPv6. It just gives precedence to IPv4 addresses over IPv6 addresses. But the resolver still does AAAA record lookups and IPv6 addresses are used when no IPv4 address is returned.
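The thread hinges on one claim: a DNS proxy that answers A queries but returns nothing at all for AAAA queries is broken, because a name with no IPv6 address should still get a NOERROR reply with zero answers (or NXDOMAIN if the name does not exist). The following script is an added example, not code from the thread or from any of its participants. It builds raw A and AAAA queries (RFC 1035 wire format), sends each to a server you name on the command line, and classifies what comes back, so you can test a suspect proxy directly instead of inferring its behaviour from ping and Wireshark. The server address and the hostname are arguments you supply; nothing here is a real address from the thread.

```python
#!/usr/bin/env python3
"""Probe a DNS server for its handling of A versus AAAA queries.

Added example for the debian-user thread "9.2 DNS Confusion"; not part of
the original posts. Usage: probe_dns.py <server-ip> <hostname>
"""
import random
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype, txid=None):
    """Return a minimal DNS query: 12-byte header, one IN question, RD set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data, pos):
    """Decode a (possibly compressed) domain name; return (name, next_pos)."""
    labels = []
    while True:
        length = data[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
            suffix, _ = _read_name(data, ptr)
            labels.append(suffix)
            return ".".join(labels), pos + 2
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def parse_message(data):
    """Parse header and first question of a DNS message into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, pos = _read_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
        "qname": qname,
        "qtype": qtype,
    }


def classify(query, reply):
    """Describe a server's reply to `query`; reply is None on timeout."""
    if reply is None:
        return "no response"  # the behaviour the thread attributes to the SSG proxy
    q, r = parse_message(query), parse_message(reply)
    if not r["is_response"] or r["txid"] != q["txid"]:
        return "unrelated message"
    name = RCODE_NAMES.get(r["rcode"], "RCODE%d" % r["rcode"])
    return "%s, %d answers" % (name, r["ancount"])


def probe(server, name, qtype, timeout=2.0):
    """Send one UDP query to server:53 and return its classification."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(query, reply)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <server-ip> <hostname>\n" % argv[0])
        return 2
    server, name = argv[1], argv[2]
    for label, qtype in (("A", QTYPE_A), ("AAAA", QTYPE_AAAA)):
        print("%-4s %s" % (label, probe(server, name, qtype)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A healthy resolver answers both lines; for a dual-stack name you see "NOERROR, n answers" twice, and for an IPv4-only name the AAAA line reads "NOERROR, 0 answers". "no response" on the AAAA line while A is answered is exactly the proxy defect discussed above, and the client-side knobs mentioned in the thread (ping -4, or single-request / single-request-reopen in resolv.conf) only paper over it.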