Re: 9.2 DNS Confusion
- Date: Sun, 26 Nov 2017 16:07:52 +0100
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
- Subject: Re: 9.2 DNS Confusion
Le 26/11/2017 à 14:23, Simon Slaytor a écrit :
Today I Wiresharked the network and I can what's happening now.
When I don a plain ping www.apple.com the resolver is sending 2x
requests to the FW's DNS proxy the first for an IPv4 A record and the
2nd for an IPv6 AAAA record!
You sound surprised. That was obvious though.
Note : In previous versions up to Jessie, ping was IPv4 only and there
was a separate ping6 executable for IPv6. Since Stretch, ping and ping6
are now the same executable which is able to do both IPv4 and IPv6. When
invoked as ping4 or with -4, it does IPv4 only. By default, it behaves
as most IPv6-capable programs do, asking the resolver for IPv4 and IPv6
addresses of the target name.
When I specify the -4 flag in PING the resolver sends only 1x request
which is for the IPv4 A record.
It would seem that the DNS Proxy on my SSG's (SSG140 ScOS 6.3r24)
doesn't like the AAAA request (rightly so I guess as IPv6 is not enabled
anywhere!) and returns nothing at all when this request is made.
Not rightly. Your DNS proxy is broken. The ability to properly process
DNS queries for AAAA records has nothing to do with IPv6 connectivity.
So my question changes to 'How do I get the resolver to NOT send the
AAAA request, simply disabling IPv6 on the box does not prevent this
How did you disable IPv6 on the box ?
I did so by appending ipv6.disable=1 to the kernel command line, and it
actually prevented the resolver to send DNS queries for AAAA records.
This setting totally disables IPv6 features in the kernel and is not
recommended because it can break some programs which rely on the kernel
IPv6 features, even though IPv6 connectivity is not available. The
recommended setting is ipv6.disable_ipv6=1 which disable IPv6 on network
interfaces but still enables IPv6 features in the kernel. However,
according to my tests, it does not prevent the resolver to send DNS
queries for AAAA records.
I have not tested it because I do not have a broken DNS server, but
there are a couple of options in /etc/resolv.conf which may help
workaround your DNS proxy brokenness.
See man resolv.conf about single-request and single-request-reopen.
Or you can just use ping -4 or ping4 as you know you don't have any IPv6
From: "Dan Ritter" <dsr@xxxxxxxxxxxxxxxx>
To: "Simon Slaytor" <simon@xxxxxxxxxxx>
Sent: 17/11/2017 16:39:57
Subject: Re: 9.2 DNS Confusion
You can effectively disable IPv6 on a Debian box by editing
/etc/gai.conf and uncommenting the line:
precedence ::ffff:0:0/96 100
No, this is far from disabling IPv6. It just gives precedence to IPv4
addresses over IPv6 addresses. But the resolver still does AAAA record
lookups and IPv6 addresses are used when no IPv4 address is returned.