Re: 9.2 DNS Confusion
- Date: Sun, 26 Nov 2017 15:17:26 +0000
- From: "Simon Slaytor" <simon@xxxxxxxxxxx>
- Subject: Re: 9.2 DNS Confusion
Surprised, no not really.
Broken DNS, yes as I say not assigning blame anywhere but yes it's the
Juniper and given I can do squat about that let's move on to another
Gai.conf, didn't suggest this did disable IPv6, I just replied to a
suggestion by another. I've used various ways to disable IPv6; the GRUB
amendment you mention is one, resolver issue appeared to still exist for
me but I will check.
Forcing IPv4 is all well and good but not a workable solution on an app
by app basis, docker is being a pita for example.
I'm chasing the juniper bunch for a solution in case there's a magic
button, but I doubt it.
Centos 7 does not exhibit this behaviour so it does seem to be Debian.
Cheers for the response
------ Original Message ------
From: "Pascal Hambourg" <pascal@xxxxxxxxxxxxxxx>
Sent: 26/11/2017 15:07:52
Subject: Re: 9.2 DNS Confusion
On 26/11/2017 at 14:23, Simon Slaytor wrote:
> Today I Wiresharked the network and I can see what's happening now.
> When I do a plain ping www.apple.com the resolver is sending 2x
> requests to the FW's DNS proxy, the first for an IPv4 A record and the
> 2nd for an IPv6 AAAA record!
You sound surprised. That was obvious though.
Note: In previous versions up to Jessie, ping was IPv4 only and there
was a separate ping6 executable for IPv6. Since Stretch, ping and ping6
are now the same executable which is able to do both IPv4 and IPv6.
When invoked as ping4 or with -4, it does IPv4 only. By default, it
behaves as most IPv6-capable programs do, asking the resolver for IPv4
and IPv6 addresses of the target name.
> When I specify the -4 flag in PING the resolver sends only 1x request
> which is for the IPv4 A record.
> It would seem that the DNS Proxy on my SSG's (SSG140 ScOS 6.3r24)
> doesn't like the AAAA request (rightly so I guess as IPv6 is not
> enabled anywhere!) and returns nothing at all when this request is
Not rightly. Your DNS proxy is broken. The ability to properly process
DNS queries for AAAA records has nothing to do with IPv6 connectivity.
> So my question changes to 'How do I get the resolver to NOT send the
> AAAA request, simply disabling IPv6 on the box does not prevent this
How did you disable IPv6 on the box?
I did so by appending ipv6.disable=1 to the kernel command line, and it
actually prevented the resolver from sending DNS queries for AAAA records.
This setting totally disables IPv6 features in the kernel and is not
recommended because it can break some programs which rely on the kernel
IPv6 features, even though IPv6 connectivity is not available. The
recommended setting is ipv6.disable_ipv6=1 which disables IPv6 on
network interfaces but still enables IPv6 features in the kernel.
However, according to my tests, it does not prevent the resolver from
sending DNS queries for AAAA records.
I have not tested it because I do not have a broken DNS server, but
there are a couple of options in /etc/resolv.conf which may help
work around your DNS proxy brokenness.
See man resolv.conf about single-request and single-request-reopen.
Or you can just use ping -4 or ping4 as you know you don't have any
> From: "Dan Ritter" <dsr@xxxxxxxxxxxxxxxx>
> To: "Simon Slaytor" <simon@xxxxxxxxxxx>
> Sent: 17/11/2017 16:39:57
> Subject: Re: 9.2 DNS Confusion
> You can effectively disable IPv6 on a Debian box by editing
> /etc/gai.conf and uncommenting the line:
> precedence ::ffff:0:0/96 100
No, this is far from disabling IPv6. It just gives precedence to IPv4
addresses over IPv6 addresses. But the resolver still does AAAA record
lookups and IPv6 addresses are used when no IPv4 address is returned.
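As an added illustration (not code from this thread), a small Python script that reconstructs what the Wireshark capture above shows: the two parallel A and AAAA queries the resolver sends for one name, and a check that pairs queries with responses by transaction id so that a proxy silently dropping AAAA queries shows up as an unanswered query. All packet bytes are constructed inline, and the proxy reply is a constructed stand-in for a real answer.

```python
import struct

A, AAAA = 1, 28  # DNS QTYPE values for IPv4 and IPv6 address records

def build_query(name, qtype, txid):
    """Build a minimal DNS query (header + one question) in wire format, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def build_response(query):
    """Constructed stand-in for a proxy reply: echo the question with QR and RA set, no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:]

def parse_question(pkt):
    """Return transaction id, whether the packet is a response, and the question name/type."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    qtype = struct.unpack("!H", pkt[pos + 1:pos + 3])[0]
    return {"id": txid, "response": bool(flags & 0x8000), "name": ".".join(labels), "qtype": qtype}

def unanswered_queries(packets):
    """Pair queries with responses by transaction id; return (name, qtype) of queries never answered."""
    pending = {}
    for pkt in packets:
        q = parse_question(pkt)
        if q["response"]:
            pending.pop(q["id"], None)
        else:
            pending[q["id"]] = (q["name"], q["qtype"])
    return list(pending.values())

# Constructed capture: the two parallel queries a default `ping www.apple.com` produces,
# followed by the proxy answering only the A query (the AAAA query gets nothing back).
CAPTURE = [
    build_query("www.apple.com", A, 0x1A2B),
    build_query("www.apple.com", AAAA, 0x1A2C),
    build_response(build_query("www.apple.com", A, 0x1A2B)),
]

if __name__ == "__main__":
    for name, qtype in unanswered_queries(CAPTURE):
        print(f"no response for {name} {'AAAA' if qtype == AAAA else 'A'} query")
```

Run against a real capture, a steady stream of unanswered AAAA queries alongside answered A queries is the signature of the proxy behaviour described above, and is what the resolv.conf single-request options only time out on rather than fix.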