[opensuse] Ipv6 and dns - openSUSE Users - openSUSE Mailing Lists

newer
[opensuse] Serial ports on...

[opensuse] Ipv6 and dns

older
[opensuse] YaST fails online...

Carlos E. R.

28 May 2012 28 May '12

20:36

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I have a local dns server (bind 9), and I wonder if there is some setting so that it doesn't do any IPv6 query to outside. Would that be AAAA records? Perhaps is it possible to block such queries in the firewall? - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) iEYEARECAAYFAk/DxZwACgkQtTMYHG2NR9W0cwCdFIFAcFmuDNKxDHz2Kolck2+3 BsIAnil9bBShX8UMTGxPTX9fcjkY5Pl1 =/R+K -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Show replies by date

James Knott

28 May 28 May

20:39

Carlos E. R. wrote:

I have a local dns server (bind 9), and I wonder if there is some setting so that it doesn't do any IPv6 query to outside. Would that be AAAA records? Perhaps is it possible to block such queries in the firewall?

I don't know about bind, but I doubt you could filter it at the firewall, as you'd then have to filter all DNS requests. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

29 May 29 May

08:22

James Knott wrote:

Carlos E. R. wrote:

...
I have a local dns server (bind 9), and I wonder if there is some setting so that it doesn't do any IPv6 query to outside. Would that be AAAA records? Perhaps is it possible to block such queries in the firewall?

I don't know about bind, but I doubt you could filter it at the firewall, as you'd then have to filter all DNS requests.

Not necessarily - iptables has content inspection, so it might be possible to identify individual AAAA queries. The question is if dropping such queries wouldn't just mean longer processing time? -- Per Jessen, Zürich (17.3°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carl Hartung

15:43

On Tue, 29 May 2012 08:22:54 +0200 Per Jessen wrote:

James Knott wrote:

...
Carlos E. R. wrote:

...
I have a local dns server (bind 9), and I wonder if there is some setting so that it doesn't do any IPv6 query to outside. Would that be AAAA records? Perhaps is it possible to block such queries in the firewall?

I don't know about bind, but I doubt you could filter it at the firewall, as you'd then have to filter all DNS requests.

Not necessarily - iptables has content inspection, so it might be possible to identify individual AAAA queries. The question is if dropping such queries wouldn't just mean longer processing time?

At the risk of pointing out the obvious and unintentionally insulting someone, in this case I'd recommend the 'BIND 9 Administrator Reference Manual' from Internet Systems Consortium, available at this page on their site under 'Reference and FAQ'. There is also a 'new KnowledgeBase' available linked from this page: http://www.isc.org/software/bind/documentation I'm not sure I exactly understand your requirement, Carlos, but if it can be done, the BIND 9 ARM is the penultimate named.conf 'cook book' :-) hth & regards, Carl -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

16:59

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-29 15:43, Carl Hartung wrote:

At the risk of pointing out the obvious and unintentionally insulting someone, in this case I'd recommend the 'BIND 9 Administrator Reference Manual' from Internet Systems Consortium, available at this page on their site under 'Reference and FAQ'. There is also a 'new KnowledgeBase' available linked from this page:

http://www.isc.org/software/bind/documentation

I'm not sure I exactly understand your requirement, Carlos, but if it can be done, the BIND 9 ARM is the penultimate named.conf 'cook book' :-)

But the point of posting here is that perhaps somebody already knows how to do it, and not force me to study that documentation in depth and become a bind expert. What I did was search for the word ipv6 in the documentation included with named, which includes the FAQ. I also searched for ipv6 in the link you posted, and nothing comes to light close to my requirement. What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/E5EoACgkQIvFNjefEBxor8gCfacnCwgbtZK0ohjH477/SWeRW gB4AniCmdGQ8rc6nwLLiBNdO5xs8p5xA =BWIA -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

17:46

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-29 15:43, Carl Hartung wrote:

...
At the risk of pointing out the obvious and unintentionally insulting someone, in this case I'd recommend the 'BIND 9 Administrator Reference Manual' from Internet Systems Consortium, available at this page on their site under 'Reference and FAQ'. There is also a 'new KnowledgeBase' available linked from this page:

http://www.isc.org/software/bind/documentation

I'm not sure I exactly understand your requirement, Carlos, but if it can be done, the BIND 9 ARM is the penultimate named.conf 'cook book' :-)

But the point of posting here is that perhaps somebody already knows how to do it, and not force me to study that documentation in depth and become a bind expert. What I did was search for the word ipv6 in the documentation included with named, which includes the FAQ. I also searched for ipv6 in the link you posted, and nothing comes to light close to my requirement.

What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what.

Yes, that is understood - I haven't got the bind9 admin manual memorized word for word, but I don't recall ever seeing anything that would allow one to suppress a reply or ignore a query based on the type/contents. Personally I doubt if anyone happens to know how to do it - it is a highly unusual request. -- Per Jessen, Zürich (24.9°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carl Hartung

17:46

On Tue, 29 May 2012 16:59:22 +0200 "Carlos E. R." wrote: <snipped>

What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what.

Got it now, thanks! :-) Edit named.conf, change "any" to "none" for item 'listen-on-v6 port 53': options { listen-on port 53 { any; }; - - - - - 8< - - - - - listen-on-v6 port 53 { none; - - - - - 8< - - - - - }; restart bind -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

17:52

Carl Hartung wrote:

On Tue, 29 May 2012 16:59:22 +0200 "Carlos E. R." wrote:

<snipped>

...
What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what.

Got it now, thanks! :-)

Edit named.conf, change "any" to "none" for item 'listen-on-v6 port 53':

options { listen-on port 53 { any; }; - - - - - 8< - - - - - listen-on-v6 port 53 { none; - - - - - 8< - - - - - };

restart bind

That doesn't do it, unfortunately. That only controls if bind should receive queries from IPv6 networks, not whether it should not return AAAA records. -- Per Jessen, Zürich (25.5°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carl Hartung

18:48

On Tue, 29 May 2012 17:52:15 +0200 Per Jessen wrote:

Carl Hartung wrote:

...
On Tue, 29 May 2012 16:59:22 +0200 "Carlos E. R." wrote:

<snipped>

...
What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what.

Got it now, thanks! :-)

Edit named.conf, change "any" to "none" for item 'listen-on-v6 port 53':

options { listen-on port 53 { any; }; - - - - - 8< - - - - - listen-on-v6 port 53 { none; - - - - - 8< - - - - - };

restart bind

That doesn't do it, unfortunately. That only controls if bind should receive queries from IPv6 networks, not whether it should not return AAAA records.

Pardon my denseness and I'm certainly not an expert, but doesn't restricting the server to operating in 'IPv4 only' mode cause it to only return IPv4 addresses? How can it return IPv6 responses via port 53 in the IPv4 address space (without tunneling)? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

19:33

Carl Hartung wrote:

On Tue, 29 May 2012 17:52:15 +0200 Per Jessen wrote:

...
Carl Hartung wrote:

...
On Tue, 29 May 2012 16:59:22 +0200 "Carlos E. R." wrote:

<snipped>

...
What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what.

Got it now, thanks! :-)

Edit named.conf, change "any" to "none" for item 'listen-on-v6 port 53':

options { listen-on port 53 { any; }; - - - - - 8< - - - - - listen-on-v6 port 53 { none; - - - - - 8< - - - - - };

restart bind

That doesn't do it, unfortunately. That only controls if bind should receive queries from IPv6 networks, not whether it should not return AAAA records.

Pardon my denseness and I'm certainly not an expert, but doesn't restricting the server to operating in 'IPv4 only' mode cause it to only return IPv4 addresses? How can it return IPv6 responses via port 53 in the IPv4 address space (without tunneling)?

We're not talking about responses going over IPv6, but about responses with AAAA DNS records (which happen to be IPv6 addresses). The actual communication might happen over IPv4, -5 or -6 or even carrier pigeon (RFC1149). :-) -- Per Jessen, Zürich (23.6°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carl Hartung

20:24

On Tue, 29 May 2012 19:33:59 +0200 Per Jessen wrote:

Carl Hartung wrote:

...
On Tue, 29 May 2012 17:52:15 +0200 Per Jessen wrote:

...
Carl Hartung wrote:

...
On Tue, 29 May 2012 16:59:22 +0200 "Carlos E. R." wrote:

<snipped>

...
What I want is simply that when something searches for an address, the answer should not include an IPv6 address, no matter what.

Got it now, thanks! :-)

Edit named.conf, change "any" to "none" for item 'listen-on-v6 port 53':

options { listen-on port 53 { any; }; - - - - - 8< - - - - - listen-on-v6 port 53 { none; - - - - - 8< - - - - - };

restart bind

That doesn't do it, unfortunately. That only controls if bind should receive queries from IPv6 networks, not whether it should not return AAAA records.

Pardon my denseness and I'm certainly not an expert, but doesn't restricting the server to operating in 'IPv4 only' mode cause it to only return IPv4 addresses? How can it return IPv6 responses via port 53 in the IPv4 address space (without tunneling)?

We're not talking about responses going over IPv6, but about responses with AAAA DNS records (which happen to be IPv6 addresses). The actual communication might happen over IPv4, -5 or -6 or even carrier pigeon (RFC1149). :-)

I get this part, Per. I really do - at least I /thought/ I did. This explains why, when I run a query via cli from my IPv4 network, I get back a listing containing both addresses (if the IPv6 address exists.) But that's a diagnostic procedure, right? It isn't an exact replacement for the 'live' transaction that occurs between, say, a browser on an IPv4 network and a DNS server configured for, and residing on, an IPv6 network, right? IOW, in everyday operation, if a request arrives at an IPv6 enabled server on IPv4 port 53, the fact that it arrives at the IPv4 address results in the IPv4 address, alone, being returned - the rational being it is presumed that the client is unable to use the IPv6 address. Am I way out past left field here today? :-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

21:33

Carl Hartung wrote:

On Tue, 29 May 2012 19:33:59 +0200 Per Jessen wrote:

[snip]

...
We're not talking about responses going over IPv6, but about responses with AAAA DNS records (which happen to be IPv6 addresses). The actual communication might happen over IPv4, -5 or -6 or even carrier pigeon (RFC1149). :-)

I get this part, Per. I really do - at least I /thought/ I did. This explains why, when I run a query via cli from my IPv4 network, I get back a listing containing both addresses (if the IPv6 address exists.)

Exactly.

But that's a diagnostic procedure, right?

Nope.

It isn't an exact replacement for the 'live' transaction that occurs between, say, a browser on an IPv4 network and a DNS server configured for, and residing on, an IPv6 network, right? IOW, in everyday operation, if a request arrives at an IPv6 enabled server on IPv4 port 53, the fact that it arrives at the IPv4 address results in the IPv4 address, alone, being returned - the rational being it is presumed that the client is unable to use the IPv6 address.

Am I way out past left field here today? :-)

Yeah ... how a DNS query arrives will at most determine how the response will be sent back. Whether a DNS query arrives via IPv4 or IPv6 does not in any way determine what the response contains. -- Per Jessen, Zürich (19.6°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carl Hartung

21:49

On Tue, 29 May 2012 21:33:13 +0200 Per Jessen wrote:

Carl Hartung wrote:

...
On Tue, 29 May 2012 19:33:59 +0200 Per Jessen wrote:

[snip]

...
...
We're not talking about responses going over IPv6, but about responses with AAAA DNS records (which happen to be IPv6 addresses). The actual communication might happen over IPv4, -5 or -6 or even carrier pigeon (RFC1149). :-)

I get this part, Per. I really do - at least I /thought/ I did. This explains why, when I run a query via cli from my IPv4 network, I get back a listing containing both addresses (if the IPv6 address exists.)

Exactly.

...
But that's a diagnostic procedure, right?

Nope.

...
It isn't an exact replacement for the 'live' transaction that occurs between, say, a browser on an IPv4 network and a DNS server configured for, and residing on, an IPv6 network, right? IOW, in everyday operation, if a request arrives at an IPv6 enabled server on IPv4 port 53, the fact that it arrives at the IPv4 address results in the IPv4 address, alone, being returned - the rational being it is presumed that the client is unable to use the IPv6 address.

Am I way out past left field here today? :-)

Yeah ... how a DNS query arrives will at most determine how the response will be sent back. Whether a DNS query arrives via IPv4 or IPv6 does not in any way determine what the response contains.

So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!) Thanks for the clarification ;-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

22:29

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-29 21:49, Carl Hartung wrote:

On Tue, 29 May 2012 21:33:13 +0200 Per Jessen <> wrote:

Thanks for all the responses, first thing .-)

...
Yeah ... how a DNS query arrives will at most determine how the response will be sent back. Whether a DNS query arrives via IPv4 or IPv6 does not in any way determine what the response contains.

So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!) Thanks for the clarification ;-)

The problem is this: cer@Telcontar:~> host download.opensuse.org download.opensuse.org has address 195.135.221.134 download.opensuse.org has IPv6 address 2001:67c:2178:8::13 cer@Telcontar:~> Now look at this message from the kernel when booting and setting up the network: <0.7> 2012-05-26 14:27:40 Telcontar kernel - - - [ 266.098003] eth0: no IPv6 routers present Nevertheless, if the IPv6 address fails, programs attempt to send IPv6 over internet, even though there is no IPv6 router, only same segment transport. One method of avoiding these connectivity problems would be to somehow not getting the IPv6 address in DNS queries, somehow. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/FMaYACgkQIvFNjefEBxqMvwCghP88uNRuSriNrweFIUYWYCms P/EAoIPZMv5WOJBld39CNsIlnoYM2Y00 =UQS0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

30 May 30 May

12:26

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-29 22:29, Carlos E. R. wrote:

The problem is this:

...

Now look at this message from the kernel when booting and setting up the network:

<0.7> 2012-05-26 14:27:40 Telcontar kernel - - - [ 266.098003] eth0: no IPv6 routers present

Why, if the kernel knows it is impossible to route IPv6 addresses, why does it still send them? That message should be enough to disable internet IPv6. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/F9ewACgkQIvFNjefEBxoe5wCg2SNn/s4PYwKEO6wIKadzegEV yG0AoIsJNdCgyNKC6QIV6ofO7Yaqhkid =2ZDE -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

12:47

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-29 22:29, Carlos E. R. wrote:

...
The problem is this:

...

...
Now look at this message from the kernel when booting and setting up the network:

<0.7> 2012-05-26 14:27:40 Telcontar kernel - - - [ 266.098003] eth0: no IPv6 routers present

Why, if the kernel knows it is impossible to route IPv6 addresses, why does it still send them? That message should be enough to disable internet IPv6.

I guess it's not the kernel, but an application that tries. Also, lack of a default route could be just a temporary issue. -- Per Jessen, Zürich (22.3°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

12:51

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-30 12:47, Per Jessen wrote:

Carlos E. R. wrote:

I guess it's not the kernel, but an application that tries. Also, lack of a default route could be just a temporary issue.

Well, the kernel should say "no" immediately, till it knows that there is a route. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/F+5UACgkQIvFNjefEBxrTeACfdopBc8R/UKP+v1y2JPd0gRkI 9twAn0XzMoR/X6MnGdziQD390Rq4lzbf =ecNU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

13:43

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-30 12:47, Per Jessen wrote:

...
Carlos E. R. wrote:

...
I guess it's not the kernel, but an application that tries. Also, lack of a default route could be just a temporary issue.

Well, the kernel should say "no" immediately, till it knows that there is a route.

You could try openeing a bugreport/enhancement request - my personal feeling is that it is working as designed. After all, networking doesn't shut down just because there is no external route. -- Per Jessen, Zürich (23.6°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

13:51

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-30 13:43, Per Jessen wrote:

Carlos E. R. wrote:

...
Well, the kernel should say "no" immediately, till it knows that there is a route.

You could try openeing a bugreport/enhancement request - my personal feeling is that it is working as designed. After all, networking doesn't shut down just because there is no external route.

I think you get immediately a response "no route to host". - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/GCbwACgkQIvFNjefEBxrh6wCgr6pE7PdWa3BVR7oIeVAAWBvK uZwAniE8BwIVsRoP+fuFOyes6cZ7Atw1 =p7cq -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

15:49

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

Per Jessen wrote:

Carlos E. R. wrote:

...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-30 12:47, Per Jessen wrote:

...
Carlos E. R. wrote: I guess it's not the kernel, but an application that tries. Also, lack of a default route could be just a temporary issue. Well, the kernel should say "no" immediately, till it knows that there is a route. You could try openeing a bugreport/enhancement request - my personal feeling is that it is working as designed. After all, networking doesn't shut down just because there is no external route.

Quite so. Every IPv6 capable device has a link local address that can be used for communication within the local LAN. For example, when you use a router, you use it's link local address. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

16:01

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-30 15:49, James Knott wrote:

Per Jessen wrote:

...
Carlos E. R. wrote:

...
...
...
I guess it's not the kernel, but an application that tries. Also, lack of a default route could be just a temporary issue. Well, the kernel should say "no" immediately, till it knows that there is a route. You could try openeing a bugreport/enhancement request - my personal feeling is that it is working as designed. After all, networking doesn't shut down just because there is no external route.

Quite so. Every IPv6 capable device has a link local address that can be used for communication within the local LAN. For example, when you use a router, you use it's link local address.

I understand that local addresses are accessible. But how about internet addresses, should they be considered accessible without an IPv6 capable router? - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/GKEAACgkQIvFNjefEBxr7kgCff/9OzTBx3M5618HAsyK0vohV 48IAoMJEI1ooNJ5Gym2h9sU9oGtCAIz7 =mho7 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

16:09

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

Carlos E. R. wrote:

...
Quite so. Every IPv6 capable device has a link local address that can

...
be used for communication within the local LAN. For example, when you use a router, you use it's link local address. I understand that local addresses are accessible. But how about internet addresses, should they be considered accessible without an IPv6 capable router?

I don't know the details, but the IP stack should be able to recogize what's reachable and what's not. I don't seem to have a problem with the apps I use. As I mentioned in an earlier note, my firewall resolv.conf contains 2 IPv6 DNS server addresses and 1 IPv4. The main reason I have the IPv4 one is that the 6in4 tunnel software needs to use a DNS to start up and find the tunnel broker. If I had only IPv6 DNS servers available, it would never work. So, the tunnel software manages to get past those 2 IPv6 addresses and reach the IPv4 DNS. Other apps, such as browsers and email likewise have no problem working regardless of whether or not IPv6 is available. Perhaps the problem is within that app that you're having problems with. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

14:32

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

Carlos E. R. wrote:

...
Now look at this message from the kernel when booting and setting up

...
the network:

<0.7> 2012-05-26 14:27:40 Telcontar kernel - - - [ 266.098003] eth0: no IPv6 routers present Why, if the kernel knows it is impossible to route IPv6 addresses, why does it still send them? That message should be enough to disable internet IPv6.

-

It is entirely possible to use IPv6 without routing IPv6 addresses. Link local addresses (the ones that start with FE80) can be used on the local network. They're also used for forwarding through a router. For example, here's my IPv6 default route: default via fe80::202:a5ff:fe7b:d908. Also, the Windows "Home Group" uses only IPv6, regardless of whether there's IPv6 routing. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

14:36

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-30 14:32, James Knott wrote:

Carlos E. R. wrote:

...
...
Now look at this message from the kernel when booting and setting up

...
the network:

...
<0.7> 2012-05-26 14:27:40 Telcontar kernel - - - [ 266.098003] eth0: no IPv6 routers present Why, if the kernel knows it is impossible to route IPv6 addresses, why does it still send them? That message should be enough to disable internet IPv6.

-

It is entirely possible to use IPv6 without routing IPv6 addresses. Link local addresses (the ones that start with FE80) can be used on the local network. They're also used for forwarding through a router. For example, here's my IPv6 default route: default via fe80::202:a5ff:fe7b:d908. Also, the Windows "Home Group" uses only IPv6, regardless of whether there's IPv6 routing.

For local addresses, I understand. But internet addresses are not accessible, no? - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/GFGgACgkQIvFNjefEBxoNXACfV9yKVbmCosIR6wechUlp4yKs 3d4An3ovlYZq7/jD02eYfIyEUuiTuKnA =0d0R -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

16:02

New subject: Why does the kernel use IPv6 when there is no routing [Was: Re: [opensuse] Ipv6 and dns]

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-30 14:32, James Knott wrote:

...
...
...
Now look at this message from the kernel when booting and setting up

...
the network:

...
<0.7> 2012-05-26 14:27:40 Telcontar kernel - - - [ 266.098003] eth0: no IPv6 routers present Why, if the kernel knows it is impossible to route IPv6 addresses, why does it still send them? That message should be enough to disable internet IPv6.

- It is entirely possible to use IPv6 without routing IPv6 addresses. Link local addresses (the ones that start with FE80) can be used on

Carlos E. R. wrote: the local network. They're also used for forwarding through a router. For example, here's my IPv6 default route: default via fe80::202:a5ff:fe7b:d908. Also, the Windows "Home Group" uses only IPv6, regardless of whether there's IPv6 routing. For local addresses, I understand. But internet addresses are not accessible, no?

What if the failure is only temporary? Should an app stop trying forever, because a route wasn't reachable? The proper method is to recognize the failure and move on. IPv6 is coming and dual stack will be common for years to come. Applications had better be able to deal with that fact. Also, Linux has had IPv6 support for years. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

29 May 29 May

22:54

Carl Hartung wrote:

So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!)

How is the server to know whether the requester can use IPv6 addresses? As I mentioned in another note, DNS requests on my local network can be either IPv4 or IPv6, but all computers can access IPv6 sites. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carl Hartung

30 May 30 May

00:37

On Tue, 29 May 2012 16:54:36 -0400 James Knott wrote:

Carl Hartung wrote:

...
So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!)

How is the server to know whether the requester can use IPv6 addresses?

An IPv6 capable requester will use the DNS server's IPv6 address. Any requester directing it's inquiries to the server's IPv4 address could be presumed incapable of using IPv6.

As I mentioned in another note, DNS requests on my local network can be either IPv4 or IPv6, but all computers can access IPv6 sites.

Doesn't this just mean that your network has built-in backwards compatibility so it can support legacy 'IPv4 only' systems? Certainly it doesn't mean that your IPv6 systems are pestering the DNS server on it's IPv4 address? :-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

01:47

Carl Hartung wrote:

On Tue, 29 May 2012 16:54:36 -0400 James Knott wrote:

...
...
So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!) How is the server to know whether the requester can use IPv6 addresses? An IPv6 capable requester will use the DNS server's IPv6 address. Any requester directing it's inquiries to the server's IPv4 address could be

Carl Hartung wrote: presumed incapable of using IPv6.

...
As I mentioned in another note, DNS requests on my local network can be either IPv4 or IPv6, but all computers can access IPv6 sites. Doesn't this just mean that your network has built-in backwards compatibility so it can support legacy 'IPv4 only' systems? Certainly it doesn't mean that your IPv6 systems are pestering the DNS server on it's IPv4 address? :-)

As I mentioned earlier, the only thing that determines whether IPv4 or IPv6 is used is static configuration or DHCP. With static configuration, I specify the IPv6 address. However, since the DHCP server is not capable of handing out IPv6 addresses, any device using DHCP uses the IPv4 address. There are also many DNS servers on the web that hand out IPv6 info over IPv4. I can use them, if I choose, and still get IPv6 info. In fact, I was doing that before I found a suitable IPv6 address DNS server. So, not only cannot a DNS server assume that an IPv4 request means the requester cannot use IPv6, it must not. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

08:43

Carl Hartung wrote:

On Tue, 29 May 2012 16:54:36 -0400 James Knott wrote:

...
Carl Hartung wrote:

...
So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!)

How is the server to know whether the requester can use IPv6 addresses?

An IPv6 capable requester will use the DNS server's IPv6 address.

Requester = application - which could very well be IPv6-capable, regardless of whether the platform is or isn't. The requester simply asks "give me all addresses for <blah>".

Any requester directing it's inquiries to the server's IPv4 address could be presumed incapable of using IPv6.

No, that would be a wrong presumption. In particular if the requester ask for all addresses. -- Per Jessen, Zürich (17.0°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

08:40

Carl Hartung wrote:

On Tue, 29 May 2012 21:33:13 +0200 Per Jessen wrote:

...
how a DNS query arrives will at most determine how the response will be sent back. Whether a DNS query arrives via IPv4 or IPv6 does not in any way determine what the response contains.

So the server sends back two records instead of one, and the client just discards the one it can't use. That's not very efficient (stupid server!) Thanks for the clarification ;-)

Computers are stupid, they only do what they're told :-) The server just answers the query - if the client asked for both kinds of addresses (which an IPv6-aware application would), that's what the server will respond with (if available). -- Per Jessen, Zürich (16.8°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

James Knott

29 May 29 May

22:51

Per Jessen wrote:

Yeah ... how a DNS query arrives will at most determine how the response will be sent back. Whether a DNS query arrives via IPv4 or IPv6 does not in any way determine what the response contains.

Quite so. I run dnsmasq on my firewall. The resolv.conf file for that computer lists 2 different IPv6 DNS servers and one IPv4. Computers on my network with static configuration use the IPv6 address to access dnsmasq and those that use DHCP, use IPv4. Either way, all computers get the exact same info, whether IPv6 or IPv4 addresses. I guess Carlos is really in a bind with this one. ;-) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

30 May 30 May

08:37

James Knott wrote:

Per Jessen wrote:

...
Yeah ... how a DNS query arrives will at most determine how the response will be sent back. Whether a DNS query arrives via IPv4 or IPv6 does not in any way determine what the response contains.

Quite so. I run dnsmasq on my firewall. The resolv.conf file for that computer lists 2 different IPv6 DNS servers and one IPv4. Computers on my network with static configuration use the IPv6 address to access dnsmasq and those that use DHCP, use IPv4. Either way, all computers get the exact same info, whether IPv6 or IPv4 addresses.

I guess Carlos is really in a bind with this one. ;-)

Haha, good one! If Carlos is determined to go this way, I think his only option might be to use iptables content inspection and fiddle with the incoming query packet - there should be flags indicating the desired address types: ipv4, ipv6 or both. -- Per Jessen, Zürich (16.8°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Carlos E. R.

12:21

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-05-30 08:37, Per Jessen wrote:

James Knott wrote:

...
I guess Carlos is really in a bind with this one. ;-)

Haha, good one!

Yah, right :-?

If Carlos is determined to go this way, I think his only option might be to use iptables content inspection and fiddle with the incoming query packet - there should be flags indicating the desired address types: ipv4, ipv6 or both.

Well, it is something I don't know how to do :-} - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/F9KIACgkQIvFNjefEBxrxWACff1xBZIHzxImZI6us0uJ4lGuh U0QAoJHIZ309V970CxbVch/duvuo4lji =LGQu -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

Per Jessen

12:44

Carlos E. R. wrote:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 2012-05-30 08:37, Per Jessen wrote:

...
James Knott wrote:

...
...
I guess Carlos is really in a bind with this one. ;-)

Haha, good one!

Yah, right :-?

...
If Carlos is determined to go this way, I think his only option might be to use iptables content inspection and fiddle with the incoming query packet - there should be flags indicating the desired address types: ipv4, ipv6 or both.

Well, it is something I don't know how to do :-}

Right now I don't know either, but it's a matter of looking at a DNS query packet and then writing some iptables rules that will a) identify such packets and b) modify the right bits. -- Per Jessen, Zürich (22.2°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Reply

Sign in to reply online Use email software

4346

Age (days ago)

4348

Last active (days ago)

Download

33 comments

5 participants

tags

participants (5)

Carl Hartung
Carlos E. R.
Carlos E. R.
James Knott
Per Jessen