Broken DNS client resolvers (Was: Dealing with filtered 6to4 clients)

Jeroen Massar jeroen at unfix.org
Tue Oct 27 13:39:42 CET 2009


Martin List-Petersen wrote:
> Geert Hendrickx wrote:
>> On Tue, Oct 27, 2009 at 12:10:35PM +0000, Martin List-Petersen wrote:
>>> Martin List-Petersen wrote:
>>>> I wouldn't encourage that, but if your eyeball networks are that
>>>> paranoid, that's a way they can be in control. They could then
>>>> choose not to provide AAAA records to 6to4 and Teredo clients.
>>>>
>>>> Anyhow .. that's a hack and not to be encouraged, really.
>>> Arghh .. me not thinking today. Obviously they can't know what the
>>> client has, but they could whitelist known good deployments then.
>>
>> Or, on your side, you could not serve AAAA records to (the DNS caches of)
>> the problematic network(s)?
> 
> That is the better approach alright.

Which doesn't help you much.

The problem with broken clients is that they are broken and that you do
not have control over them (which is good from one point ;)

As an excellent example look at:
https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/417757

In short: host has IPv6 enabled, application does a getaddrinfo(), which
means it will ask for AAAA and then A from the resolvers. The DNS
resolver though sees a DNS query for an AAAA record and does "eeehmm
dunno, go away" and then just drops the request. The DNS client thus has
to time out, as that is the only option it has. The client then sends a
request for an A record and gets a direct response.

User's solution: disable IPv6

Real solution: fix/replace the broken DNS server (e.g. change to OpenDNS*);
using the upstream DNS servers directly instead of the one in the DSL
modem is generally already a good enough fix, as you bypass the problem.
Installing a local DNS recursor is another good option.

Still... it is an end-user issue which the network admin has no control
over and also can't easily check, nor does it actually require any IPv6
packets to flow over the network at all, just an active IPv6 stack. Some
OSs are a little 'smart' about this, but one can't be completely smart.

Oh and yes, it also applies to Windows and every other OS...

Greets,
 Jeroen

* = also broken in various ways:
https://lists.dns-oarc.net/pipermail/dns-operations/2009-July/004217.html
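An added example (mine, not from this thread) of the failure mode described above: a constructed loopback "resolver" that answers A queries but silently drops AAAA, plus a probe that spots it by checking whether each query type gets any reply before the timeout. Only the standard library is used; the DNS packets are hand-built, and the name www.example.com is a placeholder.

```python
import socket, struct, threading
A, AAAA = 1, 28  # DNS QTYPE values

def build_query(name, qtype, txid=0x1234):
    """Minimal RFC 1035 query: one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def query_type(packet):
    i = 12  # skip the fixed header, then walk the length-prefixed labels
    while packet[i] != 0:
        i += packet[i] + 1
    return struct.unpack("!H", packet[i + 1:i + 3])[0]

def broken_resolver(sock, stop):
    """Constructed stand-in for the faulty forwarder: answers A, drops AAAA."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(512)
        except socket.timeout:
            continue
        if query_type(data) == A:
            # flags QR|RD|RA, rcode NOERROR, zero answers, question echoed back
            reply = data[:2] + b"\x81\x80" + data[4:6] + b"\x00" * 6 + data[12:]
            sock.sendto(reply, addr)

def answered(server, qtype, timeout=0.5):
    """True if the resolver sends any reply at all to a query of this type."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("www.example.com", qtype), server)
        try:
            s.recvfrom(512)
            return True
        except socket.timeout:
            return False

def run_demo():
    # start the simulated resolver on loopback, probe A then AAAA, tear down
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    stop = threading.Event()
    t = threading.Thread(target=broken_resolver, args=(srv, stop), daemon=True)
    t.start()
    try:
        return answered(srv.getsockname(), A), answered(srv.getsockname(), AAAA)
    finally:
        stop.set(); t.join(); srv.close()
```

Pointing answered() at a real forwarder (with a longer timeout) gives a quick check of whether it is the kind of box that makes every dual-stack lookup wait for the AAAA timeout first.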
