Broken DNS client resolvers (Was: Dealing with filtered 6to4 clients)

Jeroen Massar jeroen at unfix.org
Tue Oct 27 15:29:42 CET 2009


Rémi Denis-Courmont wrote:
> On Tue, 27 Oct 2009 13:39:42 +0100, Jeroen Massar <jeroen at unfix.org> wrote:
>> As an excellent example look at:
>> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/417757
> 
> Hmm well, I suspect the problem is rather along the line of glibc depending
> on the little-known and hence under-used AI_ADDRCONFIG flag for correct
> RFC3484 operation. With that flag, it will only look quad-A records up if
> there is one (non-link-local) IPv6 address configured - in this case, it is
> reasonable to assume DNS works correctly, especially as Linux distros don't
> do "automatic" 6to4 setup by default.
> 
> Whether it's a glibc or a many-applications bug is debatable.

*WHICH IS NOT THE ISSUE*

(it is another one, but that generally doesn't hit anyone, as without an
IPv6 default route your packets come straight back with an UNREACH
when they are sent outbound, thus it does not hurt in most cases)

dig @<broken dns resolver> www.microsoft.com AAAA

and the DNS resolver will never ever reply to that query.

This means that your resolver will time out.

It is irrespective of having actual IPv6 connectivity or not. It does
depend on the OS making a decision whether it needs to query an AAAA record
or not, which could indeed then be based on flags passed to getaddrinfo,
such as AI_ADDRCONFIG.

Note though what the man page on Debian states about AI_ADDRCONFIG:
8<-----------
       If hints.ai_flags includes the AI_ADDRCONFIG flag, then IPv4
       addresses are returned in the list pointed to by result only if
       the local system has at least one IPv4 address configured, and
       IPv6 addresses are only returned if the local system has at
       least one IPv6 address configured.
------------>

In other words, with 6to4, Teredo etc. you are bust.
Also note that those are the defaults on Windows Vista and Seven...

And even if you have proper IPv6 connectivity, this DNS querying bug can
still hit you straight in the face. (Heck I had it at home with an old
WRT box but I never noticed it till I once didn't have my VPN open and
thus started using the local DNS server which was broken...)

(And gee, see why so many other people are confused about this....)

Greets,
 Jeroen
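The failure mode described above, a resolver that answers A queries but silently drops AAAA queries so the client sits there until it times out, can be reproduced and detected with a small probe. The following Python is an added example and not part of the original post or anyone's quoted code: it builds RFC 1035 wire-format A and AAAA queries, sends them over UDP with a timeout, and reports which ones get an answer. So that it runs offline, it also starts a constructed fake resolver on 127.0.0.1 that answers A with 192.0.2.1 (a documentation address) and drops AAAA; the name www.example.com and the 0.5 s timeout are arbitrary choices. Pointing `check_resolver` at a real resolver's address is the scripted equivalent of the `dig @<resolver> ... AAAA` test from the post.

```python
import random
import socket
import struct
import threading

QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1


def build_query(name, qtype, txid):
    """Build a minimal RFC 1035 query: header, one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """Return (txid, name, qtype, end_offset) of the first question in msg."""
    txid = struct.unpack("!H", msg[:2])[0]
    off, labels = 12, []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    off += 1  # root label
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, ".".join(labels), qtype, off + 4


def build_response(query, rdata):
    """Echo the question back with one answer RR (name via compression pointer)."""
    txid, _, qtype, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, QCLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:qend] + answer


class FakeBrokenResolver(threading.Thread):
    """Constructed stand-in for the broken resolver: answers A, drops AAAA."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
        self.addr = self.sock.getsockname()
        self._stop = threading.Event()

    def run(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(512)
            except socket.timeout:
                continue
            if parse_question(data)[2] == QTYPE_A:
                self.sock.sendto(build_response(data, socket.inet_aton("192.0.2.1")), peer)
            # AAAA (or anything else): say nothing, the client is left to time out
        self.sock.close()

    def stop(self):
        self._stop.set()


def probe(resolver, name, qtype, timeout):
    """Send one query; True if a matching reply arrives, False on timeout."""
    txid = random.getrandbits(16)  # real clients randomise the ID (RFC 5452)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), resolver)
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid and bool(data[2] & 0x80)


def check_resolver(resolver, name="www.example.com", timeout=0.5):
    """Map record type -> answered?  {'A': True, 'AAAA': False} is the bug."""
    return {"A": probe(resolver, name, QTYPE_A, timeout),
            "AAAA": probe(resolver, name, QTYPE_AAAA, timeout)}


def demo():
    """Run the check against the constructed broken resolver."""
    srv = FakeBrokenResolver()
    srv.start()
    try:
        return check_resolver(srv.addr)
    finally:
        srv.stop()


if __name__ == "__main__":
    print(demo())  # {'A': True, 'AAAA': False}
```

The interesting part is not the answered A lookup but the AAAA probe returning False only after the full timeout: that stall is exactly what an application sees when its getaddrinfo decides an AAAA query is warranted, regardless of whether any IPv6 route exists.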
