single dns query for A and AAAA

Tassos Chatzithomaoglou achatz at forthnetgroup.gr
Tue Feb 19 23:48:19 CET 2013


Seth Mos wrote on 19/2/2013 10:00:
> On 18-2-2013 22:49, Tassos Chatzithomaoglou wrote:
>> Hi all,
>>
>> I wanted to share with you the following...
>>
>> I'm getting strange results from a DNS server when being queried through an F5 vpn
>> connection, resulting in "AAAA" queries/responses being delayed, which in turn leads to
>> unjustified IPv4 preference. "A" queries/responses are also a bit delayed in comparison to
>> executing them outside of the vpn, but this extra time isn't justified by the extra
>> processing and/or hops introduced by the vpn. So I'm guessing something strange is
>> happening within the vpn.
>> When the DNS server is being queried without using the vpn connection, then both types of
>> queries/responses show similar/expected timing behavior and IPv6 preference is always
>> happening as expected.
>> Communication with the DNS server is happening solely over IPv4 and IPv6 connectivity (for
>> other destinations) is working fine.
> Just a thought, is the VPN connection actually Dual Stack? I can imagine
> strange results when the host OS has choices of various DNS servers on
> both a VPN IPv4 and a GUA IPv6.
>
> I'm having good luck so far with dual-stack on OpenVPN 2.3, it works
> better than I expected it would. I'm rolling this out pretty soon as I
> get quite a few complications now because we already have part IPv6
> deployment in the corporate network.
>
> I ran into issues when one of our users actually got native IPv6 at
> home. Because some services already resolve to an IPv6 it tried to
> connect to the corp network over the internet which was not intended and
> failed.
>
> The word is that halfway 2013 Ziggo will start deploying dhcp-pd for
> IPv6 to their residential customers, that would suddenly make this a far
> bigger issue.
>
> Another plus is that the Android client also works pretty well, which
> sells well for quite a few of our users that have tablets and phones.
>
> Regards,
> Seth
>
The vpn connection is v4 only and it's not actually used; it's the dns server that's
routed through it that causes strange delay issues with "aaaa" responses.
Since this is the corporate vpn managed by the IT guys, it's not so easy to change the vpn
sw/hw.
Regarding openvpn, I have feedback from others that most things are working fine in
dual-stack, besides an issue with assigned /64 prefixes (instead of each user getting a
/128 from the same /64, each one gets a /128 from different /64s... I don't have more
details on this).

--
Tassos




More information about the ipv6-ops mailing list