Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cloudflare-ipv6 resolvers list has both regular and dns64 resolvers #953

Open
Isonami opened this issue Sep 14, 2024 · 6 comments
Open

cloudflare-ipv6 resolvers list has both regular and dns64 resolvers #953

Isonami opened this issue Sep 14, 2024 · 6 comments

Comments

@Isonami
Copy link

Isonami commented Sep 14, 2024
edited
Loading

Example ips from the list:

2606:4700:4700::1111
2606:4700:4700::64

Is it expected behavior? They have different resolve results for A queries.

Cloudflare link about theirs dns64 resolvers https://developers.cloudflare.com/1.1.1.1/infrastructure/ipv6-networks/
@jedisct1
Copy link
Member

/cc @demarcush

@demarcush
Copy link
Contributor

DNS64:

% dnslookup www.youtube.com "https://[2606:4700:4700::6400]/dns-query"
dnslookup master
Server: https://[2606:4700:4700::64]/dns-query

dnslookup result (elapsed 672.885567ms):
;; opcode: QUERY, status: NOERROR, id: 36506
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.youtube.com.       IN       A

;; ANSWER SECTION:
www.youtube.com.        214     IN      CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com.        214     IN      A       216.58.212.174
youtube-ui.l.google.com.        214     IN      A       142.250.186.110
youtube-ui.l.google.com.        214     IN      A       142.250.185.174
youtube-ui.l.google.com.        214     IN      A       172.217.16.206
youtube-ui.l.google.com.        214     IN      A       172.217.18.14
youtube-ui.l.google.com.        214     IN      A       142.250.185.78
youtube-ui.l.google.com.        214     IN      A       142.250.184.238
youtube-ui.l.google.com.        214     IN      A       142.250.186.46
youtube-ui.l.google.com.        214     IN      A       172.217.23.110
youtube-ui.l.google.com.        214     IN      A       142.250.185.206
youtube-ui.l.google.com.        214     IN      A       142.250.185.110
youtube-ui.l.google.com.        214     IN      A       142.250.185.142
youtube-ui.l.google.com.        214     IN      A       142.250.186.142
youtube-ui.l.google.com.        214     IN      A       142.250.185.238
youtube-ui.l.google.com.        214     IN      A       216.58.206.46
youtube-ui.l.google.com.        214     IN      A       216.58.206.78

Regular:

% dnslookup www.youtube.com "https://[2606:4700:4700::1111]/dns-query"
dnslookup master
Server: https://[2606:4700:4700::1111]/dns-query

dnslookup result (elapsed 887.474621ms):
;; opcode: QUERY, status: NOERROR, id: 13352
;; flags: qr rd ra; QUERY: 1, ANSWER: 17, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.youtube.com.       IN       A

;; ANSWER SECTION:
www.youtube.com.        152     IN      CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com.        152     IN      A       142.250.185.206
youtube-ui.l.google.com.        152     IN      A       172.217.16.206
youtube-ui.l.google.com.        152     IN      A       172.217.23.110
youtube-ui.l.google.com.        152     IN      A       142.250.186.142
youtube-ui.l.google.com.        152     IN      A       142.250.185.142
youtube-ui.l.google.com.        152     IN      A       142.250.186.46
youtube-ui.l.google.com.        152     IN      A       142.250.186.110
youtube-ui.l.google.com.        152     IN      A       216.58.212.174
youtube-ui.l.google.com.        152     IN      A       216.58.206.78
youtube-ui.l.google.com.        152     IN      A       216.58.206.46
youtube-ui.l.google.com.        152     IN      A       142.250.185.174
youtube-ui.l.google.com.        152     IN      A       172.217.18.14
youtube-ui.l.google.com.        152     IN      A       142.250.185.110
youtube-ui.l.google.com.        152     IN      A       142.250.185.78
youtube-ui.l.google.com.        152     IN      A       142.250.185.238
youtube-ui.l.google.com.        152     IN      A       142.250.184.238

Only difference is when you query a domain for AAAA which doesn't have AAAA entries:

% RRTYPE=AAAA dnslookup ipv4.google.com "https://[2606:4700:4700::64]/dns-query"
dnslookup master
Server: https://[2606:4700:4700::64]/dns-query

dnslookup result (elapsed 808.855929ms):
;; opcode: QUERY, status: NOERROR, id: 11053
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipv4.google.com.       IN       AAAA

;; ANSWER SECTION:
ipv4.google.com.        60      IN      CNAME   ipv4.l.google.com.
ipv4.l.google.com.      60      IN      **AAAA    64:ff9b::acd9:10ce**

In this case instead of returning an empty response, it returns the dns64 version.

@demarcush
Copy link
Contributor

One can try and make distinct entries for dns64 resolvers (although a redundant pursuit).

@Isonami
Copy link
Author

Isonami commented Sep 15, 2024
edited
Loading

I'm sorry, had bad explanation.

Main problem that if system has both ipv4 and ipv6 it usually tries to resolve both A and AAAA records and may priorities AAAA answer. And then it depends on software will it fallback to A record or not. That might brake something.

Example:

> resolvectl status
Link 2 (enp34s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 2606:4700:4700::6400

Curl fallback to ipv4

> curl -vvv ipv4.l.google.com
* Host ipv4.l.google.com:80 was resolved.
* IPv6: 64:ff9b::8efb:240e
* IPv4: 172.217.168.206
*   Trying [64:ff9b::8efb:240e]:80...
*   Trying 172.217.168.206:80...
* Connected to ipv4.l.google.com (172.217.168.206) port 80

But ping will fail

> ping ipv4.l.google.com
PING ipv4.l.google.com (64:ff9b::8efb:240e) 56 data bytes
^C
--- ipv4.l.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3049ms

I've personally observe problem with openvpn, it always tries to connect to dns64 address first.

@demarcush
Copy link
Contributor

Ok, since fixing the problem from upstream of all those projects will make all our lives miserable, I propose we remove them for now and maybe add a toggle-option to sdns:// specification for resolvers with dns64 capabilities.

@demarcush
Copy link
Contributor

I'll try to make a PR, no promises.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jedisct1 @Isonami @demarcush