
How to force to use IPv4 instead of IPv6 for certain domains?

Discussion in 'Tomato Firmware' started by ierwin, Aug 7, 2014.

  1. ierwin

    ierwin Serious Server Member

    Hello everyone.
    I am from China, and I am using shibby's Tomato with HE.net's IPv6 tunnel. HE has no IPv6 tunnel server in my country, so I have to choose a tunnel server in the US.

    My problem is:
    A website example.com: its server is located in China, and it has both IPv4 and IPv6 services, so example.com has both A and AAAA records.
    Windows and other OSes prefer IPv6 first, so it causes high ping (packets go to the US and back to China again).
    I know I can use "address=/example.com/1.1.1.1" in dnsmasq's custom configuration, but it's unwise because example.com has lots of sub-domains.
    So I wonder, is there any way that dnsmasq will only return the A record for "example.com" and its sub-domains?
    Or is there any DNS server that only returns A records? If so, I can use "server=/example.com/<dns-server>" to solve this problem.
     
  2. ierwin

    ierwin Serious Server Member

    Consider this situation: I have to wait a long time before IPv6 times out and the browser tries to connect using IPv4.
    So if there's a way to force dnsmasq to return the A record for "qq.com" and all its sub-domains, it would be great.
     
  3. koitsu

    koitsu Network Guru Member

    There's really no effective way to solve this problem using DNS trickery in dnsmasq given the situation.

    The only solution as I see it is to either a) disable the IPv6 stack in Windows entirely, or b) adjust the routing policy in Windows to prefer IPv4 over IPv6 (there are two solutions listed at that link, read slowly/carefully). Yes, these impact everything as a whole, but there is nothing you can do about the situation.
     
  4. ierwin

    ierwin Serious Server Member

    Do you know any DNS server which may only return A record?
    IPv6 is VERY important for me. You may know there's Internet censorship in mainland China. (see https://en.wikipedia.org/wiki/Golden_Shield_Project)
    At present, the 6in4 tunnel is not affected by our government, and it makes it much easier for me to access Google/YouTube/Facebook. Of course, I still have other ways to access Google without IPv6, but they may be painful.
     
    Last edited: Aug 8, 2014
  5. koitsu

    koitsu Network Guru Member

    The issue is not about DNS servers which return only A records -- the issue is whether or not the authoritative nameserver for a domain publishes AAAA (IPv6) records. qq.com chooses to publish IPv6 records -- that has nothing to do with what DNS server you're using.

    Secondly, there are a limited number of public ("free") recursive DNS resolvers which you could use, such as Google's 8.8.8.8 or Verizon's 4.2.2.1 and 4.2.2.2, not to mention OpenDNS, however as I said they're all recursive, meaning if qq.com publishes AAAA records then Google/Verizon/OpenDNS will simply return those. "Free" recursive resolvers are often open to DNS amplification attacks (essentially using them as a DDoS redirector), which is why there are not many of them.

    You need to understand: the client doing the DNS lookup is the one asking for AAAA records. That client is you. So either you stop your client from doing IPv6 lookups (and there is no way I know of to say "don't do AAAA lookups for a certain domain and/or wildcard matching on that domain name", ex. *.qq.com) by turning off the IPv6 portion of the stack on the client.

    You could try to hack together a bunch of fake DNS records (meaning return only A records, no AAAA records) for qq.com and *.qq.com, but this won't work as you already pointed out in your initial post: you'd need to know all the subdomains of qq.com to match against, and there's no way to get that (they do not allow zone AXFR publicly (good for them, that's a security problem if they allowed it)), and dnsmasq AFAIK does not support any kind of wildcarding (ex. *.qq.com). Furthermore, let's say you were able to do this with dnsmasq. What would you put in for the A records? Whatever you looked up at the time you were doing this? Okay, and what if qq.com changed some of their A records (this is incredibly common, ESPECIALLY with cloud-based services)? How would you know? You wouldn't -- instead things would just suddenly start breaking/timing out for you.

    So like I said, the only for-sure way to do this is to disable IPv6 in the client stack, or prefer IPv4 over IPv6 in the client stack. You can't have your cake and eat it too in this case.

    I'm adding this thread to my never-ending list of reasons of "IPv6 transitioning sucks, don't bother using it until the entire world actually treats it like production in the same way they do IPv4. Use IPv4 and don't worry about any of this nonsense."
     
  6. ierwin

    ierwin Serious Server Member

    Thanks for your reply.
    But for me now, I still prefer to use IPv6. I find that Firefox can be configured to prefer IPv4 on certain domains (about:config - network.dns.ipv4OnlyDomains), or just asked to prefer IPv4 first (network.http.fast-fallback-to-IPv4). I can say this is a temporary solution for me.
     
  7. ryzhov_al

    ryzhov_al Networkin' Nut Member

    There is a way to set IPv4/IPv6 precedence in the wl500g or Padavan projects. Not sure whether this patch was taken into Tomato or not.
     
  8. koitsu

    koitsu Network Guru Member

    I'm having trouble understanding this patch a little bit (and I have no familiarity with gai.conf, which is probably why I'm confused). Does that patch just make DNS lookups use IPv4 protocol (e.g. initiate connections to a DNS server using IPv4), or does it actually affect DNS query results?

    If "yes, the former" -- I don't think that'd help the OP. I'll give an example: my BSD boxes are all built with IPv6 disabled (in kernel, userland, and all other binaries). There's absolutely no IPv6 support anywhere, so there's no way for something like BIND (named) to talk to an IPv6 host -- it can only speak IPv4. However, I can still look up IPv6 (AAAA) DNS records anyway (which obviously is expected/should work):

    Code:
    freebsd$ dig @127.0.0.1 aaaa google.com. +short
    2607:f8b0:4005:800::1007
    
    In the OP's case, he's essentially trying to limit resolver lookups to just A (IPv4) records for certain domains and subdomains. So it seems to me like two patches would be needed for dnsmasq (and not necessarily uClibc): 1) allow some kind of wildcarding in address= lines, and 2) ignore IPv6 (AAAA) records and only return A records (and if there are none, just NXDOMAIN).

    If "yes, the latter" then yeah that might work, if dnsmasq uses getaddrinfo(3). :)
     
  9. ryzhov_al

    ryzhov_al Networkin' Nut Member

    A little history of the patch is here. As I said, it just helps to set IPv4/IPv6 precedence on the router itself.
     
  10. leandroong

    leandroong Addicted to LI Member

    Thanks, works on my RT-N56U Padavan fw,
    where the gai.conf contents are as follows:
    precedence ipv4

    W/out gai.conf
    Code:
    /opt/home/admin # nslookup wl500g-repo.googlecode.com
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:      wl500g-repo.googlecode.com
    Address 1: 2404:6800:4008:c00::52 tb-in-x52.1e100.net
    Address 2: 173.194.72.82 tf-in-f82.1e100.net
    /opt/home/admin # cd /opt/tmp
    /opt/tmp # wget http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/Packages
    --2014-08-11 17:46:29--  http://wl500g-repo.googlecode.com/svn/ipkg/openwrt/Packages
    Resolving wl500g-repo.googlecode.com... 2404:6800:4008:c02::52, 173.194.72.82
    Connecting to wl500g-repo.googlecode.com|2404:6800:4008:c02::52|:80... failed: Network is unreachable.
    Connecting to wl500g-repo.googlecode.com|173.194.72.82|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3292 (3.2K) [text/plain]
    Saving to: 'Packages'
    
    100%[======================================>] 3,292       --.-K/s   in 0s
    
    2014-08-11 17:46:30 (20.2 MB/s) - 'Packages' saved [3292/3292]
    
    
    on win7
    Code:
    C:\Users\lean>nslookup www.qq.com
    Server:  RT-N56U.RT-N56U
    Address:  10.0.1.1
    
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    DNS request timed out.
        timeout was 2 seconds.
    Name:    www.qq.com
    Addresses:  202.55.10.190
              202.55.10.189
    
    
    C:\Users\lean>
     
    Last edited: Aug 11, 2014
  11. i1135t

    i1135t Network Guru Member

    This is a nice feature. I used to enable IPv6 through HE, but DNS lookups were slower with it enabled, forcing me to disable it (not sure why, HE being for IPv6 lookups only). This looks like it may solve this problem by allowing IPv4 as the preferred precedence?.. If so, could it be incorporated into some of the other mods as well?
     
    Last edited: Aug 12, 2014
  12. ierwin

    ierwin Serious Server Member

    Can you try it on www.google.com?
    As far as I know, some DNS servers return only an A record for "www.qq.com", such as HE's DNS server:
    Code:
    C:\Users\阮兆辉>nslookup www.qq.com
    Server:  unknown
    Address:  2001:470:b:225::1
    
    Non-authoritative answer:
    Name:  www.qq.com
    Addresses:  240e:ff:f040:28::a
      14.17.32.211
      183.60.15.153
    
    
    C:\Users\阮兆辉>nslookup www.qq.com 2001:470:20::2
    Server:  ordns.he.net
    Address:  2001:470:20::2
    
    Non-authoritative answer:
    Name:  a1574.b.akamai.net
    Addresses:  173.223.232.82
      173.223.232.35
    Aliases:  www.qq.com
     
  13. ryzhov_al

    ryzhov_al Networkin' Nut Member

    On RT-N14U with Padavan's firmware:
    Code:
    /opt/home/admin # nslookup www.google.com
    Server:  127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:  www.google.com
    Address 1: 2a00:1450:4010:c04::6a lb-in-x6a.1e100.net
    Address 2: 173.194.71.105 lb-in-f105.1e100.net
    Address 3: 173.194.71.106 lb-in-f106.1e100.net
    Address 4: 173.194.71.147 lb-in-f147.1e100.net
    Address 5: 173.194.71.99 lb-in-f99.1e100.net
    Address 6: 173.194.71.103 lb-in-f103.1e100.net
    Address 7: 173.194.71.104 lb-in-f104.1e100.net
    /opt/home/admin # echo "precedence ipv4" > /etc/gai.conf
    /opt/home/admin # nslookup www.google.com
    Server:  127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:  www.google.com
    Address 1: 173.194.71.104 lb-in-f104.1e100.net
    Address 2: 173.194.71.103 lb-in-f103.1e100.net
    Address 3: 173.194.71.99 lb-in-f99.1e100.net
    Address 4: 173.194.71.147 lb-in-f147.1e100.net
    Address 5: 173.194.71.106 lb-in-f106.1e100.net
    Address 6: 173.194.71.105 lb-in-f105.1e100.net
    Address 7: 2a00:1450:4010:c02::6a
    As you can see, no dnsmasq settings were changed. It's a system-wide setting for the uClibc resolving syscall.
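
    The reordering shown in this post happens when getaddrinfo(3) sorts the answers the resolver returned; the DNS reply itself still carries the AAAA record. The Python below is an added example, not code from this thread, from uClibc or from glibc. It reproduces the single sorting step that the gai.conf precedence table drives, rule 6 ("prefer higher precedence") of RFC 6724 destination address selection; the real getaddrinfo also applies the scope, label and reachability rules, which are left out here. It uses glibc's gai.conf syntax, `precedence <prefix> <value>`, where preferring IPv4 is spelled `precedence ::ffff:0:0/96 100`; the `precedence ipv4` line in the posts above is the shorthand of the patched uClibc on those routers. The candidate address list is constructed from the www.google.com addresses quoted in this post.

```python
"""Added example (not from the thread, uClibc or glibc): the gai.conf
precedence step of getaddrinfo(3) result sorting, RFC 6724 rule 6."""
import ipaddress

# RFC 6724 section 2.1 default precedence table, which is also glibc's default.
DEFAULT_PRECEDENCE = [
    ("::1/128", 50),
    ("::/0", 40),
    ("::ffff:0:0/96", 35),   # IPv4 destinations are ranked as IPv4-mapped addresses
    ("2002::/16", 30),       # 6to4
    ("2001::/32", 5),        # Teredo
    ("fc00::/7", 3),         # ULA
    ("::/96", 1),            # IPv4-compatible (deprecated)
    ("fec0::/10", 1),        # site-local (deprecated)
    ("3ffe::/16", 1),        # 6bone (deprecated)
]

# glibc syntax.  The single uncommented line is the usual "prefer IPv4" recipe;
# the routers in this thread spell the same intent as "precedence ipv4".
PREFER_IPV4_CONF = """
# gai.conf
precedence ::ffff:0:0/96 100
"""


def parse_gai_conf(text):
    """Build the precedence table from 'precedence <prefix> <value>' lines.
    As documented for glibc, any precedence line discards the default table;
    glibc then appends a ::/0 catch-all so unlisted prefixes keep rank 40."""
    table = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) == 3 and tokens[0] == "precedence":
            table.append((tokens[1], int(tokens[2])))
    if not table:
        return list(DEFAULT_PRECEDENCE)
    table.append(("::/0", 40))
    return table


def as_ipv6(addr):
    """getaddrinfo ranks IPv4 addresses via their IPv4-mapped IPv6 form."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip


def precedence_of(addr, table):
    """Longest-prefix match of addr against the table; 0 if nothing matches."""
    ip6 = as_ipv6(addr)
    best_len, best_val = -1, 0
    for prefix, value in table:
        net = ipaddress.IPv6Network(prefix)
        if ip6 in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def sort_destinations(addrs, table):
    """Rule 6 only: higher precedence first; a stable sort keeps the
    resolver's order among addresses of equal precedence."""
    return sorted(addrs, key=lambda a: -precedence_of(a, table))


# Constructed candidate list modelled on the www.google.com answers above.
CANDIDATES = ["2a00:1450:4010:c04::6a", "173.194.71.105", "173.194.71.106"]

if __name__ == "__main__":
    print("default:     ", sort_destinations(CANDIDATES, DEFAULT_PRECEDENCE))
    print("prefer ipv4: ", sort_destinations(CANDIDATES, parse_gai_conf(PREFER_IPV4_CONF)))
```

    With the default table the IPv6 address (rank 40) sorts ahead of the IPv4-mapped ones (rank 35); with the single precedence line the IPv4 addresses take rank 100 and come first, which is exactly the before/after nslookup output in this post. Note what this does not do: it changes the order in which a program on the router tries addresses, and nothing about what clients on the LAN receive from dnsmasq.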
     
  14. leandroong

    leandroong Addicted to LI Member

    /opt/home/admin # nslookup www.google.com
    Server: 127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain

    Name: www.google.com
    Address 1: 173.194.127.145 hkg03s13-in-f17.1e100.net
    Address 2: 173.194.127.144 hkg03s13-in-f16.1e100.net
    Address 3: 173.194.127.146 hkg03s13-in-f18.1e100.net
    Address 4: 173.194.127.148 hkg03s13-in-f20.1e100.net
    Address 5: 173.194.127.147 hkg03s13-in-f19.1e100.net
    Address 6: 2404:6800:4005:804::1011 hkg03s13-in-x11.1e100.net
    /opt/home/admin #
     
  15. ierwin

    ierwin Serious Server Member

    There's still AAAA record and I think most OS will still try Google via IPv6...
     
  16. ryzhov_al

    ryzhov_al Networkin' Nut Member

    No, if you fix it on the client side. As I see, you are on Windows; take a look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents. You may set IPv4 precedence by setting this key to 0x20.
     
    Last edited: Aug 18, 2014
  17. leandroong

    leandroong Addicted to LI Member

    On win7, I checked registry, no "DisabledComponents". Maybe he needs to add that.
     
  18. koitsu

    koitsu Network Guru Member

    The registry entry might not exist by default, according to Microsoft's own documentation.

     
  19. leandroong

    leandroong Addicted to LI Member

    @koitsu, the Microsoft registry patch worked, but the result is that IPv6 is still prioritized, if I'm not mistaken
    Code:
    C:\Users\lean>nslookup www.google.co
    Server:  RT-N56U.RT-N56U
    Address:  10.0.1.1
    
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2404:6800:4008:c04::69
              122.2.152.227
              122.2.152.216
              122.2.152.236
              122.2.152.231
              122.2.152.221
              122.2.152.217
              122.2.152.247
              122.2.152.237
              122.2.152.212
              122.2.152.226
              122.2.152.246
              122.2.152.222
              122.2.152.251
              122.2.152.241
              122.2.152.232
              122.2.152.242
    C:\Users\lean>
    note: DisabledComponents value is 32 or 0x20
     
  20. koitsu

    koitsu Network Guru Member

    Well I can't explain what all that setting actually changes (I run XP and don't bother with IPv6, despite my past involvements with it on Tomato), but my impression is that all that registry setting does is prefer IPv4 socket connections over IPv6 socket connections. I don't think it inhibits DNS AAAA records.

    What I see in your nslookup results are 1) the client was speaking IPv4 to the DNS server 10.0.1.1, and 2) both A (IPv4) and AAAA (IPv6) records were returned for a lookup of www.google.com. I'd be willing to bet you that Microsoft's nslookup.exe client looks up AAAA and A records both when not explicitly specifying a query type (ex. -q=a).

    I get the same behaviour when using dig any www.google.com. (query type = any) even on a FreeBSD box with IPv4 only -- again, IPv6 is not part of the kernel or userland, but that's the protocol and has nothing to do with A vs. AAAA DNS lookups:

    Code:
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      ANY
    
    ;; ANSWER SECTION:
    www.google.com.         300     IN      AAAA    2607:f8b0:4005:802::1013
    www.google.com.         300     IN      A       74.125.239.148
    www.google.com.         300     IN      A       74.125.239.145
    www.google.com.         300     IN      A       74.125.239.144
    www.google.com.         300     IN      A       74.125.239.146
    www.google.com.         300     IN      A       74.125.239.147
    
    Now of course if I did dig a www.google.com. I'd never get back an AAAA result. Case in point:

    Code:
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    
    ;; ANSWER SECTION:
    www.google.com.         177     IN      A       74.125.239.148
    www.google.com.         177     IN      A       74.125.239.146
    www.google.com.         177     IN      A       74.125.239.147
    www.google.com.         177     IN      A       74.125.239.144
    www.google.com.         177     IN      A       74.125.239.145
    
    And same if I did dig aaaa www.google.com. --

    Code:
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      AAAA
    
    ;; ANSWER SECTION:
    www.google.com.         300     IN      AAAA    2607:f8b0:4005:802::1010
    
     
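    Two things in the posts above can be made concrete on the wire: the client chooses the query type (A, AAAA or ANY) that koitsu demonstrates with dig, and a resolver that wanted to hand the original poster "A records only for qq.com and everything under it" would have to strip AAAA answers by owner-name suffix on the way back (post 5 explains why the dnsmasq of this thread cannot do that with address= lines). The Python below is an added example, not code from this thread or from dnsmasq: build_query() puts the chosen QTYPE into a DNS query, parse_response() walks a reply including compression pointers, and strip_aaaa() drops AAAA answers under a suffix and rewrites ANCOUNT, which is the job a filtering forwarder placed in front of dnsmasq would do. The reply it parses is constructed here, not captured, using the www.qq.com addresses quoted earlier in the thread.

```python
"""Added example (not from the thread, not dnsmasq code): minimal DNS wire
format handling to show (1) the client picks the QTYPE and (2) what an
"A-only for *.qq.com" filter in a forwarder has to do to a reply."""
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28, "ANY": 255}


def encode_name(name):
    """Encode 'www.qq.com' as DNS labels: 3www2qq3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query with RD set; the QTYPE is whatever the client asks for."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, off, max_hops=16):
    """Decode a possibly compressed name at msg[off]; return (name, next offset).
    The hop limit rejects compression-pointer loops in hostile replies."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def skip_question(msg):
    """Return the offset just past the question section."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    return off


def parse_response(msg):
    """Return (name, rtype, ttl, rdata, start, end) for each answer RR."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    off = skip_question(msg)
    answers = []
    for _ in range(ancount):
        start = off
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen], start, off + rdlen))
        off += rdlen
    return answers


def under(name, suffixes):
    """True if name equals a suffix or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s)
               for s in (x.lower().rstrip(".") for x in suffixes))


def strip_aaaa(msg, suffixes):
    """Drop AAAA answers owned by names under `suffixes`; fix up ANCOUNT.
    Authority/additional sections are discarded so no compression pointer
    into a removed record can dangle; answer names pointing at the question
    (0xC00C) stay valid because the question bytes are copied unchanged."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    qend = skip_question(msg)
    kept = [msg[s:e] for (name, rtype, _t, _r, s, e) in parse_response(msg)
            if not (rtype == QTYPE["AAAA"] and under(name, suffixes))]
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(kept), 0, 0)
    return header + msg[12:qend] + b"".join(kept)


def build_sample_response(txid=0x1234):
    """Constructed reply (not a capture) for www.qq.com with one AAAA and two
    A records, using the addresses quoted earlier in the thread."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 0)   # QR, RD, RA
    question = encode_name("www.qq.com") + struct.pack("!HH", QTYPE["ANY"], 1)

    def rr(rtype, addr):
        rdata = ipaddress.ip_address(addr).packed
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

    return (header + question + rr(QTYPE["AAAA"], "240e:ff:f040:28::a")
            + rr(QTYPE["A"], "14.17.32.211") + rr(QTYPE["A"], "183.60.15.153"))


if __name__ == "__main__":
    print("A query tail (QTYPE, QCLASS):", build_query("www.qq.com", "A")[-4:].hex())
    reply = build_sample_response()
    for name, rtype, ttl, rdata, _s, _e in parse_response(reply):
        print(name, rtype, ttl, ipaddress.ip_address(rdata))
    for name, rtype, ttl, rdata, _s, _e in parse_response(strip_aaaa(reply, ["qq.com"])):
        print("kept:", name, rtype, ipaddress.ip_address(rdata))
```

    Run as a script it prints the three answers and then the two that survive filtering for the qq.com suffix; a suffix that does not match (say google.com) leaves all three in place. Anything that rewrites replies this way is deliberately a man-in-the-middle on DNS for its clients, so it belongs on the router you already trust to resolve for you, and it should be kept to the LAN side so it cannot be used as an open resolver of the kind post 5 warns about.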
  21. djgend

    djgend New Member Member

    Use a stateful IPv6 address as your RA DNS server. The request times out because the client is asking your router by name, but the router is forwarding the request directly to the upstream IPv6 DNS (HE's stateless address passes DNS info included in the address). If you correctly set up a local DNS server and tune it a bit, I think it will reduce the timeouts, or at least they will happen less often :)

    You can identify an IPv6 local subnet in dnsmasq and have it not forward local requests to the upstream public DNS server.
     
    Last edited: Oct 25, 2015
