SixXS::Sunset 2017-06-06

No v6 DNS Servers reachable?
[at] Shadow Hawkins on Saturday, 19 July 2014 11:33:32
I tried the v6 test on test-ipv6.com, but on one point I get a red flag:

    Test if your ISP's DNS server uses IPv6 timeout (15.007s)

It seems that I cannot access any DNS servers via v6 only. I looked up which DNS server is used by the tool and it should be v6ns1.test-ipv6.com (2001:470:1:18::119). From my machine and my router, I can both ping6 and nmap the host and port 53 tcp. But if I do a DNS request to the server (either from my laptop or directly from the router) I get the timeout:

    # dig aaaa aaaa.v6ns.test-ipv6.com @2001:470:1:18::119

    ; <<>> DiG 9.9.5-4-Debian <<>> aaaa aaaa.v6ns.test-ipv6.com @2001:470:1:18::119
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

But I can request DNS from my local router over v6. If I try dig aaaa ipv6.google.com @<routers' v6 ip> I get the correct answer.

When I do the same on a server that has a native v6 connection, it works:

    # dig aaaa aaaa.v6ns.test-ipv6.com @2001:470:1:18::119

    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> aaaa aaaa.v6ns.test-ipv6.com @2001:470:1:18::119
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46109
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;aaaa.v6ns.test-ipv6.com. IN AAAA

    ;; ANSWER SECTION:
    aaaa.v6ns.test-ipv6.com. 360 IN AAAA 2001:470:1:18::119

    ;; AUTHORITY SECTION:
    v6ns.test-ipv6.com. 360 IN NS v6ns1.test-ipv6.com.

    ;; ADDITIONAL SECTION:
    v6ns1.test-ipv6.com. 360 IN AAAA 2001:470:1:18::119

    ;; Query time: 158 msec
    ;; SERVER: 2001:470:1:18::119#53(2001:470:1:18::119)
    ;; WHEN: Sat Jul 19 13:27:04 2014
    ;; MSG SIZE rcvd: 117

What is happening here? I have a firewall on my router to protect my v6 hosts, but it should not hinder packages from my network reach foreign servers and also should allow packages to flow back. The firewall script is mostly copied from the wiki and extended to allow my VPN too: https://gist.github.com/reox/3fa6b44bd727f8ab3524

Anyone has the same problem?
No v6 DNS Servers reachable?
[ch] Jeroen Massar SixXS Staff on Saturday, 19 July 2014 21:44:59
I can both ping6 and nmap the host
Did you ask for permission for nmap'ing a remote host? Under some laws in some jurisdictions probing a remote system is illegal. Thus watch out.
The firewall script is mostly copied
Copying firewalls is a bad idea, they typically do not match what you require.
Anyone has the same problem?
Likely not, as they did not randomly copy some rules. First thing I would suggest is disabling that firewall and allowing all packets to pass, and then check if things work. Of course enabling logging in the firewall is a good idea too so you can see what is getting dropped. Next to of course sending rejection messages so that you see that something is being rejected by that node and not just randomly dropped.
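The logging step suggested above can be checked mechanically. The following is an added example, not part of the original thread or of any poster's setup: it reads kernel log lines in the format written by the ip6tables LOG target and counts dropped port-53 packets per peer and protocol, which separates a dropped UDP reply from a working TCP connection. The "v6-drop: " log prefix, the interface names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the thread). "v6-drop: " is an assumed
# --log-prefix and "sixxs"/"br0" are assumed interface names; 2001:db8::/32
# is the documentation prefix standing in for a local subnet.
SAMPLE_LOG = """\
Jul 19 13:30:01 router kernel: v6-drop: IN=sixxs OUT=br0 MAC= SRC=2001:0470:0001:0018:0000:0000:0000:0119 DST=2001:0db8:0000:0001:0000:0000:0000:0010 LEN=165 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40211 LEN=125
Jul 19 13:30:06 router kernel: v6-drop: IN=sixxs OUT=br0 MAC= SRC=2001:0470:0001:0018:0000:0000:0000:0119 DST=2001:0db8:0000:0001:0000:0000:0000:0010 LEN=165 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40211 LEN=125
Jul 19 13:31:12 router kernel: v6-drop: IN=sixxs OUT=br0 MAC= SRC=2001:0db8:00ff:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0001:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=50 FLOWLBL=0 PROTO=TCP SPT=51515 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
Jul 19 13:31:15 router kernel: br0: port 1(eth0) entered forwarding state
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_drop(line, prefix="v6-drop: "):
    """Return the key=value fields of one logged packet, or None."""
    if prefix not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split(prefix, 1)[1]):
        fields.setdefault(key, value)  # LEN appears twice; keep the first
    return fields

def dropped_dns(log_text):
    """Count dropped port-53 packets per (peer, protocol, direction)."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_drop(line)
        if not pkt or pkt.get("PROTO") not in ("UDP", "TCP"):
            continue
        if pkt.get("SPT") == "53":      # answer coming back from a DNS server
            peer, kind = pkt["SRC"], "reply"
        elif pkt.get("DPT") == "53":    # query on its way to a DNS server
            peer, kind = pkt["DST"], "query"
        else:
            continue
        # The kernel logs fully expanded addresses; compress for comparison.
        peer = str(ipaddress.ip_address(peer))
        counts[(peer, pkt["PROTO"], kind)] += 1
    return counts

if __name__ == "__main__":
    for (peer, proto, kind), n in dropped_dns(SAMPLE_LOG).items():
        print(f"{n} dropped {proto} DNS {kind} packet(s), peer {peer}")
```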
No v6 DNS Servers reachable?
[at] Shadow Hawkins on Sunday, 20 July 2014 17:12:10
Thank you for your answer.
Did you ask for permission for nmap'ing a remote host?
Replace "nmap" by "try to open a connection to port 53 and see if something comes back". I do not see a problem here, because the service is intended to be used and it is basically the same as if I would use any DNS lookup tool and watch the traffic in Wireshark. Correct me if I'm wrong, but trying to connect to a host which has a publicly announced service running on it is not illegal in my opinion, nor does it require special permission to do so?
No v6 DNS Servers reachable?
[ch] Jeroen Massar SixXS Staff on Sunday, 20 July 2014 21:11:47
Sebastian Bachmann wrote:
Thank you for your answer.
Did you ask for permission for nmap'ing a remote host?
Replace "nmap" by "try to open a connection to port 53 and see if something comes back". I do not see a problem here, because the service is intended to be used and it is basically the same as if I would use any DNS lookup tool and watch the traffic in Wireshark. Correct me if I'm wrong, but trying to connect to a host which has a publicly announced service running on it is not illegal in my opinion, nor does it require special permission to do so?
We do not operate test-ipv6.com, you'll have to ask them and check your local laws what is and what is not allowed.
