
Comments (11)

cdhowie commented on June 26, 2024

Can you get a pcap (Wireshark) dump of the DNS traffic between the DNS server and your Windows 7 device, and perhaps one other device that does work? I've not been able to duplicate the problem on my machines.

from netflix-no-ipv6-dns-proxy.

antxxxx commented on June 26, 2024

I did a capture using Wireshark when using the proxy and when not, and noticed that when using the proxy, and going to loopsofzen.co.uk, a DNS query is made to get an A record, but no query for the AAAA record. When not using the proxy, a DNS query is made for the A record and AAAA record.

I have tried just running simple_server.py from https://twistedmatrix.com/documents/15.0.0/names/howto/custom-server.html and noticed that when querying this, and querying a dnsmasq server, the rd flag is dropped from the response from simple_server.py.

$ dig loopsofzen.co.uk A @192.168.1.2 -p 10053

; <<>> DiG 9.10.3-P4 <<>> loopsofzen.co.uk A @192.168.1.2 -p 10053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39725
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;loopsofzen.co.uk.              IN      A

;; AUTHORITY SECTION:
loopsofzen.co.uk.       599     IN      SOA     primary-dns.co.uk. hostmaster.loopsofzen.co.uk. 2015072900 10800 3600 1209600 600

;; Query time: 38 msec
;; SERVER: 192.168.1.2#10053(192.168.1.2)
;; WHEN: Thu Jun 09 11:09:38 BST 2016
;; MSG SIZE  rcvd: 93

$ dig loopsofzen.co.uk A @192.168.1.2 -p 53

; <<>> DiG 9.10.3-P4 <<>> loopsofzen.co.uk A @192.168.1.2 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3020
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;loopsofzen.co.uk.              IN      A

;; AUTHORITY SECTION:
loopsofzen.co.uk.       599     IN      SOA     primary-dns.co.uk. hostmaster.loopsofzen.co.uk. 2015072900 10800 3600 1209600 600

;; Query time: 50 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Thu Jun 09 11:09:42 BST 2016
;; MSG SIZE  rcvd: 104



cdhowie commented on June 26, 2024

> when using the proxy, and going to loopsofzen.co.uk, a DNS query is made to get an A record, but no query for the AAAA record. When not using the proxy, a DNS query is made for the A record and AAAA record

This is particularly unusual. This seems like the OS doesn't think that it has a global IPv6 address so isn't even trying, but the fact that it does query AAAA records only when not using the proxy hints that something else is the matter.

I'm not totally convinced that the rd flag business is relevant, because it's a flag that the client uses to instruct the server to do a recursive lookup. I'd expect clients should ignore this flag in responses since it's not relevant to them. (They'd probably be looking for the ra flag, but not rd.)

If Windows 7 is altering behavior based on the presence of this flag in the response, that sounds like a Windows 7 bug -- not that I'm opposed to a compatibility fix. I will need to set up a Windows 7 VM and see if I can reproduce the issue.

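The header flags compared in the two dig outputs above, decoded from raw bytes. This is an added example, not code from the thread or from the proxy; the messages are constructed here, and `build_response(..., echo_rd=False)` is a hypothetical stand-in for a server that drops the bit.

```python
import struct

# Bit masks in the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def build_query(qname, qtype, msg_id, rd=True):
    """Build a minimal one-question query (constructed sample, class IN)."""
    header = struct.pack("!HHHHHH", msg_id, RD if rd else 0, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, echo_rd=True):
    """Turn a query into an empty NOERROR response with RA set."""
    msg_id, qflags = struct.unpack("!HH", query[:4])
    flags = QR | RA
    if echo_rd:
        # RFC 1035: RD may be set in a query and is copied into the response.
        flags |= qflags & RD
    return struct.pack("!HH", msg_id, flags) + query[4:]


def flag_names(message):
    """Return the set header flags in the order dig prints them."""
    (flags,) = struct.unpack("!H", message[2:4])
    table = [("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA)]
    return [name for name, bit in table if flags & bit]


def rd_mismatch(query, response):
    """True when the response does not carry the same RD bit as the query."""
    (qflags,) = struct.unpack("!H", query[2:4])
    (rflags,) = struct.unpack("!H", response[2:4])
    return (qflags & RD) != (rflags & RD)


if __name__ == "__main__":
    q = build_query("loopsofzen.co.uk", 1, 39725)  # type 1 = A
    for label, resp in (("rd dropped", build_response(q, echo_rd=False)),
                        ("rd echoed", build_response(q))):
        print(label, flag_names(resp), "mismatch:", rd_mismatch(q, resp))
```

Run against a capture, `rd_mismatch` on each query/response pair shows which server is not echoing the bit.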

antxxxx commented on June 26, 2024

One other thing I have noticed is that my clients all have 2 DNS servers - one IPv4 address supplied by IPv4 DHCP and one IPv6 address supplied by IPv6 DHCP/SLAAC, and some clients are using both of them - which might explain #2 as well.

I have made some changes to server.py at https://github.com/antxxxx/netflix-no-ipv6-dns-proxy/tree/multiple_interface to allow it to listen on IPv4 and IPv6, which I will try and see if it fixes anything.


cdhowie commented on June 26, 2024

> allow it to listen on IPv4 and IPv6

If you bind to the IPv6 wildcard address :: and have your system setting net.ipv6.bindv6only set to 0, then it will respond on IPv4 as well, without any code changes needed. (This is what I'm doing.)


antxxxx commented on June 26, 2024

net.ipv6.bindv6only is a Linux thing. I am running my DNS server and this proxy on FreeBSD :)


cdhowie commented on June 26, 2024

According to Google, FreeBSD has a similar sysctl net.inet6.ip6.bindv6only that might do what you want without needing to add complexity to the proxy code.


antxxxx commented on June 26, 2024

Thanks, I did not know about that. It's actually net.inet6.ip6.v6only in FreeBSD 10.3, and that does the trick.


antxxxx commented on June 26, 2024

I have found the problem and solution to this.

In Windows, there is a prefix policy table that determines which IP addresses are preferred. You can see this by using the netsh command:

C:\Users\anthony>netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        35      4  ::ffff:0:0/96
        30      2  2002::/16
         5      5  2001::/32
         3     13  fc00::/7
         1     11  fec0::/10
         1     12  3ffe::/16
         1      3  ::/96

With this setup, the IPv4 addresses (::ffff:0:0/96) are preferred over IPv6 addresses starting 2001 (like mine and loopsofzen.co.uk).

To fix it, I just lowered the precedence of the IPv6 range using this from an administrator command prompt:
netsh interface ipv6 set prefixpolicy prefix=::ffff:0:0/96 precedence=2 label=4

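How a destination address is matched against the prefix policy table printed above, as an added example that is not part of the original comment. It models only the longest-prefix lookup and the precedence ordering of RFC 6724, not the other selection rules; the sample addresses are constructed, and `set_precedence` is a hypothetical helper mirroring the `netsh ... set prefixpolicy` change.

```python
import ipaddress

# (precedence, label, prefix) rows copied from the netsh output above.
POLICY = [
    (50, 0, "::1/128"), (40, 1, "::/0"), (35, 4, "::ffff:0:0/96"),
    (30, 2, "2002::/16"), (5, 5, "2001::/32"), (3, 13, "fc00::/7"),
    (1, 11, "fec0::/10"), (1, 12, "3ffe::/16"), (1, 3, "::/96"),
]


def to_v6(addr):
    """Represent IPv4 addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip


def lookup(addr, table=POLICY):
    """Longest-prefix match; returns the (precedence, label, prefix) row."""
    ip = to_v6(addr)
    best, best_len = None, -1
    for row in table:
        net = ipaddress.ip_network(row[2])
        if ip in net and net.prefixlen > best_len:
            best, best_len = row, net.prefixlen
    return best  # never None while the table contains ::/0


def order_destinations(candidates, table=POLICY):
    """Sort candidates by precedence, highest first (precedence rule only)."""
    return sorted(candidates, key=lambda a: -lookup(a, table)[0])


def set_precedence(table, prefix, precedence):
    """Return a copy of the table with one row's precedence changed."""
    return [(precedence if p == prefix else prec, label, p)
            for prec, label, p in table]


if __name__ == "__main__":
    # 2001::/32 covers only 2001:0000:..., so 2001:db8::10 falls under ::/0.
    for a in ("192.0.2.10", "2001:db8::10", "2001:0:1::1"):
        print(a, "->", lookup(a))
    changed = set_precedence(POLICY, "::ffff:0:0/96", 2)
    print(order_destinations(["192.0.2.10", "2001:0:1::1"], changed))
```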

cdhowie commented on June 26, 2024

Interesting find. I'm still curious why just putting the proxy in the way causes this behavior change, though.


antxxxx commented on June 26, 2024

Actually this did not solve the problem.
However, I have managed to solve it by doing this.
I am using dnsmasq for DNS/DHCP, so I added this to my dnsmasq.conf and ran dnsmasq listening on port 53 and set up DHCP/RA to point to this DNS server:

server=/netflix.com/127.0.0.1#1053
server=/nflximg.com/127.0.0.1#1053

I then ran this proxy listening on 127.0.0.1 port 1053 pointing to an upstream DNS server.

With this setup, most DNS queries are handled by dnsmasq, but netflix.com and netfliximg.com are sent to this proxy where AAAA records are not returned.

