how to make resolver ask for A record before AAAA record

Skaperen · 03-01-2010, 12:16 PM

Anyone know how to configure the resolver to ask for an A record before it asks for an AAAA record? I don't want to disable IPv6. I just want to prefer IPv4 over IPv6 (because for now I do not have IPv6 connectivity to the internet and even when I do I may likely not want to use it for everything for a while, like it being a low bandwidth tunnel or something).

The resolver is version 9.6.1.dfsg.P1-3ubuntu0.3. So unless the Ubuntu maintainers broke this, it should be a resolver/BIND9 issue rather than an Ubuntu issue.

nimnull22 · 03-01-2010, 01:13 PM

Type on root console:

tcpdump -nn port 53

And check first what really is happening with your DNS requests.

Skaperen · 03-01-2010, 01:42 PM

Quote:

Originally Posted by nimnull22

Type on root console:

tcpdump -nn port 53

And check first what really is happening with your DNS requests.

Already did that. Queries are for AAAA records first. The caching server dutifully tries and gets a negative answer and returns that. Then a query is made for an A record. The answer to that is provided. But, so you can see, I captured one:

Code:

14:35:45.065118 IP 172.30.72.1.59404 > 172.30.0.4.53: 43074+ AAAA? www.ham.org. (29)
14:35:45.833519 IP 172.30.0.4.53 > 172.30.72.1.59404: 43074 0/1/0 (88)
14:35:45.833866 IP 172.30.72.1.55554 > 172.30.0.4.53: 875+ AAAA? www.ham.org.example.com. (41)
14:35:46.720186 IP 172.30.0.4.53 > 172.30.72.1.55554: 875 0/0/0 (41)
14:35:46.723638 IP 172.30.72.1.53017 > 172.30.0.4.53: 29772+ A? www.ham.org. (29)
14:35:46.724433 IP 172.30.0.4.53 > 172.30.72.1.53017: 29772 1/3/0 A 72.232.245.28 (99)

The above is an actual query with "example.com" substituted for the search domain, using the actual addresses in private IP space (172.30.72.1 is my laptop and 172.30.0.{4,5,6} being the local caching servers as given on "nameserver" lines in /etc/resolv.conf).

If the queried host does have an AAAA record, then it will get a positive response and attempt to connect to an IPv6 address which cannot be reached. The application would then have to query again and in a way to force looking for only an A record to be able to connect. Until there is a solution to this resolver misbehaviour, I will not want to put AAAA records on my server hostnames once I am connected via IPv6 to the internet, to avoid problems with users connecting to my servers.

nimnull22 · 03-01-2010, 01:59 PM

Strange on my Fedora, where I have IPv4 and IPv6 the first query goes to v4=A and then AAAA.

Can you post output for "ifconfig <interface>"

Also can you tell, what was sending these DNS requests?

bathory · 03-01-2010, 02:08 PM

The default is to try an A query before an AAAA (see resolv.conf man page)
Anyway you might use:

Code:

options single-request

in /etc/resolv.conf and see if it fixes your problem.

Regards

Skaperen · 03-01-2010, 02:43 PM

bathory...

Just tried that, but there is no change. What does that do? It's not documented in "man resolv.conf".

nimnull22...

Yes, that is my understanding of what it SHOULD do (A before AAAA) based on the man page. But maybe it got compiled to change the default to "options inet6" ... which means there needs to be a way to revert that by configuration (e.g. "options inet4" or options "inet"). IMHO, there should be several options: "4only", "4then6", "6only", "6then4" or however they might want to express it.

The query results appear to happen with every program I run, except for specific DNS tools that do their own thing instead of using the resolver. It is definitely doing it for Firefox. I have been doing the testing with "telnet www.ham.org 99" which gets me a "connection refused" once it gets the IPv4 address (there is no AAAA record for that host ... yet).

Here is output from "ifconfig etho":

Code:

altair/root /root 329# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:24:e8:e7:1e:cc  
          inet addr:172.30.72.1  Bcast:172.30.255.255  Mask:255.255.0.0
          inet6 addr: fd6e:fcbe:2304:0:224:e8ff:fee7:1ecc/64 Scope:Global
          inet6 addr: fe80::224:e8ff:fee7:1ecc/64 Scope:Link
          inet6 addr: fd00::48/64 Scope:Global
          inet6 addr: fc00::48/64 Scope:Global
          inet6 addr: fd6e:fcbe:2304::48/64 Scope:Global
          inet6 addr: fd00::4801/64 Scope:Global
          inet6 addr: fd00::148/64 Scope:Global
          inet6 addr: fc00::4801/64 Scope:Global
          inet6 addr: fc00::148/64 Scope:Global
          inet6 addr: fd6e:fcbe:2304::4801/64 Scope:Global
          inet6 addr: fd6e:fcbe:2304::148/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6106776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2379641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:3284626851 (3.2 GB)  TX bytes:1684845168 (1.6 GB)
          Memory:f6fe0000-f7000000 

altair/root /root 330#

Yes, there are Scope:Global IPv6 addresses configured. But that's not sufficient justification for the resolver to change the default. I'm doing lots of tests to determine IPv6 issues like this one I'm dealing with now (saw it a couple weeks ago but it only now reached the top of the issue stack).

Maybe Ubuntu maintainers for the BIND9/resolver package did something goofy? This is on Ubuntu 9.10 Karmic, and is also seen on Ubuntu 9.10 server.

nimnull22 · 03-01-2010, 02:52 PM

First of all, you have to understand that DNS QUERY can make any program. In case if you talk about Firefox, there is special option in it, to prevent use IPv6 dns.

I do not think that "nslookup www.com 208.67.222.222" will ask AAAA first. Try.

Skaperen · 03-01-2010, 03:06 PM

I tried "nslookup www.com 208.67.222.222" and as you and I both expected (for me, because it is a DNS tool) it only queried for an A record.

But "ordinary" programs seem to be using the resolver and that is querying for AAAA records first. And it clearly is the resolver doing it because I changed "/etc/resolv.conf" to literally have "search example.com" and the 2nd of the 2 AAAA queries does have "example.com" appended. So it or something clearly read the "/etc/resolv.conf" file.

Code:

altair/root /root 155# cat /etc/resolv.conf
search example.com
nameserver 172.30.0.4
nameserver 172.30.0.5
nameserver 172.30.0.6
altair/root /root 156#

Nearly next on my list of things to try is IPv6 addresses in "/etc/resolv.conf" (my DNS caching servers do also have unique local addresses configured in fc00::/7 space). But I suspect that won't help this problem.

Skaperen · 03-01-2010, 03:12 PM

Here is the significant part of the output of strace when running "telnet www.ham.org 99" with it:

Code:

16:07:13.635844 stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=85, ...}) = 0
16:07:13.635977 open("/etc/resolv.conf", O_RDONLY) = 3
16:07:13.636064 fstat(3, {st_mode=S_IFREG|0644, st_size=85, ...}) = 0
16:07:13.636178 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f243e39b000
16:07:13.636259 read(3, "search example.com\nnameserver 172.30.0.4\nnameserver 172.30.0.5\nnameserver 172.30.0.6\n", 4096) = 85
16:07:13.636377 read(3, "", 4096)       = 0
16:07:13.636449 close(3)                = 0
16:07:13.636519 munmap(0x7f243e39b000, 4096) = 0
16:07:13.636660 socket(PF_INET, 0x802 /* SOCK_??? */, IPPROTO_IP) = 3
16:07:13.636748 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("172.30.0.4")}, 28) = 0
16:07:13.636879 poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
16:07:13.636979 sendto(3, "L\233\1\0\0\1\0\0\0\0\0\0\3www\3ham\3org\0\0\34\0\1", 29, MSG_NOSIGNAL, NULL, 0) = 29
16:07:13.637129 poll([{fd=3, events=POLLIN}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
16:07:13.637781 ioctl(3, FIONREAD, [88]) = 0
16:07:13.637874 recvfrom(3, "L\233\201\200\0\1\0\0\0\1\0\0\3www\3ham\3org\0\0\34\0\1\300\20\0\6\0\1\0\0\0\365\0/\3ns0\4ipal\3net\0\nhostmaster\300-\22\331\r\22\0\0*0\0\0\7\10\0\r/\0\0\0T`", 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("172.30.0.4")}, [16]) = 88
16:07:13.638067 close(3)                = 0
16:07:13.638183 socket(PF_INET, 0x802 /* SOCK_??? */, IPPROTO_IP) = 3
16:07:13.638265 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("172.30.0.4")}, 28) = 0
16:07:13.638358 poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
16:07:13.638445 sendto(3, "\354e\1\0\0\1\0\0\0\0\0\0\3www\3ham\3org\7example\3com\0\0\34\0\1", 41, MSG_NOSIGNAL, NULL, 0) = 41
16:07:13.638569 poll([{fd=3, events=POLLIN}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
16:07:13.639222 ioctl(3, FIONREAD, [102]) = 0
16:07:13.639303 recvfrom(3, "\354e\201\203\0\1\0\0\0\1\0\0\3www\3ham\3org\7example\3com\0\0\34\0\1\300\30\0\6\0\1\0\0\0\365\0001\4dns1\5icann\3org\0\nhostmaster\300:w\300q8\0\0\34 \0\0\16\20\0\22"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("172.30.0.4")}, [16]) = 102
16:07:13.639479 close(3)                = 0
16:07:13.639565 stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=85, ...}) = 0
16:07:13.639697 socket(PF_INET, 0x802 /* SOCK_??? */, IPPROTO_IP) = 3
16:07:13.639776 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("172.30.0.4")}, 28) = 0
16:07:13.639868 poll([{fd=3, events=POLLOUT}], 1, 0) = 1 ([{fd=3, revents=POLLOUT}])
16:07:13.639954 sendto(3, "\252\362\1\0\0\1\0\0\0\0\0\0\3www\3ham\3org\0\0\1\0\1", 29, MSG_NOSIGNAL, NULL, 0) = 29
16:07:13.640073 poll([{fd=3, events=POLLIN}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
16:07:13.640785 ioctl(3, FIONREAD, [99]) = 0
16:07:13.640866 recvfrom(3, "\252\362\201\200\0\1\0\1\0\3\0\0\3www\3ham\3org\0\0\1\0\1\300\f\0\1\0\1\0\0$\4\0\4H\350\365\34\300\20\0\2\0\1\0\0$\4\0\6\3ns2\300\20\300\20\0\2\0\1\0\0$\4\0\6\3ns0\300\20\300\20\0\2\0\1\0\0$\4\0\6\3ns"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("172.30.0.4")}, [16]) = 99
16:07:13.641052 close(3)                = 0
16:07:13.641188 fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
16:07:13.641328 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f243e39b000
16:07:13.641435 write(1, "Trying 72.232.245.28...\n", 24Trying 72.232.245.28...
) = 24
16:07:13.641525 close(4294967295)       = -1 EBADF (Bad file descriptor)
16:07:13.641609 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
16:07:13.641700 setsockopt(3, SOL_IP, IP_TOS, [16], 4) = 0
16:07:13.641798 connect(3, {sa_family=AF_INET, sin_port=htons(99), sin_addr=inet_addr("72.232.245.28")}, 16) = -1 ECONNREFUSED (Connection refused)
16:07:13.700565 dup(2)                  = 4
16:07:13.700668 fcntl(4, F_GETFL)       = 0x8002 (flags O_RDWR|O_LARGEFILE)
16:07:13.700770 fstat(4, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
16:07:13.700894 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f243e39a000
16:07:13.700998 lseek(4, 0, SEEK_CUR)   = -1 ESPIPE (Illegal seek)
16:07:13.701128 write(4, "telnet: Unable to connect to remote host: Connection refused\n", 61telnet: Unable to connect to remote host: Connection refused

And here is the tcpdump output for that run:

Code:

16:07:13.637058 IP 172.30.72.1.51041 > 172.30.0.4.53: 19611+ AAAA? www.ham.org. (29)
16:07:13.637687 IP 172.30.0.4.53 > 172.30.72.1.51041: 19611 0/1/0 (88)
16:07:13.638514 IP 172.30.72.1.51591 > 172.30.0.4.53: 60517+ AAAA? www.ham.org.example.com. (41)
16:07:13.639145 IP 172.30.0.4.53 > 172.30.72.1.51591: 60517 NXDomain 0/1/0 (102)
16:07:13.640018 IP 172.30.72.1.34669 > 172.30.0.4.53: 43762+ A? www.ham.org. (29)
16:07:13.640708 IP 172.30.0.4.53 > 172.30.72.1.34669: 43762 1/3/0 A 72.232.245.28 (99)

nimnull22 · 03-01-2010, 03:12 PM

Tell please, if you do "telnet www.yandex.com 80", what query will be the first A or AAAA?

Actually, please send output of "route -n"

Thanks.

P.S.

And "ifconfig lo" also.

Thanks

Skaperen · 03-01-2010, 03:21 PM

Code:

16:18:00.710527 IP 172.30.72.1.33523 > 172.30.0.4.53: 5528+ AAAA? www.yandex.com. (32)
16:18:01.235109 IP 172.30.0.4.53 > 172.30.72.1.33523: 5528 1/1/0 CNAME www.yandex.ru. (120)
16:18:01.235399 IP 172.30.72.1.38403 > 172.30.0.4.53: 16646+ A? www.yandex.com. (32)
16:18:01.379887 IP 172.30.0.4.53 > 172.30.72.1.38403: 16646 5/4/0 CNAME www.yandex.ru., A 93.158.134.3, A 213.180.204.3, A 77.88.21.3, A 87.250.251.3 (195)

It queried AAAA first. Different answer so it didn't extend it with the search domain. But it did go to A record next. It did connect.

nimnull22 · 03-01-2010, 03:23 PM

Please send output of "route -n"
And "ifconfig lo" also.

Thanks

Skaperen · 03-01-2010, 03:27 PM

I replaced the first 16 bits of our public IP address with XXX.YY since this is a public forum.

Code:

altair/root /root 340# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
XXX.YY.210.8    0.0.0.0         255.255.255.248 U     0      0        0 eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.72.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.30.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         XXX.YY.210.9    0.0.0.0         UG    1      0        0 eth0
altair/root /root 341# ifconfig lo
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:68717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:168571509 (168.5 MB)  TX bytes:168571509 (168.5 MB)

altair/root /root 342#

nimnull22 · 03-01-2010, 03:33 PM

And last question. There is file in /etc - host.conf and nsswitch.conf. Can you post their content, please.

Thanks

Skaperen · 03-01-2010, 03:38 PM

Code:

altair/root /root 347# cat /etc/host.conf
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
altair/root /root 348# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
altair/root /root 349#