bas@workstation:~$ ping6 google.com
PING google.com(ams17s08-in-x0e.1e100.net (2a00:1450:400e:80e::200e)) 56 data bytes
64 bytes from ams17s08-in-x0e.1e100.net (2a00:1450:400e:80e::200e): icmp_seq=1 ttl=59 time=20.0 ms
64 bytes from ams17s08-in-x0e.1e100.net (2a00:1450:400e:80e::200e): icmp_seq=2 ttl=59 time=18.5 ms
Such mistakes from the router do not help in switching to IPv6.
Don’t get me wrong, I do like IPv6 now, but it’s far from perfectly implemented in routers.
It does hand out IPv6 adresses but doesn’t resolve one bit.
Dig has the same result, no answer.
I have reported the problem to AVM, let’s hope they fix it soon.
Thank for your help Marco, it really get’s me going on resolving the ‘minor’ problems.
Looks to me they disabled the DNS-proxy for ipv6 answers, they should not do that.
DHCP6 keeps working als well as the firewall, but the DNS stops for IPv6.
However it does listen to IPv6, that makes it even more strange.
I did not mean the content of the file /etc/hosts, I meant the commandhost (probably /usr/bin/host or /bin/host, it queries external DNS). May be your system does not have that command?
Good news: I am able to reproduce this at the moment on my own FRITZ!Box (well, at least for resolving hosts within my own network, not any others - it was a bit of a lucky shot in that sense, because I missed it earlier).
It seems to be caused by the ‘DNS rebinding protection’ of the FRITZ!Box.
@Bas could you try to add the servers in your network to the ‘DNS rebinding protection’-field in your FRITZ!Box and try again?
Marco, mine is set to IPv4 native and IPv6 enabled.
I could set IPv6 native but then other issues happen.
I followed EDPnet instrucktions and IPv6 is enabled on my conmection.
Even if I rebind ntp.heppen.be, it just anwers with 4 times IPv4 and that’s it.
However that could be something most DNS’ses do by default, just showing 4 IP’s.
To add something…the Fritz DNS really has a problem.
Normal command:
host ntp.heppen.be
ntp.heppen.be has address 82.168.89.20
ntp.heppen.be has address 89.207.129.63
ntp.heppen.be has address 5.196.189.119
ntp.heppen.be has address 77.109.90.72
Explicit asking IPv6:
host -6 ntp.heppen.be
;; connection timed out; no servers could be reached
Asking 1.1.1.1, no matter how, it responds.
host -6 ntp.heppen.be 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: ::ffff:1.1.1.1#53
Aliases:
ntp.heppen.be has address 89.207.129.63
ntp.heppen.be has address 5.196.189.119
ntp.heppen.be has address 77.109.90.72
ntp.heppen.be has address 82.168.89.20
ntp.heppen.be has IPv6 address 2a00:7b80:477:21::9dcb:d174
ntp.heppen.be has IPv6 address 2a02:578:440e:0:aaa1:59ff:fe3d:5b53
ntp.heppen.be has IPv6 address 2001:41d0:a:4558::9752:705b
If I use no flag, or -4 flag, result is always the same. The Fritz does not give IPv6 when asking for it.
Except my rebind.
See the proof notmally asked:
host ntp5.heppen.be
ntp5.heppen.be has address 5.135.125.103
ntp5.heppen.be has IPv6 address 2001:41d0:203:654d::8f37:5630
Asked in IPv6 mode to my outside NTP, it doesn’t respond:
host -6 ntp5.heppen.be
;; connection timed out; no servers could be reached
It simply refuses to answer me when I use IPv6 to talk to the Fritz-DNS.
Glad this is now solved. And glad it was not an IPv6-issue.
It turned out to be a safety measure that Fritz!box incorporates in their firmware to prevent DNS rebinding attacks (which normally is a good thing to have). Your hosts where always resolvable for everyone, except for you on the inside of your home network. And you could probably resolve all AAAA-records of other hosts, besides that ntp1.heppen.be and other systems within your homenet. One could say it worked as designed.
It’s good to be aware of this feature, especially in the case where the IPv4 address of the server is a global IP-address outside your internal network and the IPv6 is a global IP-address inside your network. That can make things a bit confusing. If the IPv4 address of ntp1.heppen.be had been an RFC1918 address from the subnet you use at home, you would not have been able to resolve the A-record either from within your network.
Hope this makes any sense. It’s a bit hard to explain in a few words.
PS: You need to add all internal hosts, if you want to be able to resolve them from within your network. But only after a risk assessment, to determine whether or not you need the DNS rebinding protection, or can live without.
Things I changed in the Fritzbox (translated from dutch):
1: Internet → Providerdata → IPv6 enabled + Native IPv6 usage + Learn global adres from prefix + DHCPv6 Rapid commit.
2: DNS-server → 4+6 use ISP + and added DNS domainnames like one.one.one.one dns.google.com etc.
3: Homenetwork → Network-settings → IPv6 settings: RFC5006 + Ony use DNS from Fritzbox
4: In Linux: resolvectl reset-server-features and resolvectl flush-caches
And voila it started working and resolving as I expected it to work.
But as said before, if you set Native IPv4 it will not resolve for IPv6 and only shows 4 entries, in native IPv6 it DOES resolve. But I needed to flush the cache of Mint/DHCP to make it work, it didn’t notice the new settings before.
And so you fight a router that has poor setting-descriptions and the help of the box doesn’t help either.
I tested my local servers and they behave as should as well.
Thanks guys for all your help as you put me on the right track on IPv6.
If uncle AVM-Fritzbox would have explained it better and had better translations, it would make it much easier to use IPv6.
Who would have though of that, me saying IPv6 is easy
Fritz!Box has attempted to be a product that can be used in all kinds of various environments. As such it has a rich feature set and many options to choose from.
That, plus the fact that everything has to work for both IPv4 and IPv6, makes it a bit of a challenge, sometimes. It would really be better if, some day, we can finally phase out IPv4
Believe it or not, the Fritzbox started to fight with me again and closed the ports.
The DNS is working, but Firewall was closed.
So I set it to Native IPv4 again under the IPv6 enable part, guess what, it started working another time.
I can not believe how poor their IPv6 support is.
I just wanted to use local-IPv6 adresses as well, it started creating new public-IP’s and local IP’s and closed the firewall for the static-IP I gave.
It seems that if you have firewall-problems, just switch from IPv4-native and IPv6-native (all under IPv6 tab) and it seems to rewrite the IPv6 firewall rules.
I can not get a grasp on this behaviour and the problem is that Belgium has a Modem-driver lock, so you can only use certified-boxes, firmware and DSL-pump.
It says: “The difference is that if ‘Use native IPv4 connection’ (recommended) is chosen and native IPv6 fails, a tunnel protocol over IPv4 (6to4) will be established.”
That sounds useful for an average user, but perhaps not in your case. Switching to 6RD will most likely lead to a different IPv6 address(range), which is what you are trying to prevent when offering a public service from your connection.
So, just stick to the ‘Always use a native IPv6 connection’ and try to understand what goes wrong. A Fritz!Box not normally all of a sudden breaks its firewall.
There is probably some simple explanation for it.
I think that the Fritz!Box ‘permit access’ setting work best with the automatically assigned addresses that the modem shows (like you do, if I see correctly). Than it is just a matter of clicking for some rules. Assigning something nice to your server, like 2001:db8:0:beef::123/64 might look cool, but appears somewhat more prone to misalignments between rules and actual address, if I remember correctly.
IPv6 tends to be unstinted with addresses. You often get a new one, especially under certain circumstances (like when privacy extensions are enabled, or when the router is rebooted). A good understanding of how that works might also help to avoid it.
