[Dnsmasq-discuss] Bug while using address=//::

Petr Menšík pemensik at redhat.com
Wed Sep 29 19:38:26 UTC 2021


Hi Dominik,

On 9/29/21 19:30, Dominik Derigs wrote:
> Hey Petr,
>
> On Wed, 2021-09-29 at 17:49 +0200, Petr Menšík wrote:
>> May I ask for your reason, why are you trying to explicitly block IPv6 in
>> year 2021?
> I asked the very same question when we received the reports about this bug
> with the different allocated memory sizes that was fixed two weeks ago. The
> answer I received from independent parties was always the same. In short:
>
> 1. No native IPv6 connectivity
> 2. Using some sort of VPN tunnel to get IPv6
> 3. Several services favor IPv6

Sure, this exactly is also my situation. We have some internal IPv6
connectivity at offices, but without global internet access. I do not
have native IPv6 even at home. But if I miss IPv6 route forward, I do
not care if applications try to get IPv6 addresses. If default route is
missing, any attempt of connection fails immediately. I don't know about
any application which cannot handle such situation. Okay, some applications
may use -4 parameter to skip logging failed attempts, but they should work.

If I have some IPv6 connectivity but want to skip it for some services,
I would understand that. Some subset only makes sense, like only for
netflix domains or spotify domains. Slightly better than blocking their
IPv6 ranges on firewall.

>
> These services (I saw Netflix, Spotify and other bigger names) mentioned
> that refuse to work because they think you want to cheat on their geo-
> fencing with your VPN. When they use Netflix over their native IPv4,
> everything works.

Ok, tunnels make geolocation hard. If they do not want to serve the
content to uncertain countries, sure, there may be no better way than to
disable AAAA queries for those services. Especially if their servers
accept a connection from those addresses and respond REFUSED kind of
error. Is there a scenario, where IPv6 communication over IP addresses
should work but any names should not resolve? I could not find any.

>
> I was a bit surprised about this, but it does make sense.
You are correct. Until we have fully supported native connectivity, some
filtering might help fixing broken services. Thanks for sharing your
experience.
>
> Best
> Dominik
Cheers,
Petr

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB



