This repository has been archived by the owner on Jun 6, 2020. It is now read-only.

ipv6 problems on windows 7 #1

Open
antxxxx opened this issue Jun 8, 2016 · 11 comments
antxxxx commented Jun 8, 2016

I think this is a problem with twisted names rather than this code, but reporting it here in case anyone else notices it.

I have set this up and can now access UK Netflix and play videos on a Windows 7 laptop while still accessing some ipv6 sites. However, some ipv6 sites are now not accessible in a browser.
Sites that work
ipv6.google.com
ip6.me (reports my ipv6 address correctly)

Sites that don't work
http://loopsofzen.co.uk/

Also, http://ipv6-test.com/ now reports that I don't have ipv6 connectivity

DNS lookups from a cmd prompt work fine and going directly to the ipv6 address works

These sites work fine from an android client on the same network

Owner

cdhowie commented Jun 9, 2016

Can you get a pcap (Wireshark) dump of the DNS traffic between the DNS server and your Windows 7 device, and perhaps one other device that does work? I've not been able to duplicate the problem on my machines.

@cdhowie cdhowie self-assigned this Jun 9, 2016
@cdhowie cdhowie added the bug label Jun 9, 2016
Author

antxxxx commented Jun 9, 2016

I did a capture using wireshark when using the proxy and when not, and noticed that when using the proxy, and going to loopsofzen.co.uk, a DNS query is made to get an A record, but no query for the AAAA record. When not using the proxy, a DNS query is made for the A record and AAAA record.

I have tried just running simple_server.py from https://twistedmatrix.com/documents/15.0.0/names/howto/custom-server.html and noticed that when querying this, and querying a dnsmasq server, the rd flag is dropped from the response from simple_server.py

$ dig loopsofzen.co.uk A @192.168.1.2 -p 10053

; <<>> DiG 9.10.3-P4 <<>> loopsofzen.co.uk A @192.168.1.2 -p 10053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39725
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;loopsofzen.co.uk.              IN      A

;; AUTHORITY SECTION:
loopsofzen.co.uk.       599     IN      SOA     primary-dns.co.uk. hostmaster.loopsofzen.co.uk. 2015072900 10800 3600 1209600 600

;; Query time: 38 msec
;; SERVER: 192.168.1.2#10053(192.168.1.2)
;; WHEN: Thu Jun 09 11:09:38 BST 2016
;; MSG SIZE  rcvd: 93

$ dig loopsofzen.co.uk A @192.168.1.2 -p 53

; <<>> DiG 9.10.3-P4 <<>> loopsofzen.co.uk A @192.168.1.2 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3020
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;loopsofzen.co.uk.              IN      A

;; AUTHORITY SECTION:
loopsofzen.co.uk.       599     IN      SOA     primary-dns.co.uk. hostmaster.loopsofzen.co.uk. 2015072900 10800 3600 1209600 600

;; Query time: 50 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Thu Jun 09 11:09:42 BST 2016
;; MSG SIZE  rcvd: 104
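
Added example, not part of the thread or of the project's code: a small header check for the difference visible in the two dig outputs above. RFC 1035 section 4.1.1 says the RD bit "may be set in a query and is copied into the response"; the messages below are constructed from the header values dig printed (ids, flags, counts), with the record sections left out.

```python
import struct

# Header flag masks, RFC 1035 section 4.1.1.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
FLAG_NAMES = ((QR, "qr"), (AA, "aa"), (TC, "tc"), (RD, "rd"), (RA, "ra"))


def encode_question(name, qtype):
    """Encode one question (class IN) in wire format."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_message(msg_id, flags, counts, question):
    """Pack a 12-byte header followed by the question section."""
    return struct.pack("!HH4H", msg_id, flags, *counts) + question


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": msg_id, "flags": flags,
            "names": [n for bit, n in FLAG_NAMES if flags & bit],
            "counts": (qd, an, ns, ar)}


def check_response(query, response):
    """Return the header inconsistencies between a query and its response."""
    q, r = parse_header(query), parse_header(response)
    problems = []
    if r["id"] != q["id"]:
        problems.append("id mismatch")
    if not r["flags"] & QR:
        problems.append("qr not set")
    if (r["flags"] & RD) != (q["flags"] & RD):
        problems.append("rd not copied from query")
    return problems


# Constructed samples: only the header values come from the dig output above.
Q = encode_question("loopsofzen.co.uk", 1)  # type A
QUERY_10053 = build_message(39725, RD, (1, 0, 0, 0), Q)
REPLY_10053 = build_message(39725, QR | RA, (1, 0, 1, 0), Q)
QUERY_53 = build_message(3020, RD, (1, 0, 0, 0), Q)
REPLY_53 = build_message(3020, QR | RD | RA, (1, 0, 1, 1), Q)

if __name__ == "__main__":
    print("10053:", parse_header(REPLY_10053)["names"], check_response(QUERY_10053, REPLY_10053))
    print("53:   ", parse_header(REPLY_53)["names"], check_response(QUERY_53, REPLY_53))
```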


Owner

cdhowie commented Jun 9, 2016

> when using the proxy, and going to loopsofzen.co.uk, a DNS query is made to get an A record, but no query for the AAAA record. When not using the proxy, a DNS query is made for the A record and AAAA record

This is particularly unusual. This seems like the OS doesn't think that it has a global IPv6 address so isn't even trying, but the fact that it does query AAAA records only when not using the proxy hints that something else is the matter.

I'm not totally convinced that the rd flag business is relevant, because it's a flag that the client uses to instruct the server to do a recursive lookup. I'd expect clients should ignore this flag in responses since it's not relevant to them. (They'd probably be looking for the ra flag, but not rd.)

If Windows 7 is altering behavior based on the presence of this flag in the response, that sounds like a Windows 7 bug -- not that I'm opposed to a compatibility fix. I will need to set up a Windows 7 VM and see if I can reproduce the issue.

Author

antxxxx commented Jun 9, 2016

One other thing I have noticed is that my clients all have 2 DNS servers - one IPv4 address supplied by IPv4 DHCP and one IPv6 address supplied by IPv6 DHCP/SLAAC, and some clients are using both of them - which might explain #2 as well.

I have made some changes to server.py at https://github.com/antxxxx/netflix-no-ipv6-dns-proxy/tree/multiple_interface to allow it to listen on IPv4 and IPv6 which I will try and see if it fixes anything

Owner

cdhowie commented Jun 9, 2016

> allow it to listen on IPv4 and IPv6

If you bind to the IPv6 wildcard address :: and have your system setting net.ipv6.bindv6only set to 0, then it will respond on IPv4 as well, without any code changes needed. (This is what I'm doing.)

Author

antxxxx commented Jun 9, 2016

net.ipv6.bindv6only is a Linux thing. I am running my dns server and this proxy on FreeBSD :)

Owner

cdhowie commented Jun 9, 2016

According to Google, FreeBSD has a similar sysctl net.inet6.ip6.bindv6only that might do what you want without needing to add complexity to the proxy code.

Author

antxxxx commented Jun 9, 2016

Thanks, I did not know about that. It's actually net.inet6.ip6.v6only in FreeBSD 10.3 and that does the trick

Author

antxxxx commented Jun 11, 2016

I have found the problem and solution to this.

In Windows, there is a prefix policy table that determines which IP addresses are preferred. You can see this by using the netsh command

C:\Users\anthony>netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        35      4  ::ffff:0:0/96
        30      2  2002::/16
         5      5  2001::/32
         3     13  fc00::/7
         1     11  fec0::/10
         1     12  3ffe::/16
         1      3  ::/96

With this setup, the IPv4 addresses (::ffff:0:0/96) are preferred over IPv6 addresses starting 2001 (like mine and loopsofzen.co.uk)

To fix it, I just lowered the precedence of the IPv6 range using this from an administrator command prompt
netsh interface ipv6 set prefixpolicy prefix=::ffff:0:0/96 precedence=2 label=4
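
Added example, not part of the thread: how a destination address is matched against the prefix policy table shown above, using the longest-prefix lookup and the "prefer higher precedence" rule of RFC 6724 (RFC 3484 before it). The table rows are copied from the netsh output; the sample destinations are constructed, and the other selection rules (scope, label matching, and so on) are not modelled.

```python
import ipaddress

# (precedence, label, prefix) rows copied from the netsh output above.
WIN7_POLICY = [
    (50, 0, "::1/128"), (40, 1, "::/0"), (35, 4, "::ffff:0:0/96"),
    (30, 2, "2002::/16"), (5, 5, "2001::/32"), (3, 13, "fc00::/7"),
    (1, 11, "fec0::/10"), (1, 12, "3ffe::/16"), (1, 3, "::/96"),
]


def classify(addr, policy=WIN7_POLICY):
    """Return (prefix, precedence, label) of the longest matching row."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # IPv4 destinations are looked up as IPv4-mapped IPv6 addresses.
        ip = ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    best = None
    for precedence, label, prefix in policy:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prefix, precedence, label)
    return best[1:]


def set_precedence(policy, prefix, precedence):
    """Copy of the table with one row's precedence changed."""
    return [(precedence if p == prefix else prec, label, p)
            for prec, label, p in policy]


def order_destinations(addrs, policy=WIN7_POLICY):
    """Highest precedence first; the other selection rules are not modelled."""
    return sorted(addrs, key=lambda a: -classify(a, policy)[1])


# Constructed sample destinations (not addresses from the thread).
SAMPLES = ["192.0.2.10", "2001:0:53aa:64c::1", "2001:db8::10"]

if __name__ == "__main__":
    # Same change as the netsh set prefixpolicy command above.
    changed = set_precedence(WIN7_POLICY, "::ffff:0:0/96", 2)
    for a in SAMPLES:
        print(a, classify(a), classify(a, changed))
    print(order_destinations(SAMPLES))
    print(order_destinations(SAMPLES, changed))
```

Only addresses whose first 32 bits are 2001:0000 fall under the 2001::/32 row; other addresses that begin with 2001 match ::/0.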

Owner

cdhowie commented Jun 11, 2016

Interesting find. I'm still curious why just putting the proxy in the way causes this behavior change, though.

Author

antxxxx commented Jun 13, 2016

Actually this did not solve the problem.
However, I have managed to solve it by doing this.
I am using dnsmasq for DNS/DHCP, so I added this to my dnsmasq.conf and ran dnsmasq listening on port 53 and set up DHCP/RA to point to this DNS server

server=/netflix.com/127.0.0.1#1053
server=/nflximg.com/127.0.0.1#1053

I then ran this proxy listening on 127.0.0.1 port 1053 pointing to an upstream DNS server

With this setup, most DNS queries are handled by dnsmasq, but netflix.com and netfliximg.com are sent to this proxy where AAAA records are not returned
