Skip to content
Unable to resolve IPv6 domain names
Got a problem with Viscosity or need help? Ask here!
Hello,
when MacOS has IPv4-only connectivity, it's not possible to resolve pure IPv6 domain names like speedtest6.tele2.net even though the VPN tunnel properly supports both IPv4 and IPv6 protocols and all traffic is redirected into it via "redirect-gateway def1 ipv6". Tried also Full DNS option, without any change.
scutil --dns shows, that AAAA resolution is only activated for VPN domains (resolver #3) but not globally (resolver #1):
DNS configuration
resolver #1
search domain[0] : mycompany.com
nameserver[0] : x.x.x.x (original DNS server configured on WiFi interface)
flags : Request A records
reach : 0x00000002 (Reachable)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : mycompany.com
nameserver[0] : 127.0.0.1
port : -12932
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
order : 101200
resolver #4
domain : mycompany.com
nameserver[0] : 8.8.8.8
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 102200
When MacOS has dual-stack connectivity, Viscosity remaps also resolver #1 to 127.0.0.1, so IPv6 resolution works for all domains.
DNS configuration
resolver #1
search domain[0] : mycompany.com
nameserver[0] : 127.0.0.1
port : -12835
flags : Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
Thanks in advance for your help.
when MacOS has IPv4-only connectivity, it's not possible to resolve pure IPv6 domain names like speedtest6.tele2.net even though the VPN tunnel properly supports both IPv4 and IPv6 protocols and all traffic is redirected into it via "redirect-gateway def1 ipv6". Tried also Full DNS option, without any change.
scutil --dns shows, that AAAA resolution is only activated for VPN domains (resolver #3) but not globally (resolver #1):
DNS configuration
resolver #1
search domain[0] : mycompany.com
nameserver[0] : x.x.x.x (original DNS server configured on WiFi interface)
flags : Request A records
reach : 0x00000002 (Reachable)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : mycompany.com
nameserver[0] : 127.0.0.1
port : -12932
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
order : 101200
resolver #4
domain : mycompany.com
nameserver[0] : 8.8.8.8
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 102200
When MacOS has dual-stack connectivity, Viscosity remaps also resolver #1 to 127.0.0.1, so IPv6 resolution works for all domains.
DNS configuration
resolver #1
search domain[0] : mycompany.com
nameserver[0] : 127.0.0.1
port : -12835
flags : Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
Thanks in advance for your help.
Hi mdurkovic,
You'll need to use Full DNS mode if you want to resolve IPv6 domains not associated with the VPN DNS domains list. When using Full DNS mode you should notice that AAAA resolution is active on the primary resolver, even if the normal local network doesn't have IPv6 connectivity.
If IPv6 DNS records are not resolving, then it likely points to a different issue, such as a routing issue. Please check the connection log to ensure that all IPv6 traffic is being successfully routed through the VPN connection:
https://www.sparklabs.com/support/kb/ar ... envpn-log/
When testing IPv6 DNS resolution, please also ensure that you're not using legacy Unix tools that don't use the macOS resolver system (such as nslookup or host). Please see the "Notes for Linux/Unix Users" and "Looking Up Or Testing A Domain Name" sections at:
https://www.sparklabs.com/support/kb/ar ... -settings/
Cheers,
James
You'll need to use Full DNS mode if you want to resolve IPv6 domains not associated with the VPN DNS domains list. When using Full DNS mode you should notice that AAAA resolution is active on the primary resolver, even if the normal local network doesn't have IPv6 connectivity.
If IPv6 DNS records are not resolving, then it likely points to a different issue, such as a routing issue. Please check the connection log to ensure that all IPv6 traffic is being successfully routed through the VPN connection:
https://www.sparklabs.com/support/kb/ar ... envpn-log/
When testing IPv6 DNS resolution, please also ensure that you're not using legacy Unix tools that don't use the macOS resolver system (such as nslookup or host). Please see the "Notes for Linux/Unix Users" and "Looking Up Or Testing A Domain Name" sections at:
https://www.sparklabs.com/support/kb/ar ... -settings/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Hello James,
thanks for your reply. Looking at the log, FullDNS mode was selected automatically. We also tried to configure it manually but no change - still AAAA records are not resolved. IPv6 connectivity works OK, all the IPv6 routes installed by "redirect-gateway def1 ipv6" are in place.
It looks like MacOS Ventura (13.6.6) changed something, because other VPN clients have similar problems. When there's no physical IPv6-capable interface, Ventura does not allow Viscosity to change primary DNS to 127.0.0.1 - the log shows, that every 10 seconds, Viscosity tries to restart the DNS daemon at 127.0.0.1 and reinstall it as primary resolver, because "DNS change detected..." - but it never succeeds. When physical interface with IPv6 connectivity exists, 127.0.0.1 is immediately installed as primary resolver.
What is actually the reason for this DNS daemon at 127.0.0.1 ? Is it there just because loopback interface is always IPv6 enabled and you were able to get AAAA resolution based on that?
We found a solution for Tunnelblick: it enables all DNS resolvers for AAAA records without this special DNS daemon. But unlike the previous MacOS versions, with Ventura it only works with gif0 interface - see:
https://github.com/Tunnelblick/Tunnelbl ... 2094806779
thanks for your reply. Looking at the log, FullDNS mode was selected automatically. We also tried to configure it manually but no change - still AAAA records are not resolved. IPv6 connectivity works OK, all the IPv6 routes installed by "redirect-gateway def1 ipv6" are in place.
It looks like MacOS Ventura (13.6.6) changed something, because other VPN clients have similar problems. When there's no physical IPv6-capable interface, Ventura does not allow Viscosity to change primary DNS to 127.0.0.1 - the log shows, that every 10 seconds, Viscosity tries to restart the DNS daemon at 127.0.0.1 and reinstall it as primary resolver, because "DNS change detected..." - but it never succeeds. When physical interface with IPv6 connectivity exists, 127.0.0.1 is immediately installed as primary resolver.
What is actually the reason for this DNS daemon at 127.0.0.1 ? Is it there just because loopback interface is always IPv6 enabled and you were able to get AAAA resolution based on that?
We found a solution for Tunnelblick: it enables all DNS resolvers for AAAA records without this special DNS daemon. But unlike the previous MacOS versions, with Ventura it only works with gif0 interface - see:
https://github.com/Tunnelblick/Tunnelbl ... 2094806779
Please post or email us the following information and we'll take a closer look for you:
https://www.sparklabs.com/support/kb/ar ... ort-staff/
Cheers,
James
https://www.sparklabs.com/support/kb/ar ... ort-staff/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
4 posts
Page 1 of 1