Unable to resolve IPv6 domain names


mdurkovic

Posts: 2
Joined: Sun May 05, 2024 4:33 pm

Post by mdurkovic » Sun May 05, 2024 4:50 pm
Hello,

when macOS has IPv4-only connectivity, it's not possible to resolve pure IPv6 domain names like speedtest6.tele2.net even though the VPN tunnel properly supports both IPv4 and IPv6 protocols and all traffic is redirected into it via "redirect-gateway def1 ipv6". Also tried the Full DNS option, without any change.

scutil --dns shows that AAAA resolution is only activated for VPN domains (resolver #3) but not globally (resolver #1):

DNS configuration

resolver #1
search domain[0] : mycompany.com
nameserver[0] : x.x.x.x (original DNS server configured on WiFi interface)
flags : Request A records
reach : 0x00000002 (Reachable)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

resolver #3
domain : mycompany.com
nameserver[0] : 127.0.0.1
port : -12932
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
order : 101200

resolver #4
domain : mycompany.com
nameserver[0] : 8.8.8.8
flags : Supplemental, Request A records
reach : 0x00000002 (Reachable)
order : 102200

When macOS has dual-stack connectivity, Viscosity also remaps resolver #1 to 127.0.0.1, so IPv6 resolution works for all domains.

DNS configuration

resolver #1
search domain[0] : mycompany.com
nameserver[0] : 127.0.0.1
port : -12835
flags : Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

Thanks in advance for your help.

James

Posts: 2360
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri May 10, 2024 11:22 am
Hi mdurkovic,

You'll need to use Full DNS mode if you want to resolve IPv6 domains not associated with the VPN DNS domains list. When using Full DNS mode you should notice that AAAA resolution is active on the primary resolver, even if the normal local network doesn't have IPv6 connectivity.

If IPv6 DNS records are not resolving, then it likely points to a different issue, such as a routing issue. Please check the connection log to ensure that all IPv6 traffic is being successfully routed through the VPN connection:
https://www.sparklabs.com/support/kb/ar ... envpn-log/

When testing IPv6 DNS resolution, please also ensure that you're not using legacy Unix tools that don't use the macOS resolver system (such as nslookup or host). Please see the "Notes for Linux/Unix Users" and "Looking Up Or Testing A Domain Name" sections at:
https://www.sparklabs.com/support/kb/ar ... -settings/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
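
A check for the condition described in the reply above, as an added example that is not part of the original posts or Viscosity's own tooling: it parses `scutil --dns` output and reports, per resolver, whether AAAA records are requested, with a separate test for the primary resolver #1. The sample input is constructed from the output in the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which resolvers in `scutil --dns` output request AAAA.

# Constructed sample, abbreviated from the IPv4-only output in the first post.
sample_ipv4_only() {
cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : mycompany.com
  nameserver[0] : x.x.x.x
  flags : Request A records

resolver #3
  domain : mycompany.com
  nameserver[0] : 127.0.0.1
  flags : Supplemental, Request A records, Request AAAA records
EOF
}

# stdin: scutil --dns output. stdout, one line per resolver:
#   <number> <domain|default> <first nameserver|-> <AAAA|no-AAAA>
resolver_summary() {
  awk '
    function emit() {
      if (num != "") {
        printf "%s %s %s %s\n", num, (dom == "" ? "default" : dom),
               (ns == "" ? "-" : ns), (aaaa ? "AAAA" : "no-AAAA")
      }
    }
    # Resolver numbers restart in the scoped-query section, so stop there.
    /^DNS configuration \(for scoped queries\)/ { exit }
    /^[ \t]*resolver #[0-9]+/       { emit(); num = substr($2, 2); dom = ns = ""; aaaa = 0; next }
    /^[ \t]*domain[ \t]*:/          { dom = $3 }
    /^[ \t]*nameserver\[0\][ \t]*:/ { ns = $3 }
    /^[ \t]*flags[ \t]*:/           { aaaa = ($0 ~ /Request AAAA records/) }
    END { emit() }
  '
}

# Exit status 0 only if resolver #1 (treated as primary, as in the thread)
# requests AAAA records.
primary_requests_aaaa() {
  resolver_summary |
    awk '$1 == 1 { found = 1; ok = ($4 == "AAAA") } END { exit !(found && ok) }'
}

# On macOS inspect the live configuration; elsewhere fall back to the sample.
if command -v scutil >/dev/null 2>&1; then
  scutil --dns | resolver_summary
else
  sample_ipv4_only | resolver_summary
fi
```

On a Mac, `scutil --dns | primary_requests_aaaa && echo ok` gives a quick pass/fail before and after connecting the VPN.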


Post by mdurkovic » Fri May 10, 2024 7:46 pm
Hello James,

thanks for your reply. Looking at the log, FullDNS mode was selected automatically. We also tried to configure it manually but no change - still AAAA records are not resolved. IPv6 connectivity works OK, all the IPv6 routes installed by "redirect-gateway def1 ipv6" are in place.

It looks like macOS Ventura (13.6.6) changed something, because other VPN clients have similar problems. When there's no physical IPv6-capable interface, Ventura does not allow Viscosity to change primary DNS to 127.0.0.1 - the log shows that every 10 seconds, Viscosity tries to restart the DNS daemon at 127.0.0.1 and reinstall it as primary resolver, because "DNS change detected..." - but it never succeeds. When a physical interface with IPv6 connectivity exists, 127.0.0.1 is immediately installed as primary resolver.

What is actually the reason for this DNS daemon at 127.0.0.1? Is it there just because the loopback interface is always IPv6 enabled and you were able to get AAAA resolution based on that?

We found a solution for Tunnelblick: it enables all DNS resolvers for AAAA records without this special DNS daemon. But unlike the previous macOS versions, with Ventura it only works with the gif0 interface - see:
https://github.com/Tunnelblick/Tunnelbl ... 2094806779


Post by James » Sat May 11, 2024 3:06 am
Please post or email us the following information and we'll take a closer look for you:
https://www.sparklabs.com/support/kb/ar ... ort-staff/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs