rossburton
May 29, 2021 Aspirant
Link-local used for IPv6 DNS server
Basically, https://community.netgear.com/t5/Orbi/Bug-RBR20-incorrectly-uses-link-local-router-IPv6-address-as/td-p/1887490 I turned on IPv6 and now my Orbi is telling DHCP clients that the DNS se...
CrimpOn
May 29, 2021 Guru - Experienced User
rossburton wrote: I turned on IPv6 and now my Orbi is telling DHCP clients that the DNS servers are 192.168.1.1 (which is good) and fe80::[...], which is not. As discussed in the thread above, this is not useful.
The result of this is that depending on what server the application uses, addresses may or may not resolve.
Does anyone have a solution for this?
As this affects only devices with IPv6, one workaround would be to define IPv6 DNS servers on those few devices.
(This seems like a great opportunity to learn more about IPv6, so.....)
How would a person test that the link local IPv6 address will not resolve DNS? The IPv4 DNS is a "local" IP address (the Orbi LAN IP).
Perhaps the Orbi accepts DNS queries on its link local interface and uses its external IPv6 address to pass queries?
My first thought is to disable IPv4 on my network interface, which would probably eliminate contact with any device or service that supports only IPv4. So, I have shelved that idea for now.
My second thought was to use the ping -6 command. When I do that, many URLs respond. I tried (one.one.one.one, google.com, ibm.com, att.com) and they all worked. I tried some other URLs and got "Could not find host", which is what I would expect if those domains do not support IPv6.
So now I'm back wondering how to test the concept that giving devices the link local IPv6 address is wrong if it works for many domains and I am not (100%) certain that the failing domains actually support IPv6.
CrimpOn
May 29, 2021 Guru - Experienced User
Have noticed that nslookup returns IPv6 addresses for every domain that ping -6 is successful with.
nslookup returns only IPv4 addresses for the domains that ping -6 fails on.
What would help is a list of domains that definitely have IPv6 addresses but ping -6 fails to reach.
I love to rag on Netgear, but so far the damning evidence eludes me.
- CrimpOn May 29, 2021 Guru - Experienced User
There is another experiment, which I will attempt this evening.
Capture LAN/WAN traffic.
Make IPv6 calls for domains that are not likely to be in the DNS cache.
Analyze LAN/WAN with Wireshark.
For every IPv6 DNS lookup that is addressed to the Link Local Orbi interface, look for corresponding IPv6 lookups from the Orbi IPv6 WAN interface and responses from the designated DNS servers.
It probably doesn't matter if the domains support IPv6 or not, as long as the DNS requests are made.
Does anyone know the telnet command to clear the local DNS cache on Orbi?
- rossburton May 29, 2021 Aspirant
Okay, so here's a concrete example:
On my clients (numerous macOS and Linux devices), the name servers in the DHCP responses are the link-local address of the router:

    nameserver fe80::2a80:88ff:feeb:3cf8
    nameserver 192.168.1.1

I can use dig to query the v4 address:

    $ dig @192.168.1.1 netgear.com
    ; <<>> DiG 9.10.6 <<>> @192.168.1.1 netgear.com
    ; (1 server found)
    ;; ANSWER SECTION:
    netgear.com. 60 IN A 76.223.14.31
    netgear.com. 60 IN A 13.248.140.194
    ;; Query time: 29 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)

Dig also works using the v6 address of my ISP's server:

    $ dig @2001:8b0::2020 netgear.com
    ; <<>> DiG 9.10.6 <<>> @2001:8b0::2020 netgear.com
    ; (1 server found)
    ;; ANSWER SECTION:
    netgear.com. 60 IN A 76.223.14.31
    netgear.com. 60 IN A 13.248.140.194
    ;; SERVER: 2001:8b0::2020#53(2001:8b0::2020)

But using the IPv6 address that the router is telling the clients to use fails:

    $ dig @fe80::2a80:88ff:feeb:3cf8 netgear.com
    ; <<>> DiG 9.10.6 <<>> @fe80::2a80:88ff:feeb:3cf8 netgear.com
    ; (1 server found)
    ;; connection timed out; no servers could be reached

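An added example, not part of any post in this thread: a small Python check that reads resolv.conf-style text and flags nameserver entries that are IPv6 link-local (fe80::/10) addresses written without a zone identifier, the form shown in the post above. The sample text is constructed from the addresses quoted in the thread, and the interface name `en0` is an assumption used only to show the scoped form.

```python
import ipaddress

# Constructed sample: the two nameserver lines reported in the post above,
# plus a scoped variant (interface name "en0" is an assumption) and the
# ISP resolver address quoted in the same post.
SAMPLE_RESOLV_CONF = """\
# written by the DHCP client
nameserver fe80::2a80:88ff:feeb:3cf8
nameserver 192.168.1.1
nameserver fe80::2a80:88ff:feeb:3cf8%en0
nameserver 2001:8b0::2020
"""


def classify_nameserver(value):
    """Return (family, verdict) for one nameserver value."""
    # A zone identifier, if present, follows '%' (for example fe80::1%en0).
    addr_text, _, zone = value.partition("%")
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return ("?", "invalid")
    family = "IPv6" if addr.version == 6 else "IPv4"
    if addr.version == 6 and addr.is_link_local:
        # fe80::/10 is present on every interface, so the bare address
        # does not say which link a query should be sent on.
        return (family, "link-local-scoped" if zone else "link-local-unscoped")
    return (family, "ok")


def audit_resolv_conf(text):
    """Return [(value, family, verdict)] for every nameserver line."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            results.append((fields[1],) + classify_nameserver(fields[1]))
    return results


if __name__ == "__main__":
    for value, family, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{value:36} {family:5} {verdict}")
```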
- CrimpOn May 30, 2021 Guru - Experienced User
Thanks for the example. (Now I get to learn about the Linux dig command - and see if there is an equivalent in Windows).
We seem to have a different understanding of the meaning of "nameserver". I take it as "send DNS queries to these servers and they will respond to you." They are not the ultimate resolvers for DNS.
netgear.com does not appear to have an IPv6 address, so attempts to resolve it will fail, whereas
www.netgear.com has a bunch of IPv6 addresses.
While I haul out a Linux box and load up dig, maybe you could do the same test with domains such as ibm.com and google.com that are known to have IPv6 addresses.