Unreachable DNS over Link-Local IPv6
I have been facing issues on my local network. The symptom was connections being slow to establish, mostly visible on some devices, but reproduced on a wide range. The setup is simple: a Livebox4 from my ISP, which handles everything with just WiFi disabled, and an R7000 connected to it, with WiFi enabled in Access Point mode. IPv6 has been working for years without any issue until recently, likely after an upgrade (but I cannot tell if it's the R7000 or the Livebox4).
I could identify the slowness as related to DNS resolution over IPv6. The network uses stateless configuration, and the Livebox4 sends router advertisements that include its link-local IPv6 address for DNS resolution over IPv6. I could diagnose that this IPv6 address was reachable by ping, but not for DNS, only over WiFi (reproduced from a ThinkPad running Linux, a Mac and several Android devices). My desktop, connected directly to the Livebox, could do IPv6 DNS resolution.
So, I captured packets using Wireshark on my laptop while reproducing the issue with:
dig -6 +trace m.youtube.com
This showed me packets going over the network properly, and then ICMPv6 coming back with error message "Beyond scope of source address".
An interesting point is that the ICMPv6 packet coming back included some of the DNS payload, that showed two things:
- a trace of an "OpenDNS" message in the hex dump of the payload
- an IPv6 destination address of 2620:0:ccc:2
Using the hidden debug interface on the R7000, I could capture the packets during DNS resolution over IPv6 from both the Linux laptop and the Android phone, which revealed that my DNS resolution also goes to 2620:0:ccc:2.
As far as I could discover, it seems Netgear products rely on OpenDNS services for parental control and stuff like that, which is disabled in my case. I've already tried resetting the router and restarting configuration from scratch, but it did not help at all. It is running V220.127.116.11_10.2.64.
So this is bad for two reasons:
- leaking my DNS resolution to some third party
- it seems bogus and thus it impacts my network performance.
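As an added example (not from the original post), here is a small Python decoder for the ICMPv6 "Destination Unreachable" error described above: it pulls the source and destination addresses and the DNS question name out of the original packet quoted inside the error, which is how the redirected destination becomes visible. The constructed sample packet assumes fe80::1 as the querying host and 2620:0:ccc::2 (assumed to be the full form of the 2620:0:ccc:2 noted above) as the destination the query was redirected to.

```python
import ipaddress
import struct
# ICMPv6 Destination Unreachable codes (RFC 4443, section 3.1)
ICMPV6_DEST_UNREACH = 1
UNREACH_CODES = {
    0: "no route to destination",
    2: "beyond scope of source address",
    3: "address unreachable",
}

def parse_dns_qname(data, offset):
    """Read the first question name of a DNS query (no label compression expected)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def decode_icmpv6_unreach(icmp):
    """Decode a Destination Unreachable message and the original packet it quotes."""
    if icmp[0] != ICMPV6_DEST_UNREACH:
        raise ValueError("not an ICMPv6 Destination Unreachable message")
    inner = icmp[8:]  # type, code, checksum, 4 unused bytes, then the invoking packet
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    result = {
        "reason": UNREACH_CODES.get(icmp[1], f"code {icmp[1]}"),
        "original_src": str(src),
        "original_dst": str(dst),
        "src_is_link_local": src.is_link_local,  # link-local source cannot reach a global dst
        "dst_is_global": dst.is_global,
        "qname": None,
    }
    # next header 17 = UDP; the DNS question follows the 8-byte UDP and 12-byte DNS headers
    if inner[6] == 17 and struct.unpack("!H", inner[42:44])[0] == 53:
        result["qname"], _ = parse_dns_qname(inner, 40 + 8 + 12)
    return result

def build_sample_unreach(qname="m.youtube.com"):
    """Constructed (not captured) error quoting an AAAA query sent to fe80::1's resolver."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + question + struct.pack("!HH", 28, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), 17, 64)  # assumed addresses below
    ip6 += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("2620:0:ccc::2").packed
    return struct.pack("!BBHI", ICMPV6_DEST_UNREACH, 2, 0, 0) + ip6 + udp
```

Feeding the raw ICMPv6 bytes of a captured error (Wireshark's "Copy as Hex Stream" on the ICMPv6 layer) to decode_icmpv6_unreach gives the same fields for real traffic.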