Grant Taylor via NANOG <nanog@nanog.org> writes:
Hi Toke,
On 9/5/21 3:07 PM, Toke Høiland-Jørgensen via NANOG wrote:
Well, that's what I used to do back when I didn't have native v6 and ran into this issue: block v6 at the DNS level. I.e., simply filter out all AAAA records for offending service providers. Pretty simple to setup on your home router (it's usually one or a few TLDs per service provider).
I agree that it's not hard to disable AAAA resolution for ... obstinate domains. However, as you say, doing so means breaking DNSSEC more and more often. Of course it's possible to do that, but it's now a second thing that's being done per obstinate domain. :-(
I've considered null routing / rejecting IPv6 traffic to prefixes associated with the obstinate domains, but that's not really a set it and forget it thing. Especially if ~> when the obstinate domains use shared hosting thus bring collateral damage into the mix. And yet another (3rd) hack ~> workaround. :-(
It does fail if your clients do DNSSEC validation, but if you do that at the router (or not at all) it should just work :)
Ya. I've been doing the DNSSEC validation on the LAN local recursive DNS server for this reason.
Yup, me too :)
And yeah, it's an ugly hack that really shouldn't be necessary,
Yep. How many ugly hacks does it take before one starts questioning if said ugly hack(s) is (are) the proper thing to do?
Well, I come from a software background, so in my world the whole thing is held together by duct tape and string anyway ;) And while I can agree in principle, the nice thing about hacks is that you can actually get those to *work*, whereas tilting at windmills to get providers to do the right thing is much harder. So ideally you could do both: deploy the hack(s) while waiting to get the proper fix deployed a decade or two from now...
but I found it worked quite well back when I used it (a handful of years ago or so), and it keeps IPv6 active and working for everything else...
If you're willing to (break) deal with DNSSEC, yes it does work.
Another solution that I've used on occasion is to do your own tunnelling: find a hosting provider that can provide you a VPS with a v6 prefix and do your own tunnelling to that. This works by virtue of being "under the radar" of the service providers that do this kind of broken filtering, providing you can find a VPS provider whose prefixes are not blacklisted for some other reason (like being non-residential or something).
The operative phrase being "find a VPS provider whose prefixes are not blacklisted". :-/
The workaround ~> hack is becoming more and more problematic year after year.
Yeah, I do realise that that particular workaround probably has (had?) an expiry date :( -Toke