SixXS::Sunset 2017-06-06

Can't reache some Sites ... but
[de] Shadow Hawkins on Saturday, 21 May 2011 00:49:17
The testsite : test-ipv6.com shows: "10/10fr Ihre IPv4 Stabilitt und Bereitschaft, wenn Inhalte via IPv4 und IPv6 verfgbar sind 10/10fr Ihre IPv6 Stabilitt und Bereitschaft, wenn Inhalte nur via IPv6 verfgbar sind" So everything should be ok ... but I can't reache some big IPv6-Sites (google) "Fehler: Server nicht gefunden Der Server unter ipv6.google.com konnte nicht gefunden werden." The routers says: Verbunden seit 21.05.2011 00:34 Uhr Globale IPv6 Adresse der FRITZ!Box 2001:xxxx:xxxx:xxxx::2/64 Globale IPv6 Adresse bezogen ber Tunneleinstellung Gltigkeit der globalen IPv6-Adresse 4294967295 s /4294967295s IPv6-MTU 1280 Globales IPv6-Prfix 2001:xxxx:xxxx::/48 Gltigkeit des globalen IPv6-Prfixes 4294967295 s /4294967295s Erster IPv6 DNS-Server Zweiter IPv6 DNS-Server So I guess that there is no IPv6-DNS? Is this a problem of the router or something about the Tunnel? regards
Can't reache some Sites ... but
[ch] Jeroen Massar SixXS Staff on Saturday, 21 May 2011 11:18:39
So I guess that there is no IPv6-DNS?
There are two levels of IPv6: transport and queries IPv6 DNS Transport, or as it is mentioned above "IPv6 DNS" means that the queries for the hostname are send as IPv6 packets to an IPv6-enabled DNS server. IPv6 DNS Queries, means that either IPv4 or IPv6 packets are sent to a DNS server containing queries for AAAA (IPv6) records. The setting above is the first, transport, you don't need this, as one can send IPv6 DNS queries over both an IPv4 or IPv6 transport. Thus what you want to check if your DNS server properly allows AAAA queries. If you have windows, use start->Run and type "nslookup" (without quotes) and then you'll get a dosbox where you can type "set q=aaaa" and then "ipv6.google.com" the output will look somewhat like this:
Default Server: eternity.ch.unfix.org Address: 198.18.99.41
set q=aaaa
ipv6.google.com
Server: eternity.ch.unfix.org Address: 198.18.99.41 Non-authoritative answer: ipv6.google.com canonical name = ipv6.l.google.com ipv6.l.google.com AAAA IPv6 address = 2a00:1450:8005::68
As you can see my DNS server uses an IPv4 transport but the IPv6 Query works just fine. You might get back different AAAA btw as google has different regions for that.
Can't reache some Sites ... but
[de] Shadow Hawkins on Saturday, 21 May 2011 15:25:04
Ok! Thx I think I can see the Problem here: I have SonicWall-VPN-Client here on that machine! So if this is connected nslookup says: Standardserver: w2.wedia.local Address: 10.10.10.1
set q=aaaa
ipv6.google.com
Server: w2.wedia.local Address: 10.10.10.1 Nicht autorisierende Antwort: Name: ipv6.l.google.com Address: 2a00:1450:4008:c00::93 Aliases: ipv6.google.com wedia.local is the Server2008 where the VPN goes to! THAN I can't call google via IPv6! if I disconnect that the nslookup says: Standardserver: fritz.box Address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
set q=aaaa
ipv6.google.com
Server: fritz.box Address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Nicht autorisierende Antwort: Name: ipv6.l.google.com Address: 2a00:1450:8005::63 Aliases: ipv6.google.com THAN all the sites are comming up fine! So what can I do here to make the FritzBox the "standard" even if the VPN is up? regards Sven
Can't reache some Sites ... but
[ch] Jeroen Massar SixXS Staff on Saturday, 21 May 2011 15:57:26
wedia.local is the Server2008 where the VPN goes to! THAN I can't call google via IPv6!
It gives back an IPv6 address, thus actually, it should still work. As the lookup succeeds, try, with the VPN active, to do a 'traceroute ipv6.google.com' that should still work.
THAN all the sites are comming up fine! So what can I do here to make the
FritzBox the "standard" even if the VPN is up?
The joys of split-DNS. You won't be able to do much here, as you need the VPN version of DNS to reach the domainnames that are defined on the VPN. The solution I employ for these cases is terminate the VPN on the router and use unbound to forward the DNS queries to the right place.
Can't reache some Sites ... but
[de] Shadow Hawkins on Saturday, 21 May 2011 18:25:33
Ok... I think I have to explain the situation better: The Router makes the Internet-Connection (IPv4 only) AND at the Router is an internal SixXS-Client ... so the Router makes the tunnel. All PC's get their IP-config (IPv4 and IPv6) from the router on my main PC is a SOFTWARE-VPN-Client. There is a virtual NIC named "SonicWALL VPN Connection" from there only IPv4 is available! The Problem is now that the VPN-NIC is "Standard" for nslookup if the VPN is enabled! Even if I get IPv6-Adresse I can't connect! If I disable the Software VPN all is fine! regards
Can't reache some Sites ... but
[ch] Jeroen Massar SixXS Staff on Saturday, 21 May 2011 19:51:18
I understood/stand your situation quite well it is a very common setup.
The Problem is now that the VPN-NIC is "Standard" for nslookup
if the VPN is enabled! Even if I get IPv6-Adresse I can't connect!
DNS != routing And your output showed that DNS works fine, the question is if routing has become affected. As such, the questions become: - What does your IPv4 and IPv6 routing tables look like before and after the VPN has been setup ("netstat -rn" and "netsh int ipv6 show routes") - Is the IPv6 connectivity still working at all? - Can you traceroute6 to anything, eg try a random: traceroute 2001:db8::1 - Does the VPN start a firewall of sorts? - Does the VPN play with packets?
Can't reache some Sites ... but
[de] Shadow Hawkins on Saturday, 21 May 2011 22:17:26
Ok ... so let's go ;) Is it save to post the IPv4/IPv6-Tables? I guess they will not help if I "x" all the data? All my IP is static! But I can show you the difference between VPN on/off via PING Ping ipv6.google.com with VPN off: C:\Windows\system32>ping ipv6.google.com Ping wird ausgefhrt fr ipv6.l.google.com [2a00:1450:8005::68] mit 32 Bytes Dat en: Antwort von 2a00:1450:8005::68: Zeit=25ms Antwort von 2a00:1450:8005::68: Zeit=25ms Antwort von 2a00:1450:8005::68: Zeit=23ms Antwort von 2a00:1450:8005::68: Zeit=24ms Ping-Statistik fr 2a00:1450:8005::68: Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust), Ca. Zeitangaben in Millisek.: Minimum = 23ms, Maximum = 25ms, Mittelwert = 24ms Ping ipv6.google.com with VPN on: C:\Windows\system32>ping ipv6.google.com Ping-Anforderung konnte Host "ipv6.google.com" nicht finden. berprfen Sie den Namen, und versuchen Sie es erneut. As you can see PING can't find the adresse ... so this is DNS-Problem and NOT Routing! Also I can PING google while VPN is ON using the ipv6-adresse [2a00:1450:8005::68]... so the routing should be ok ... regards
Can't reache some Sites ... but
[ch] Jeroen Massar SixXS Staff on Monday, 23 May 2011 10:48:49
If you can still ping the IP then indeed routing is not the issue, DNS it must be. Thus the only question then, as nslookup seems to work, what kind of trickery your VPN software does as it looks like it messes with DNS lookups. One thing you could look at now is 'ipconfig /all' and see what nameservers are listed and possibly in what order they get used.

Please note Posting is only allowed when you are logged in.
Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker