Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Dec 11, 2023 18:36 Post subject: [SOLVED: no] can dnsmasq suppress AAAA/IPv6 queries?
In the course of sorting out some dnsmasq config details I won't go into here, I set up dnsmasq logging with a couple of lines added to Dnsmasq additional config:
Code:
log-facility=/var/log/dnsmasq
log-queries=extra
After rebooting, I had a detailed log in /var/log/dnsmasq showing every DNS query, what server it was forwarded to, what type record it sought, and what the result was. Quite enlightening, actually. (I would not leave such a setup in place, as the log would grow quite large.)
Perhaps the biggest eye opener was that in my IPv4-only router, half the queries that went out, and the associated responses, were for [AAAA] (IPv6) records.
In what may well be my unenlightened ignorance, I assume these AAAA responses are of no use to me, so I set about trying to get dnsmasq to not obtain them. Well, that was a google nightmare! (Actually I use kagi.com now instead of google/startpage, fwiw.) I found nothing except the dnsmasq man page itself, at https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html, which offered only this one option:
Code:
filter-AAAA
The man page says it will "Remove AAAA records from answers. No IPv6 addresses will be returned." Suspicious wording, right? But data beats guessing, so I tried adding this to Dnsmasq additional options as well. Indeed, on testing I found that dnsmasq still made the same AAAA queries to upstream servers, but when the replies were received, it logged something like "reply cnn.com is NODATA-IPv6". (As a side note, these responses did not appear when dnscrypt was used. Perhaps dnscrypt-proxy suppresses those nonresult results.) It's absolutely unclear whether this is an improvement over the default setup!
So, kind dd-wrt folks (and the few unkind ones also), what do you think?
Is there any reason to bother with filter-AAAA?
More importantly, is there a way to actually suppress AAAA/IPv6 queries?
Is there any reason not to either filter or suppress AAAA/IPv6 queries?
_________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
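To put numbers on the observation above (what share of queries are AAAA, which LAN clients ask for them, and how many come back as NODATA-IPv6 once filter-AAAA is on), here is an added shell snippet that is not from the original post or from dnsmasq itself. The log lines are constructed to match the log-queries=extra shape described above; the exact field layout is an assumption.

```shell
#!/bin/sh
# Constructed sample in the shape of dnsmasq's log-queries=extra output
# (query id and client addr/port prefix, then query[TYPE] / forwarded / reply).
SAMPLE_LOG='Dec 11 18:40:01 dnsmasq[1234]: 1 192.168.1.50/51234 query[A] cnn.com from 192.168.1.50
Dec 11 18:40:01 dnsmasq[1234]: 1 192.168.1.50/51234 forwarded cnn.com to 9.9.9.9
Dec 11 18:40:01 dnsmasq[1234]: 1 192.168.1.50/51234 reply cnn.com is 151.101.3.5
Dec 11 18:40:01 dnsmasq[1234]: 2 192.168.1.50/51235 query[AAAA] cnn.com from 192.168.1.50
Dec 11 18:40:01 dnsmasq[1234]: 2 192.168.1.50/51235 forwarded cnn.com to 9.9.9.9
Dec 11 18:40:01 dnsmasq[1234]: 2 192.168.1.50/51235 reply cnn.com is NODATA-IPv6
Dec 11 18:40:02 dnsmasq[1234]: 3 192.168.1.51/40001 query[AAAA] example.org from 192.168.1.51
Dec 11 18:40:02 dnsmasq[1234]: 3 192.168.1.51/40001 forwarded example.org to 9.9.9.9
Dec 11 18:40:02 dnsmasq[1234]: 3 192.168.1.51/40001 reply example.org is 2606:2800:220:1:248:1893:25c8:1946'

# Count queries per record type (A, AAAA, PTR, ...) from log lines on stdin.
count_qtypes() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^query\[[A-Z0-9]+\]$/) {
                t = substr($i, 7, length($i) - 7)   # strip "query[" and "]"
                n[t]++
            }
    } END { for (t in n) printf "%s %d\n", t, n[t] }' | sort
}

# Per-client count of AAAA queries: shows which LAN hosts actually ask for IPv6.
# On a query line the last field is the client address after "from".
aaaa_by_client() {
    awk '/query\[AAAA\]/ { n[$NF]++ } END { for (c in n) printf "%s %d\n", c, n[c] }' | sort
}

# Number of AAAA answers that came back empty (what filter-AAAA logs as NODATA-IPv6).
nodata_ipv6_count() {
    grep -c 'reply .* is NODATA-IPv6'
}

main() {
    echo "queries by type:";        printf '%s\n' "$SAMPLE_LOG" | count_qtypes
    echo "AAAA queries by client:"; printf '%s\n' "$SAMPLE_LOG" | aaaa_by_client
    echo "empty IPv6 replies: $(printf '%s\n' "$SAMPLE_LOG" | nodata_ipv6_count)"
}
main
```

On the router itself, feed the real file instead of the sample, e.g. `count_qtypes < /var/log/dnsmasq`; comparing the per-client AAAA counts before and after a config change is a quick way to see which device a change like filter-AAAA might affect.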
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Tue Dec 12, 2023 7:47 Post subject:
I did use the same filter for dns6, didn't notice any speed improvement, I guess DNSmasq gets more busy with it...as it seems the DNS servers that are using DNS4, they also use both 4 & 6 and return dns6 for some odd reason...
DNScrypt-proxy v2 has lots of settings against dns6, same for SmartDNS it can disable dual-stack ...and even Stubby can use only DNS4, but DNSmasq still returns those aaaa..so I guess it sends only v4 but returns v6 too...it must be a standard...
Also it's noticeable that DNSmasq is listening on v6 too..I don't know how to stop that, as I'm not having IPv6 nor planning to use it anytime soon...but it's visible with netstat -npla
I guess it's only locally...but listening...
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Dec 12, 2023 17:09 Post subject:
We have a result! Turns out what @egc was pointing to was actually address=/#/:: as the dnsmasq man page specifies that # is the wildcard for domain names in the address= option. HOWEVER, DO NOT DO THIS!
Using just that bold command above with the two logging commands caused boot to fail, in the sense, at least, that I could not connect to wifi. I had to reset the router and restore from backup.
[SOLVED]
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Dec 12, 2023 22:41 Post subject:
A final note...
Turns out that it's not only the address=/#/:: dnsmasq option that was a problem. Using only the filter-AAAA option turns out to have issues as well. For me it broke the netflix app on a Sony Android TV.
Normally I use netflix on that TV through a wireguard tunnel, either using the TV's Android WireGuard app to connect to a commercial VPN server for netflix productions only or using my dd-wrt router's Wireguard tunnel to a server in another family dd-wrt router in another US state, which has always worked for all netflix media, to deceive the advertising world a bit. (Could use both tunnels at once even, one inside the other.)
Curiously, the filter-AAAA broke both uses of wireguard with Netflix. Netflix became watchable only using a direct-to-WAN setup here. Attempting to use any wireguard option consistently led to an error page on pushing Play, even though the app functioned fine otherwise. Apparently some of netflix's internal machinations involve obtaining IPv4 addresses, even though they cannot be accessed through my IPv4-only router.
Very odd.