dproxy-nexgen has a very serious bug when dealing with IPv6 and IPv4 addresses. When receiving an AAAA record, the daemon stores the first 4 bytes of the IPv6 address as a (totally false) IPv4 address into the cache.
As a consequence, client operating systems like Ubuntu, which ask for AAAA records first, get afterwards a wrong A record and are not able to connect to systems which already have IPv6 DNS entries. This problem will probably become even more important in the future, when other operating systems switch their default to IPv6 as well, and more servers publish AAAA records.
How to reproduce:
$ sudo /etc/init.d/dproxy start
$ dig @localhost AAAA ubuntuusers.de
--> answer: 2001:780:0:25::80 (correct)
$ dig @localhost A ubuntuusers.de
--> answer: 32.1.7.128 (wrong, should be 213.95.41.11)
32.1.7.12 are exactly the first four bytes of 2001:780:0:25::80.
dproxy.debug.log:
--------------------------------
[ 6998 ]: enter cache_purge()
[ 6998 ]: cache_add_hosts_entreies()
[ 6998 ]: cache_add_hosts_entreies(): done
[ 6998 ]: Dumping list:
[ 6998 ]: cache_lookup_name(ubuntuusers.de)
[ 6998 ]: .......... ubuntuusers.de ----
[ 6998 ]: Adding to list-> id: 2105
[ 6998 ]: Addr: 804e008
[ 6998 ]: Dumping list:
[ 6998 ]: ID: 2105 ... Name: ubuntuusers.de ---- IP:
[ 6998 ]: 1. Name: ubuntuusers.de .... 2105 --- 2. 2105
[ 6998 ]: Found query in list
[ 6998 ]: Replying with answer from 192.168.4.12
[ 6998 ]: Cache append: ubuntuusers.de ----> 32.1.7.128
[ 6998 ]: enter cache_purge()
[ 6998 ]: cache_add_hosts_entreies()
[ 6998 ]: cache_add_hosts_entreies(): done
[ 6998 ]: Dumping list:
[ 6998 ]: cache_lookup_name(ubuntuusers.de)
[ 6998 ]: .......... ubuntuusers.de ---- 32.1.7.128
[ 6998 ]: Cache hit
[ 6998 ]: enter cache_purge()
[ 6998 ]: cache_add_hosts_entreies()
[ 6998 ]: cache_add_hosts_entreies(): done
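
The failure mode reported above, as an added example that is not dproxy's own code: a type-blind copy of the first 4 RDATA bytes next to a check of TYPE, CLASS and RDLENGTH before anything is cached as an IPv4 address. The function names, the buffer layout (RR fields after the owner name) and the TTL value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_TYPE_A   1
#define DNS_CLASS_IN 1
#define RR_FIXED_LEN 10 /* TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) */

/* Constructed sample: AAAA answer for 2001:780:0:25::80 (TTL is made up). */
static const uint8_t sample_aaaa_rr[] = {
    0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x10,
    0x20, 0x01, 0x07, 0x80, 0x00, 0x00, 0x00, 0x25,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80
};
/* Constructed sample: A answer for 213.95.41.11. */
static const uint8_t sample_a_rr[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04,
    213, 95, 41, 11
};

/* Type-blind extraction: reproduces the symptom described in the report. */
static void naive_extract(const uint8_t *rr, uint8_t out[4]) {
    memcpy(out, rr + RR_FIXED_LEN, 4);
}

/* Returns 1 and fills out[] only for a complete IN A record, else 0. */
static int extract_a(const uint8_t *rr, size_t len, uint8_t out[4]) {
    if (len < RR_FIXED_LEN) return 0;
    uint16_t type   = (uint16_t)((rr[0] << 8) | rr[1]);
    uint16_t rclass = (uint16_t)((rr[2] << 8) | rr[3]);
    uint16_t rdlen  = (uint16_t)((rr[8] << 8) | rr[9]);
    if (type != DNS_TYPE_A || rclass != DNS_CLASS_IN) return 0;
    if (rdlen != 4 || len < RR_FIXED_LEN + (size_t)rdlen) return 0;
    memcpy(out, rr + RR_FIXED_LEN, 4);
    return 1;
}

int main(void) {
    uint8_t ip[4];
    naive_extract(sample_aaaa_rr, ip);
    printf("naive on AAAA: %u.%u.%u.%u\n", ip[0], ip[1], ip[2], ip[3]);
    printf("checked on AAAA cached: %d\n",
           extract_a(sample_aaaa_rr, sizeof sample_aaaa_rr, ip));
    if (extract_a(sample_a_rr, sizeof sample_a_rr, ip))
        printf("checked on A: %u.%u.%u.%u\n", ip[0], ip[1], ip[2], ip[3]);
    return 0;
}
```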
Logged In: YES
user_id=23461
Originator: NO
I wonder if this explains why an embedded router running dproxy returned the address 1.0.0.0 for a lookup. This happened when I used Linux (PuppyLinux and OpenSUSE) to access the Internet via the router, with the DNS proxied by the router. Unfortunately I have no access to the router any more, or I would try disabling IPv6. I should also have taken note of the router model; I only know that it was running busybox, so it was either Linux or BSD.
When I tried to use dig to look up a site, it returned an invalid response.
Windows had no problems using the proxy, presumably it doesn't ask for IPv6 information.
Also Firefox had no problem, maybe it doesn't go through the Linux resolver libraries?
I worked around it by specifying the ISP's forwarders instead of using the router's proxy. But this would explain why the common advice "disable IPv6" works for people who have problems getting onto the Internet with Linux, but not with Windows.
It's sad that this software has now been "hardwired" into so many routers out there. If this bug is not going to be fixed, perhaps manufacturers of routers should be encouraged to adopt a DNS proxy that does work. I think dnsmasq does support IPv6 properly.