I have access to a DNS64 server (and gateway, but the setup is out of my control). However, it is far from local (opposite side of the world).
So ideally, in my IPv6-only set-up, I'd like normal AAAA DNS requests to land on the local DNS server so IPv6-enabled sites such as Facebook can be speedy. However, if the request for an AAAA record receives NOERROR and ANSWER 0, i.e. no AAAA records (e.g. twitter), I would then like to forward this request on to the DNS64 (IPv6 address) server, which will return an answer pointing towards the NAT64 gateway.
Any suggestions on how I might do that? Otherwise it's a 360ms trip to the resolver. Won't be nice on Skype and the like.
I don't think you can do it, and not just with RouterOS.
First, it's definitely not anything you could do with L7 and simple firewall rules, because if you need to wait for an answer, you'd then have to resend the original question/packet to a different server, but you don't have it anymore. You'd need to use a DNS resolver/proxy, which can have multiple DNS servers and ask another if it doesn't get a reply from one. But there's another problem, because such resolvers operate with the assumption that all configured DNS servers are equal in knowledge. So if one does reply but doesn't have an answer, there's no point asking another. That's a problem for you.
What you want is technically possible for sure, but you'd probably need to write a custom DNS resolver. At least I don't remember seeing this functionality anywhere.
You're right. It occurred to me while trying to sleep last night that I couldn't simply retry or forward the request again. Would it be possible to drop replies from the resolver where there are no AAAA entries so it will try the next resolver configured? I'm not familiar with what that might do other than make those domains take longer to resolve. For every request, does it go to resolver 1 and, if that fails, go to resolver 2, or does it see that 1 has failed once and then start using 2, trying 1 again after a random or specified time?
I believe it would be possible to make a regexp for reply packets without an answer, drop them and, by doing so, force the question to another upstream resolver.
There is no exact order in which the resolvers are used; it can be thought of as being pretty much random. But the most likely optimization (if there is one) would be to use the fastest one. There would be a huge difference in speed between yours, and since the seemingly failing one would be the fast local resolver, there should in theory be a very good reason to return to it as soon as possible.
I can’t say anything for sure, it would be interesting to test it and see how exactly it would behave.
Waiting on my device to show up. Ordered online from a store that said in stock but it wasn’t. Been waiting for weeks. Very annoying.
I think this regexp will catch it. It’s a bit hard given the NULLs are stripped. Maybe someone can cast their eye over it.
add comment="DNS No AAAA Records" name=dnsaaaamanip regexp="^.\?.\?\81\80\01\01.\?.\?[\01-\?\][a-z0-9][\01-\?a-z]*\1C\01\C0\0C\06"
It should match DNS packets where it's a standard query response with no error, with 1 question and 1 authority (having the SOA), from any address, where an AAAA type was requested with a QCLASS of 1 and an SOA is returned.
I'm sure someone's eyes are bleeding reading this workaround... if it even works.
Thanks. I’ve just been testing and that regexp works well.
Unfortunately the DNS server just moves to the next one and never returns.
My current thinking on how to overcome this is to add an address-list entry every time there is DNS traffic from the secondary server and then trigger a script to set the DNS servers again and clear the address-list.
Bit convoluted, but oh well. Has to be better than 100% of geo-type traffic landing on the other side of the world.
If it sees a reply packet from the primary resolver and it contains zero answers, it adds a short-lived address list entry with the primary resolver's address and drops the packet. The internal resolver does not receive any reply, so it tries to ask again after a second. But this time the router catches the request and redirects it to the backup resolver (8.8.4.4) instead.
It’s tested and working fine, but again, no NAT for IPv6 means no joy there.
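Added example, not from any post in this thread and not RouterOS code: a small Python script that parses a DNS reply the way the layer7 regexp above inspects it (standard response, NOERROR, one AAAA/IN question, zero answers, an SOA authority record) and then emulates the drop-and-redirect address-list mechanism just described, with the primary resolver listed for a short timeout and the resolver's retry going to the backup while the entry is alive. The reply packets, the names twitter.example / facebook.example and the primary address 192.0.2.53 are constructed placeholders; 8.8.4.4 is the backup named in the thread.

```python
"""Detect the 'NOERROR, ANSWER 0' AAAA reply and emulate the address-list redirect.
All packets, names and resolver addresses below are constructed placeholders."""
import struct
import time

QTYPE_AAAA = 28
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted host name as DNS labels (length-prefixed, NUL-terminated)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_reply(qname, qtype, answers=(), authority=()):
    """Build a minimal standard-query response: flags 0x8180 = QR, RD, RA, RCODE 0.
    Records are (owner, rtype, rdata) tuples; TTL is fixed at 300 for the sample."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), len(authority), 0)
    pkt = header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    for owner, rtype, rdata in list(answers) + list(authority):
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, QCLASS_IN, 300, len(rdata)) + rdata
    return pkt


def parse_name(pkt, off):
    """Decode labels at off, following compression pointers such as C0 0C. Returns (name, next_off)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:            # pointer: jump, but resume after the 2-byte pointer
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_reply(pkt):
    """Return the header counters and the first question, the fields the regexp inspects."""
    _tid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = parse_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"qr": flags >> 15, "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "qname": qname, "qtype": qtype, "qclass": qclass}


def is_empty_aaaa_reply(pkt):
    """True for a NOERROR response to one AAAA/IN question with zero answers and an
    authority section (the SOA case the regexp matches). NXDOMAIN replies do not match."""
    h = parse_reply(pkt)
    return (h["qr"] == 1 and h["rcode"] == 0 and h["qdcount"] == 1 and h["ancount"] == 0
            and h["nscount"] >= 1 and h["qtype"] == QTYPE_AAAA and h["qclass"] == QCLASS_IN)


class RetryRedirector:
    """Emulates the address-list mechanism: an empty AAAA reply from the primary is
    dropped and the primary is listed for `timeout` seconds; while listed, the
    resolver's retry is sent to the backup instead."""

    def __init__(self, primary, backup, timeout=1.0, clock=time.monotonic):
        self.primary, self.backup, self.timeout, self.clock = primary, backup, timeout, clock
        self.listed_until = 0.0

    def on_reply(self, source, pkt):
        """Return True when the reply must be dropped so the resolver retries."""
        if source == self.primary and is_empty_aaaa_reply(pkt):
            self.listed_until = self.clock() + self.timeout
            return True
        return False

    def upstream_for_query(self):
        """Destination for the next outgoing query: backup while the list entry is alive."""
        return self.backup if self.clock() < self.listed_until else self.primary


# Constructed sample replies (placeholder names and addresses, not real lookups)
SOA_RDATA = (encode_name("ns1.twitter.example") + encode_name("hostmaster.twitter.example")
             + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
EMPTY_AAAA = build_reply("twitter.example", QTYPE_AAAA,
                         authority=[("twitter.example", QTYPE_SOA, SOA_RDATA)])
HAS_AAAA = build_reply("facebook.example", QTYPE_AAAA,
                       answers=[("facebook.example", QTYPE_AAAA, bytes.fromhex("20010db8" + "00" * 12))])

if __name__ == "__main__":
    r = RetryRedirector("192.0.2.53", "8.8.4.4")  # placeholder primary, backup from the thread
    print("twitter reply dropped:", r.on_reply("192.0.2.53", EMPTY_AAAA))
    print("retry goes to:", r.upstream_for_query())
    print("facebook reply dropped:", r.on_reply("192.0.2.53", HAS_AAAA))
```

The classifier deliberately keys on RCODE 0 with ANCOUNT 0 rather than on NXDOMAIN: a name with only A records returns NOERROR and an empty answer section, which is exactly the case where a DNS64 resolver would synthesize an AAAA, whereas NXDOMAIN would not benefit from a retry. The clock is injectable so the timeout behaviour can be checked without sleeping.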
The secondary server's use is allowed while it knows there was a failed AAAA lookup. It allows one request, then blocks the next and allows any after, until the list that allows it in the first place expires.
I’ve used one second but the lists stay alive for more like 5 anyway.
Edit: here I was thinking programming PLCs in ladder logic would teach me nothing, haha. I definitely pay more attention to how to use execution order to my advantage now.
You’re right, I didn’t even notice that. Unfortunately, quite a few IPv6 features are missing in current RouterOS. I have high hopes for future RouterOS 7 (as does everyone else), but nobody knows when it will be out and what exactly it will be able to do.
It’s all good. I’ve just reverted to native IPv6 only.
There is a fair amount missing around IPv6. However, some of the stuff only I would want. Other environments would have other dedicated hardware for such things.