Mikrotik DNS cache, IPv6 and test-ipv6.com

I have a Mikrotik router running 6.0 rc11. I’m connected to Time Warner cable and have built a 6to4 tunnel to Hurricane Electric.

I’ve enabled the DNS cache on my router and my IPv4 clients point to the router for DNS resolution. I’ve also configured the HE IPv6 DNS server to be distributed to my dual-stacked IPv6 clients via RAs.

When I visit the test-ipv6.com site to test my configuration, it tells me that:

“IPv6 connections work, but connections using DNS names do not use IPv6. For some reason, your browser or your OS is not doing IPv6 DNS ‘AAAA’ lookups.”

If I change my DHCP server to hand out my Time Warner DNS server IPs rather than the local Mikrotik DNS cache IP address, which in turn points to those same DNS servers, test-ipv6.com passes my configuration just fine.

Does anyone know if there are bugs or issues with the Mikrotik DNS cache resolver filtering AAAA lookups?

-Brian

Just a guess, but it could be that it detects that your DNS is configured with IPv4 addresses, hence the message.

I can assure you that the RouterOS domain name cache is fully capable of resolving AAAA requests over either IP network.

On the site you mention I get 10/10; however, in my configuration the “/ip dns” menu does not have any IPv4 addresses set.

Does your Mikrotik accept IPv6 connections for DNS? Check input chain port 53 on the IPv6 firewall on internal port(s).
If you use an external DNS it will go through the forward rules, which seem to be OK.

I set up a BIND 9 server as a caching-only server. It’s running on a Raspberry Pi and has a valid static IPv4 and IPv6 IP address. I’ve configured ISC DHCP to provide an IPv4 DNS address, the one on the Pi for DNS and an IPv4 address, the one on the Pi.

When I do this, my clients pass the test-ipv6.com test just fine.

If I point them at my Mikrotik, the test fails.

My firewall rules are exactly the same in IPv6 as they are in IPv4 - I mirrored the firewall rules.

I am able to resolve AAAA records against the Mikrotik either via a v4 lookup or a v6 lookup.

I did put the HE DNS address in my DNS config so that I could do lookups via IPv6. I wonder if that’s part of the problem.

/ip dns> print
servers: 2001:470:20::2 ← manually entered by me, so my IPv6 SLAAC clients would get an IPv6 DNS server.
dynamic-servers: 209.18.47.61,209.18.47.62 <— from my ISP

I did some more testing. If I do the following:

dig -6 @2001:470:e4bb:1::1 aaaa www.google.com

where 2001:470:e4bb:1::1 is the address of my LAN interface, the one clients point to for DNS, I get:

www.google.com. 86400 IN AAAA 2001:470:20::2

Now 2001:470:20::2 is HE’s caching IPv6 DNS server.

If I do the same query as follows:

dig -6 @2001:470:20::2 aaaa www.google.com

I get:

www.google.com. 257 IN AAAA 2607:f8b0:4004:802::1014

Something about the Mikrotik DNS caching server isn’t behaving as expected for IPv6 queries.

-Brian
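
Added example (not part of the original thread or any poster's code): a small Python check that automates the comparison made with the two dig queries above. It parses the answer lines and flags an AAAA answer that is itself one of the configured DNS server addresses. The function names are hypothetical; the sample lines and resolver addresses are the ones quoted in the thread.

```python
import ipaddress

# Sample input: the two answer lines quoted in the post above.
VIA_ROUTER = "www.google.com. 86400 IN AAAA 2001:470:20::2"
VIA_UPSTREAM = "www.google.com. 257 IN AAAA 2607:f8b0:4004:802::1014"
# Resolver addresses named in the thread (router LAN, HE cache, ISP servers).
RESOLVERS = ["2001:470:e4bb:1::1", "2001:470:20::2", "209.18.47.61", "209.18.47.62"]


def parse_answers(dig_text, rtype="AAAA"):
    """Return [(name, ttl, address)] for records of rtype in dig answer text."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):    # skip dig comment/header lines
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != rtype:
            continue
        try:
            ttl = int(fields[1])
            addr = ipaddress.ip_address(fields[4])  # normalises textual forms
        except ValueError:
            continue                             # malformed TTL or RDATA
        records.append((fields[0].lower(), ttl, addr))
    return records


def compare_resolvers(cache_text, upstream_text, resolver_addrs):
    """Return findings for the two symptoms visible in the thread's dig output."""
    resolvers = {ipaddress.ip_address(a) for a in resolver_addrs}
    cache = parse_answers(cache_text)
    upstream = parse_answers(upstream_text)
    findings = []
    for name, _ttl, addr in cache:
        if addr in resolvers:
            findings.append(f"{name}: answer {addr} is a configured DNS server address")
    # Disjoint answers can also come from CDN or round-robin records,
    # so treat this one as a prompt to look closer, not as proof.
    cache_set = {(n, a) for n, _, a in cache}
    upstream_set = {(n, a) for n, _, a in upstream}
    if cache and upstream and cache_set.isdisjoint(upstream_set):
        findings.append("cache and upstream answers share no address")
    return findings


if __name__ == "__main__":
    for finding in compare_resolvers(VIA_ROUTER, VIA_UPSTREAM, RESOLVERS):
        print(finding)
```
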