Rogue IPv6 DNS advertisement problem, FISHY situation!

Hi there,

I have a Mikrotik router that is acting as a DNS server for the network and also caching the DNS results. The problem is that somehow the Windows PCs are getting IPv6 DNS results. The “easy” fix is to disable IPv6 on every machine, but I tried to investigate a bit further because it is a pain to do this for every PC and also you can’t do it on many mobile devices. Let me clarify that the Windows PCs are not getting an IPv6 IP from any DHCP (so no rogue IPv6 DHCP server??).

My internet is coming from a Speedport modem which is connected to eth1 of the Mikrotik, which is acting as a PPPoE client. On the Mikrotik the IPv6 package isn’t installed, and under PPPoE the “use peer dns” option is unchecked as well.

On the Speedport the IPv6 DHCP and RA services are disabled as well.

So the problem is that if I do an “nslookup google.com” on a Windows machine I’m getting the following result: ******* = hidden

C:\Users*********>nslookup google.com
Server: *********
Address: 10.0.0.1

Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4001:806::200e
216.58.210.14

******* = hidden by me

This result is after an ipconfig /flushdns and a flush of the Mikrotik DNS cache. The strange thing is that after the nslookup request I’m getting an entry in the Mikrotik DNS cache as well.
dns_cache.jpg
So I started sniffing with Wireshark and I found the following coming from the Mikrotik eth1, where the PPPoE client is running:
mikrotik_ipv6.jpg
So can someone more advanced than me explain to me what is really happening here?

How is it possible that the Mikrotik is responding to IPv6 DNS requests and caching them without the IPv6 package installed? And if this isn’t the Mikrotik, is it possible that this is from the Speedport modem which is behind the PPPoE?

To help, I did the test with only one Windows PC connected to the Mikrotik and the Speedport modem.

I’m totally puzzled.

I forgot to add my software version and Hardware.

nov/13/2018 15:27:35 by RouterOS 6.43.4

software id = KNCT-9LD2

model = RouterBOARD 962UiGS-5HacT2HnT



Thanks in advance to anyone who has any idea about this.

IPv6 and DNS are generally unrelated. A query for a FQDN will return whatever records are assigned to that FQDN. AAAA records are valid DNS records.

Hi Tippering,

Thanks for the reply, but I don’t get what exactly you are saying. You mean that it is normal for DNS over IPv4 to give you the AAAA, which is used in IPv6 only?
I get this OK, but what about the IPv6 traffic coming from the Mikrotik?

Best regards.

See these pcap screenshots. These are DNS queries sent by a Windows 7 machine. Note that it is asking the DNS server for both the A records and AAAA records for google.com. The DNS server dutifully responds to both requests.

IPv4 and IPv6 are communication protocols. DNS is a name resolution protocol. Your systems are using IPv4 to communicate. That doesn’t prevent DNS from providing IPv6 addresses over IPv4.
Clipboard01.jpg
Clipboard03.jpg
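
An added example, not part of the original thread: a minimal Python sketch of the A and AAAA exchange described in the reply above. It builds both queries and decodes a constructed reply, showing that the record type is a field inside the DNS message and that the bytes are the same whichever IP version carries them. The addresses in the test come from the nslookup output in the first post; make_response is a hypothetical stand-in for the caching resolver.

```python
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28}  # record type codes

def encode_name(name):
    # Domain name as length-prefixed labels, terminated by a zero byte.
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, rtype, txid):
    # 12-byte header (RD flag set, one question) followed by the question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[rtype], 1)

def skip_name(msg, off):
    # Return the offset just past a name, which may end in a compression pointer.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_answers(msg):
    # Return [(type, address)] for the A and AAAA answers in a response.
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE["A"] and rdlen == 4:
            found.append(("A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == QTYPE["AAAA"] and rdlen == 16:
            found.append(("AAAA", str(ipaddress.IPv6Address(rdata))))
    return found

def make_response(query, rtype, address):
    # Constructed sample reply, standing in for the caching resolver.
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = ipaddress.ip_address(address).packed
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], 1, 300, len(rdata)) + rdata
    return header + query[12:] + rr
```

The two queries differ only in the two-byte QTYPE field (1 versus 28), which is why a client with no IPv6 address still receives AAAA answers from a resolver it reaches at 10.0.0.1.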

Thank you very much Tippenring,

You made the DNS part clear. But what about the IPv6 traffic coming from the Mikrotik router eth1, where the PPPoE client is running?

If you really have the IPv6 package disabled, I’m not sure why the MT is using IPv6 at all. However, it isn’t important. The packet you captured is a simple ICMPv6. The fe80 address is a link local address (like 169.254.x.x in IPv4).

Yep, the package isn’t enabled.
ipv6.jpg
That traffic and my limited knowledge of the IPv6-DNS part made me have those wrong assumptions.