Today I got a common complaint from a customer, which led me to an interesting investigation:
Quick setup description for reference: VPN server, IKEv2 (for this client), DNS relay on Mikrotik.
The initial complaint was that some applications or web pages aren’t routed through the tunnel.
Long story short: my server is IPv4 only, but DNS returns both v4 and v6 entries. The client’s ISP has native v6 support, and the v6 address seems to be preferred on the client’s device, which leads traffic to bypass the tunnel (v6 gateway preferred).
So my question is: is there any way to make Mikrotik DNS filter out AAAA entries?
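To make the question concrete, here is an added example (not from this thread, and not a RouterOS feature) of what an AAAA-stripping DNS relay would have to do on the wire: parse a response, drop the AAAA answers, fix up ANCOUNT and leave everything else untouched. The names vpn.example.test and gw.example.test and the reply bytes are constructed for the demo; the filter itself uses only the standard library.

```python
import struct
TYPE_CNAME, TYPE_AAAA = 5, 28

def encode_name(name):
    return b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label ends the name
            return off
        off += length

def parse_answers(msg):
    """Return (answers_start, [(start, end, rtype), ...]) for the answer section."""
    qdcount, ancount = struct.unpack('!HH', msg[4:8])
    off = 12                           # skip the fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # qname + qtype + qclass
    answers_start, rrs = off, []
    for _ in range(ancount):
        start, off = off, skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        rrs.append((start, off, rtype))
    return answers_start, rrs

def strip_aaaa(msg):
    """Copy of the response with AAAA answers removed and ANCOUNT fixed up.
    Kept records may still point (0xC0xx) at the question or at earlier kept records;
    authority/additional records are copied as-is and assumed not to point into dropped ones.
    A reply holding only AAAA records becomes NOERROR with no answers (NODATA)."""
    answers_start, rrs = parse_answers(msg)
    kept = [msg[s:e] for s, e, rtype in rrs if rtype != TYPE_AAAA]
    answers_end = rrs[-1][1] if rrs else answers_start
    header = msg[:6] + struct.pack('!H', len(kept)) + msg[8:12]
    return header + msg[12:answers_start] + b''.join(kept) + msg[answers_end:]

def sample_response():
    """Constructed reply to an AAAA query for vpn.example.test (not captured data)."""
    header = struct.pack('!6H', 0x1234, 0x8180, 1, 2, 0, 0)    # QR|RD|RA, 1 question, 2 answers
    question = encode_name('vpn.example.test') + struct.pack('!HH', TYPE_AAAA, 1)
    target = encode_name('gw.example.test')                     # CNAME target, then its AAAA
    cname = b'\xc0\x0c' + struct.pack('!HHIH', TYPE_CNAME, 1, 300, len(target)) + target
    target_ptr = struct.pack('!H', 0xC000 | (12 + len(question) + 12))  # pointer to CNAME rdata
    aaaa = target_ptr + struct.pack('!HHIH', TYPE_AAAA, 1, 300, 16) + bytes.fromhex('20010db8' + '00' * 12)
    return header + question + cname + aaaa
```

Dropping the AAAA leaves a NODATA-style reply that makes a normal resolver fall back to the A record, but, as the reply below notes, it only helps for applications that actually use the relay.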
Basically you can’t rely on having control over how applications work with DNS (e.g. some apps may use their own DNS over HTTPS connection to their own preferred servers). So if you want to force the client’s traffic through the IPv4 tunnel, disable IPv6 on that site altogether.
I’m not trying to abuse the client’s traffic, or applications running on their device. The device in question is an Android phone, which isn’t very configurable (that’s the issue).
Dual-stack also isn’t what I’m looking for, since first of all there is no such requirement for this service.
So you’re saying that the tunnel terminates directly on the Hemeroid (sorry, Android) device? In that case I’m afraid you’ll have to deal with lots of pain in the back.
Yes, that’s a common IKEv2 strongSwan road-warrior scheme. And yes, I already feel it.
But honestly, even if it didn’t, the problem is caused by application behavior and thus can’t be fixed on the network level. That’s the main reason for my rather odd question.