IPv6 precedes IPv4 translation

Markfree

Regular Contributor
I'm using a RT-AX86U router with firmware version 386.5_2.

I have a DDNS address that translates to both A and AAAA [not really] records. Therefore, I have IPv4 and IPv6 dynamically translated.
Bash:
# nslookup [ddns.name]
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      [ddns.name]
Address 1: [public:IPv6]
Address 2: [public:IPv4] [public:IPv4].static.host...

This was configured within Asus DDNS, using No-IP.com. [There's no option to update IPv6 addresses]


I noticed that whenever I try to access that dynamic domain name, IPv6 is translated first.
So, IPv6 has a preference over IPv4.

That behavior means that some remote requests I make to that domain get translated to IPv6 and then, timeout.
Here's an example:
Bash:
# ncat -z -v [ddns.name] 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connection to [public:IPv6] failed: TIMEOUT.
Ncat: Trying next address...
Ncat: Connected to [public:IPv4]:443.
Ncat: 0 bytes sent, 0 bytes received in 10.07 seconds.


Is there a way to force IPv4 translation to always be the first one?
 

drinkingbird

Senior Member
I'm using a RT-AX86U router with firmware version 386.5_2.

I have a DDNS address that translates to both A and AAAA records. Therefore, I have IPv4 and IPv6 dynamically translated.
Bash:
# nslookup [ddns.name]
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      [ddns.name]
Address 1: [public:IPv6]
Address 2: [public:IPv4] [public:IPv4].static.host...

This was configured within Asus DDNS, using No-IP.com.

I noticed that whenever I try to access that dynamic domain name, IPv6 is translated first.
So, IPv6 has a preference over IPv4.

That behavior means that some remote requests I make to that domain get translated to IPv6 and then, timeout.
Here's an example:
Bash:
# ncat -z -v [ddns.name] 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connection to [public:IPv6] failed: TIMEOUT.
Ncat: Trying next address...
Ncat: Connected to [public:IPv4]:443.
Ncat: 0 bytes sent, 0 bytes received in 10.07 seconds.


Is there a way to force IPv4 translation to always be the first one?

That's nothing to do with the router. Windows prioritizes IPv6, not sure about other OSes but pretty sure Linux does too. So if it gets both back, it will use the AAAA. The only way to prevent that is to disable IPv6 on the machines accessing the site, or get rid of your AAAA record (not really necessary to have access via IPv6). If your IPv6 isn't accessible, why do you have an AAAA record anyway?
 

Markfree

Regular Contributor
That's nothing to do with the router. Windows prioritizes IPv6, not sure about other OSes but pretty sure Linux does too. So if it gets both back, it will use the AAAA. The only way to prevent that is to disable IPv6 on the machines accessing the site, or get rid of your AAAA record (not really necessary to have access via IPv6). If your IPv6 isn't accessible, why do you have an AAAA record anyway?
I forgot to mention that both ends use Asus routers.
The remote DDNS name was set using an AX86U, and my end also uses the same router.
The example above was taken from an Asus router, not Windows.

Actually, the remote AAAA record was set by No-IP automatically. Not sure why.
I managed to delete the AAAA record from No-IP and now the communication is going through.

Thank you for your insight.
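
An added example, not part of the original posts: a per-record reachability check that reproduces the diagnosis above (an AAAA record that is published but does not answer, while the A record works). The host name `ddns.example`, the documentation-range addresses and the stub resolver/connector are constructed stand-ins for the thread's `[ddns.name]`, `[public:IPv6]` and `[public:IPv4]` placeholders; pass nothing for `resolve`/`connect` to probe a real name.

```python
import socket

def probe_records(host, port, timeout=3.0,
                  resolve=socket.getaddrinfo, connect=socket.create_connection):
    """TCP-connect to every A/AAAA address of host, in resolver order
    (the order a dual-stack client tries them). Returns (type, addr, status)."""
    results, seen = [], set()
    for family, _t, _p, _c, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr in seen:
            continue
        seen.add(addr)
        label = "AAAA" if family == socket.AF_INET6 else "A"
        try:
            connect((addr, port), timeout).close()
            status = "ok"
        except socket.timeout:          # silent drop, as in the ncat output
            status = "timeout"
        except OSError:                 # refused, unreachable, no route
            status = "error"
        results.append((label, addr, status))
    return results

def stale_records(results):
    """Records that fail while another address of the same name works:
    these are the DNS entries to update or delete."""
    if not any(status == "ok" for _, _, status in results):
        return []                       # whole host down, not a stale record
    return [(label, addr) for label, addr, status in results if status != "ok"]

# --- constructed sample data (RFC 3849 / RFC 5737 documentation ranges) ---
def _fake_resolve(host, port, type=0):
    return [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", port, 0, 0)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]

class _FakeConn:
    def close(self):
        pass

def _fake_connect(address, timeout):
    if ":" in address[0]:               # simulate the unreachable IPv6 side
        raise socket.timeout("timed out")
    return _FakeConn()

def demo():
    return probe_records("ddns.example", 443,
                         resolve=_fake_resolve, connect=_fake_connect)

if __name__ == "__main__":
    print(demo())
    print("stale:", stale_records(demo()))
```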
 

drinkingbird

Senior Member
I forgot to mention that both ends use Asus routers.
The remote DDNS name was set using an AX86U, and my end also uses the same router.
The example above was taken from an Asus router, not Windows.

Actually, the remote AAAA record was set by No-IP automatically. Not sure why.
I managed to delete the AAAA record from No-IP and now the communication is going through.

Thank you for your insight.

Generally I've found that everything prioritizes IPv6, at least since approx Windows 7 (maybe it was SP1). Asus runs a type of Linux variant so makes sense. So yeah it technically is something to do with the router in your case (I wasn't understanding your setup correctly) but really the OS on the router and not the router itself, if that makes any sense. The thought was it would help with the migration if the AAAA was always prioritized over A.

Good call on getting rid of the AAAA, no need for it in your case (or really any case).

I remember years ago when IPv6 seemed to finally start taking off I got tunnels set up to Hurricane Electric (FIOS does not support v6 in my area and has no ETA), and it just caused more issues and solved none, it simply is not needed yet. Some of the urgency around IPv4 exhaustion has gone away with companies using the CGNAT ranges or just being smarter about how they use their IPs. In my Mom's case, she has Comcast which does natively support IPv6, and her router has it on by default. She was having constant (but intermittent) issues with their email, throwing connection errors using MS Outlook. After realizing their email servers had IPv6 variants which it was defaulting to, I disabled IPv6 on her router, and the issues all went away. Posted this in one of their forums, and it solved issues for several others too. They just didn't have as robust of an infrastructure servicing the IPv6 clients, and since there were less of them (especially ones using "thick" email clients like Outlook rather than Webmail), there weren't enough complaints for them to realize there was an issue.

I now disable IPv6 on anyone I know's routers. There is nothing available on IPv6 that isn't available on IPv4, at least not for the everyday user.
 

heysoundude

Part of the Furniture
Is there a way to force IPv4 translation to always be the first one?
there are 2 ways of looking at that:
1- you're swimming against the current. Tides are turning (have turned?) to favour IPv6.
2- you might be better off trying to get the laggards in the transition to get in gear and with the IPv6 program

and it just caused more issues and solved none, it simply is not needed yet. Some of the urgency around IPv4 exhaustion has gone away with companies using the CGNAT ranges or just being smarter about how they use their IPs. In my Mom's case, she has Comcast which does natively support IPv6, and her router has it on by default. She was having constant (but intermittent) issues with their email, throwing connection errors using MS Outlook. After realizing their email servers had IPv6 variants which it was defaulting to, I disabled IPv6 on her router, and the issues all went away. Posted this in one of their forums, and it solved issues for several others too. They just didn't have as robust of an infrastructure servicing the IPv6 clients, and since there were less of them (especially ones using "thick" email clients like Outlook rather than Webmail), there weren't enough complaints for them to realize there was an issue.

I now disable IPv6 on anyone I know's routers. There is nothing available on IPv6 that isn't available on IPv4, at least not for the everyday user.
in our other current convo, you might've noticed the assumption of connectivity. internet/connectivity is assumed to be ubiquitous like air, so I beg to differ. v4 only networks will bog down with all the tablets/phones/watches everybody seems to be carrying now (wireless doorbells, smart fridges/stoves/TVs/lightbulbs...) - it's not inconceivable to me that a family home will overwhelm a DHCPv4 now and in the future. v6 will keep a connection breathing, even with a /64 (I've run into this in 2 client businesses lately - and v6 has made me look the hero. in the developed/western world, i don't think i'm sticking my neck too far out saying v4 is closer to the grave than people tend to believe. you've described intensive care/life support)
 

drinkingbird

Senior Member
there are 2 ways of looking at that:
1- you're swimming against the current. Tides are turning (have turned?) to favour IPv6.
2- you might be better off trying to get the laggards in the transition to get in gear and with the IPv6 program


in our other current convo, you might've noticed the assumption of connectivity. internet/connectivity is assumed to be ubiquitous like air, so I beg to differ. v4 only networks will bog down with all the tablets/phones/watches everybody seems to be carrying now (wireless doorbells, smart fridges/stoves/TVs/lightbulbs...) - it's not inconceivable to me that a family home will overwhelm a DHCPv4 now and in the future. v6 will keep a connection breathing, even with a /64 (I've run into this in 2 client businesses lately - and v6 has made me look the hero. in the developed/western world, i don't think i'm sticking my neck too far out saying v4 is closer to the grave than people tend to believe. you've described intensive care/life support)

In this discussion the OP is talking about internet connected devices, so wasn't making any assumption, just talking about this specific scenario.

While IPv6 has some room to eliminate some network broadcast traffic (as of yet, not really taken advantage of), putting 1000 hosts on IPv4 and 1000 on IPv6 in the same broadcast domain (L2 switch, no router in the path) is no different. Trying to put too many hosts into a single network will be an issue on either protocol. IPv6 is no "better" than IPv4. In some cases it is actually worse, depending on packet size and use case the latency can be higher, and each packet has a bit more overhead in it so it is technically a tad less efficient.

Tides definitely have not turned. If anything they've turned back in the last 5 years or so, IPv6 rollout has slowed significantly with ISPs starting to use the /10 CGNAT shared range.

Same with DHCP. IPv6 does allow Stateless Autoconfig but so far that is fairly rare, most are still using a DHCPv6 server which will be overwhelmed just as easily as a v4 one. There are some improvements in DHCPv6 but not enough to make a huge difference.

If you need more than ~16 million hosts (IPv4 /8) on a single network without any routing, you've got bigger challenges to solve than v4 vs v6. /64 is just the default for IPv6 (unofficially, but seems to be what everyone uses for simplicity), nobody actually needs 18 quintillion hosts in one broadcast domain.

In the case of an isolated network not using the internet, IPv6 may prove more flexible especially if you take advantage of auto IP config without the need for DHCP. But with even a cheap home router able to handle thousands of DHCP requests per minute, would have to be one heck of a huge isolated network to really matter (and like I said, that will cause you other issues).
 

drinkingbird

Senior Member
I'm not here to fight.
I see This Is The Way:
but users should consider their privacy and security more carefully now for when that ^ is the reality

Not fighting, just discussing.

Lots of telcos are using IPv6 for management purposes (to remotely monitor/administer their CPE) in order to free up IPv4 space, that's been going on for years. The issue is you can never go fully IPv6 until everything out there supports it, which has been the "tug o war" for years. So even NTT will need 6 to 4 gateways somewhere if they don't want to cause issues for their customers. Until everything out there is dual stack, we can't even start thinking about true single stack.

But yes, everyone really needs to start thinking totally differently about security. Hide NAT is a great line of defense. IPv6 firewalls do default to deny anything inbound but all it takes is one mistake in the code or by the user to open up a large security hole.
 

Snoopotic

Occasional Visitor
Why would you do that? IPv6 always has precedence. Use IPv6 or don't.
Seems you need to overthink your concept. Giving IPv4 precedence would throw you in future conflicts where every other dualstack technology relies on the IPv6 precedence thingy. You would break internet rules.
I think it's better you stick with it.

What is the problem? What do you want to solve and how can we achieve it using IPv6? Maybe you need to write a custom DDNS script. :D
 

heysoundude

Part of the Furniture
Not fighting, just discussing.

Lots of telcos are using IPv6 for management purposes (to remotely monitor/administer their CPE) in order to free up IPv4 space, that's been going on for years. The issue is you can never go fully IPv6 until everything out there supports it, which has been the "tug o war" for years. So even NTT will need 6 to 4 gateways somewhere if they don't want to cause issues for their customers. Until everything out there is dual stack, we can't even start thinking about true single stack.

But yes, everyone really needs to start thinking totally differently about security. Hide NAT is a great line of defense. IPv6 firewalls do default to deny anything inbound but all it takes is one mistake in the code or by the user to open up a large security hole.
OK.
Lots of good discussion/insight on the WireGuard thread(s) in the Addons forum. I'm of the mind that the lead people there can probably come up with an alternative to Merlin's adaptation of Asus' work that incorporates WG as the starting point, as it does handle the 6 <-> 4 stuff, and also rDNS w/cache ...jump ahead of the manufacturer by a generation.
 

Markfree

Regular Contributor
What a great discussion we have here.

Despite IPv6 rise world-wide, I guess IPv6 DDNS out-of-the-box implementation is not ready for Asus Routers.
Therefore, I can not reference a dynamic IPv6 public address with a domain name.
 

SomeWhereOverTheRainBow

Part of the Furniture
What a great discussion we have here.

Despite IPv6 rise world-wide, I guess IPv6 DDNS out-of-the-box implementation is not ready for Asus Routers.
Therefore, I can not reference a dynamic IPv6 public address with a domain name.
A lot of the issue resides in how the client handles it. When I say client, I mean inadyn. I have to run two separate updates for IPv4 and IPv6 for the dynv6 DDNS service. But I do so effectively using asuswrt-merlin custom scripts.
 

Markfree

Regular Contributor
The order of responses (if that's the issue) is not dictated by the DDNS service. So I don't see that as a DDNS issue.
Not really a DDNS issue indeed. Still, for a domain with both IPv4 and IPv6 the router translates IPv6 first. That was my issue. If IPv6 was updated by DDNS as well, it would not be an issue.
 

sfx2000

Part of the Furniture
Lots of telcos are using IPv6 for management purposes (to remotely monitor/administer their CPE) in order to free up IPv4 space, that's been going on for years. The issue is you can never go fully IPv6 until everything out there supports it, which has been the "tug o war" for years. So even NTT will need 6 to 4 gateways somewhere if they don't want to cause issues for their customers. Until everything out there is dual stack, we can't even start thinking about true single stack

Some interesting background info from the mobile carrier space...


The rationale here for 464XLAT vs. CGNAT is that 464XLAT can use a single PDP context, whereas CGNAT would have to use more than one...

T-Mobile Home Internet uses this to a significant degree, and with them, IPv6 will almost always perform better for connectivity than IPv4.
 
