Hi,

I once configured a router to use your DNS recursion servers, but they're now giving out empty responses.
I can't really find any documentation on it anymore, is this service still active?

74.82.42.42 / 2001:470:20::2

Service is alive and well. Since by nature it is anycasted, we need to know which node you are referring to, so we can look at it. Email ipv6@he.net to actually open a troubleticket if it is still and issue, and provide IPv4/IPv6 MTR output to the node.

It is working for me this morning.

Hi,

I once configured a router to use your DNS recursion servers, but they're now giving out empty responses.
I can't really find any documentation on it anymore, is this service still active?

74.82.42.42 / 2001:470:20::2

those who are using nftables firewall in their server, they can add below rule/line in /etc/nftables.conf file:

Code: [Select]

ip protocol 41 ip saddr xx.xx.xx.xx accept
the xx.xx.xx.xx is tunnel broker service provider's endpoint-server's ipv4 address.

insert above rule inside the "inet" or "ip" tables/sections, or in both "inet" & "ip" sections.

if you want to be more specific, then:

Code: [Select]

ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept
the yy.yy.yy.yy is tunnel user's server computer's internet connection's public-side routable ipv4-address . (that is aka, your server's external IPv4-address).

EXTRA INFO:

here is a sample nftables.conf file:

Code: [Select]

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
# ... other sections ...
chain incoming {
type filter hook input priority 0; policy drop;

# Accept any localhost traffic:
iif lo accept

# ICMP handled 1st & to rate limit:
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 30/second accept
ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
ip protocol icmp icmp type echo-request limit rate 30/second accept
ip protocol icmp icmp type echo-request counter drop

# ... For DNS NameServer/Authoritative Server, rate limit rules are here ...

# Accept traffic originated from us (established/related) from this computer:
ct state { established, related } accept

# Accept these ICMP & ICMPv6:
#  usually for initial server setup stage, when hardening server then remove whats not necessary:
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

# Accept IGMP:
ip protocol igmp accept

# Allow HE(HurricaneElectric) 6in4 IPv6-in-IPv4 Tunnel:
ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept

# ip4-adrs of this server, used for all: dns/named/bind/53, sshd/5022, email-related-services, etc:
#   ( the IP-adrs yy.yy.yy.yy which is allotted by Server's ISP or VM/Server-Provider, should be set
#     as a static/fixed address, in Server's primary network-interface thru /etc/interfaces config file )
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 5022 } ip daddr yy.yy.yy.yy accept
udp dport { 53, 80, 443, 5022 } ip daddr yy.yy.yy.yy accept

# ip6-adrs N1 & N2 from HE IPv6 subnet, used for: dns/named/bind/53, email-related-services, etc:
tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } accept
udp dport { 53, 80, 443 } ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } accept

# ip6-adrs N3 from HE subnet, used for: http/80, https/443, dns/unbound/53, etc:
tcp dport { 53, 80, 443 } ip6 daddr IPv6-Adrs-N3 accept
udp dport { 53, 80, 443 } ip6 daddr IPv6-Adrs-N3 accept

# ... other rules for other services that are running in this server ...

# count and drop any other traffic
counter drop
}

chain outgoing {
type filter hook output priority 0; policy accept;
}

chain forward {
type filter hook forward priority 0; policy drop;
}
}


table ip filter {
chain incoming {
type filter hook input priority 0; policy drop;

ip protocol icmp icmp type echo-request limit rate 30/second accept
ip protocol icmp icmp type echo-request counter drop

ct state { established, related } accept

ip protocol icmp icmp type { destination-unreachable, echo-reply, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

ip protocol igmp accept

ip protocol 41 ip saddr xx.xx.xx.xx ip daddr yy.yy.yy.yy accept

ip daddr yy.yy.yy.yy tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190, 5022 } accept
ip daddr yy.yy.yy.yy udp dport { 53, 80, 443, 5022 } accept

# ... other IP, IPv4 related rules for other services that are running in this server ...

counter drop
}

chain FORWARD {
type filter hook forward priority 0; policy drop;
}

chain outgoing {
type filter hook output priority 0; policy accept;
}
}


table ip6 filter {
chain incoming {
type filter hook input priority 0; policy drop;

ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 30/second accept
ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop

ct state { established, related } accept

ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept

ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } tcp dport { 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 4190 } accept
ip6 daddr { IPv6-Adrs-N1, IPv6-Adrs-N2 } udp dport { 53, 80, 443 } accept

ip6 daddr IPv6-Adrs-N3 tcp dport { 53, 80, 443 } accept
ip6 daddr IPv6-Adrs-N3 udp dport { 53, 80, 443 } accept

# ... other IPv6 rules for other services that are running in this server ...

counter drop
}

chain FORWARD {
type filter hook forward priority 0; policy drop;
}

chain outgoing {
type filter hook output priority 0; policy accept;
}
}


Or maybe one of the admins saw your post as well and adjusted the script in the background

It just started working. Maybe I just needed to give it time to refresh. Thanks for the response though tjeske!

weird. Maybe it doesn't recognize the .club TLD?

Hi I am having the "No AAAA record found" issue when trying to do the Enthusiast test. The domain name I am trying to test with is cxm4176.club which is being hosted in the HE dns system. I believe I am getting a successful answer.

Code: [Select]

dig AAAA cxm4176.club

; <<>> DiG 9.10.6 <<>> AAAA cxm4176.club
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;cxm4176.club. IN AAAA

;; ANSWER SECTION:
cxm4176.club. 86400 IN AAAA 2604:6000:b785:c000:7949:4f71:d23b:6b9c

;; Query time: 160 msec
;; SERVER: 209.18.47.61#53(209.18.47.61)
;; WHEN: Sun Aug 04 12:05:21 EDT 2019
;; MSG SIZE  rcvd: 69

any help would be appreciated

Hello,

Have three nodes with IPv6, 1- Teredo, 1 - Tunnel Broker 6in4, 1 - ISP Native IPv6.

From the TunnelBroker 6in4 can establish an ssh connection to the node using Teredo.

From the ISP to the Teredo node is not accessible.

In looking at the traceroute from the ISP IPv6 to the Teredo node it looks like the traffic gets dropped at a HE.net router.

$ traceroute6 2001:0:53aa:64c:49:7c32:b05f:XXXX
traceroute to 2001:0:53aa:64c:49:7c32:b05f:XXXX (2001:0:53aa:64c:49:7c32:b05f:XXXX), 30 hops max, 80 byte packets
 1  2603-9000-9203-1600-f60e-83ff-fe97-f623.res.spectrum.com (2603:9000:9203:1600:f60e:83ff:fe97:f623)  2.623 ms  41.485 ms  3.849 ms
 2  2603-9000-ff00-0092-0000-0000-0000-0001.res.spectrum.com (2603:9000:ff00:92::1)  19.411 ms  19.467 ms  21.788 ms
 3  2607-f098-1000-4000-0000-0000-0000-003b.res6.spectrum.com (2607:f098:1000:4000::3b)  22.433 ms  22.523 ms  22.539 ms
 4  2607-f098-1000-4000-0000-0000-0000-01cb.res6.spectrum.com (2607:f098:1000:4000::1cb)  27.627 ms  34.500 ms  36.191 ms
 5  2607-f098-10fe-0000-0100-2000-ccc7-006a.res6.spectrum.com (2607:f098:10fe:0:100:2000:ccc7:6a)  29.193 ms *  29.947 ms
 6  2607-f098-10fe-0000-0100-2000-c3c3-0075.res6.spectrum.com (2607:f098:10fe:0:100:2000:c3c3:75)  35.998 ms  17.569 ms  26.418 ms
 7  2001:1998:0:4::16 (2001:1998:0:4::16)  29.133 ms 2001:1998:0:8::258 (2001:1998:0:8::258)  31.342 ms 2001:1998:0:4::16 (2001:1998:0:4::16)  25.168 ms
 8  2001:1998:0:4::189 (2001:1998:0:4::189)  30.645 ms  31.033 ms  30.510 ms
 9  10gigabitethernet9-19.core1.mia1.he.net (2001:470:0:386::1)  29.944 ms  29.594 ms  29.158 ms
10  100ge5-2.core1.tpa1.he.net (2001:470:0:2b3::2)  38.837 ms 100ge11-1.core1.atl1.he.net (2001:470:0:18d::1)  46.465 ms 100ge11-1.core1.jax1.he.net (2001:470:0:450::2)  40.327 ms
11  100ge8-1.core1.ash1.he.net (2001:470:0:114::2)  57.381 ms  43.907 ms  44.449 ms
12  100ge8-1.core1.ash1.he.net (2001:470:0:114::2)  47.799 ms  47.878 ms 6to4.ash1.he.net (2001:470:0:136::2)  46.566 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Regards,

More info:

from google chrome: http ok but when switching to https timeout during the tls session

Current MTU on HE is 1460