• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#1
Questions & Answers / Re: BGP tunnel no longer annou...
Last post by Haveanukacola - October 30, 2025, 10:01:19 AM
I'll look into it if I'm able to
#2
Questions & Answers / BGP tunnel no longer announcin...
Last post by sesse - October 28, 2025, 12:31:08 PM
Hi,

I have a BGP tunnel to Frankfurt, and since last Monday or so, my network seems to no longer be announced; I get lots of routes from HE, and can send out packets, but outside networks don't see my route, so I cannot get anything back. (Well, if I ping my link address for the BGP, it works just fine!)

I've tried emailing he@ipv6.net, but no response except the automatic "a case has been created". Does anyone know what's going on?
#3
Questions & Answers / HE Tunnelbroker IP's marked as...
Last post by cshilton - October 27, 2025, 01:32:37 PM
This morning I tried to look at my local brewery's event schedule. I was immediately met by a page saying that my location was not served by the brewery's web site. Since I've been a tunnelbroker user for many years, my first debugging move was to turn off IPv6 on my laptop and revisit the site. At the end of the day the problem turned out to be visiting: https://app.blocky-app.com from my IPv6 address over the HE tunnel. Since I have controls for both IP addresses and DNS lookups at my edge, it was pretty simple to reconfigure the edge so I visit this site by IPv4 only. I should also note that these blocks came against my /48 allocation, not the far more often plagued automatic /64.

If the claim here is that tunnelbroker IPv6 blocks were used for fraud, I can't deny that, as they were ten years ago, but today I chalk this up to simple IPv4-centric xenophobia.

I wonder if we should set up a sticky thread of similarly IPv4-centric sites?
#4
General Questions & Suggestions / Re: Updating AAAA records when...
Last post by jschmedes - October 22, 2025, 07:13:34 AM
One option is to update the AAAA records using a dynamic DNS client / API call.

https://dns.he.net/ supports dynamic AAAA records. The homepage has examples.
#5
Questions & Answers / Re: Moved to AT&T Fiber, tunne...
Last post by jschmedes - October 22, 2025, 06:46:57 AM
Rather than disable native IPv6 to set up 6in4, just use native IPv6. Native is better than any IPv6 transition mechanism.
#6
General Questions & Suggestions / NOTIFY to ns1.he.net returns R...
Last post by dereckson - October 20, 2025, 03:35:30 PM
Recently, we set up a DNS server to manage our nasqueron.org. domain as code.

We are using Knot DNS as the primary server for our zone nasqueron.org, with Hurricane Electric's DNS service as secondaries.

I've noticed DNS NOTIFY requests don't reach HE.

Our configuration sends NOTIFY messages to ns1.he.net. However, Knot logs the following warning:

Oct 18 20:54:37 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 216.218.130.2@53 TCP, server responded with error 'REFUSED'

The NOTIFY is sent correctly, but the HE secondary refuses it.
The zone is correctly declared on https://dns.he.net as a secondary zone, with our primary server configured under "Master Servers".

We'd like to confirm if we can send a NOTIFY request in TCP (initial RFC recommends UDP, Knot only implements TCP) or if you see something odd in this configuration.

AXFR polling works correctly.

Thanks in advance for your assistance and for providing such a reliable DNS secondary service.

Primary DNS server setup
* knotd, Knot DNS 3.4.8
* notify sent to 216.218.130.2 and 2001:470:100::2 (ns1.he.net addresses)
* SOA serial bumped (YYYYMMDDNN format)
* Full server configuration: knot.conf
* Zone (SOA record is at the top): nasqueron.org.zone
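
An added example, not part of the post above and not code from Knot DNS or Hurricane Electric: the NOTIFY message defined in RFC 1996 (opcode 4, one SOA question for the zone), framed for TCP with the two-byte length prefix, plus a decoder showing where the 'REFUSED' from the log sits in a reply header (RCODE 5). The message ID and the reply bytes are constructed samples; nothing is sent on the network.

```python
import struct

OPCODE_NOTIFY = 4                 # RFC 1996
QTYPE_SOA, QCLASS_IN = 6, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(zone):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = zone.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_notify(zone, msg_id):
    """NOTIFY request: opcode 4, AA set, one question <zone, SOA, IN>."""
    flags = (OPCODE_NOTIFY << 11) | (1 << 10)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length as a 16-bit integer."""
    return struct.pack("!H", len(msg)) + msg

def parse_reply(framed, expect_id):
    """Decode the header of a framed reply and name its RCODE."""
    if len(framed) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", framed[:2])
    msg = framed[2:2 + length]
    if length < 12 or len(msg) != length:
        raise ValueError("truncated DNS message")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    if msg_id != expect_id:
        raise ValueError("reply ID does not match the request")
    rcode = flags & 0xF
    return {"is_response": bool(flags >> 15), "opcode": (flags >> 11) & 0xF,
            "rcode": RCODES.get(rcode, "RCODE%d" % rcode)}

def constructed_refused_reply(request):
    """Constructed sample: the request echoed back with QR=1 and RCODE=5."""
    msg_id = struct.unpack("!H", request[:2])[0]
    flags = (1 << 15) | (OPCODE_NOTIFY << 11) | 5
    return tcp_frame(struct.pack("!HH", msg_id, flags) + request[4:])

if __name__ == "__main__":
    req = build_notify("nasqueron.org.", 0x1234)   # ID is a constructed value
    print(tcp_frame(req).hex())
    print(parse_reply(constructed_refused_reply(req), 0x1234))
```
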
#7
Questions & Answers / Azure filtering IPv6 requests?
Last post by humeipv6 - October 13, 2025, 11:04:13 AM
I've been noticing performance problems with MS-related traffic, like Teams logins and websites that make use of Azure's CDN.  After some investigation, it looks as though the Azure CDN will accept connections, but then the request times out.  For example:

$ curl -vk ecom-cdn.afd.azureedge.net

*   Trying [2620:1ec:bdf::51]:80...
* Connected to ecom-cdn.afd.azureedge.net (2620:1ec:bdf::51) port 80 (#0)
> GET / HTTP/1.1
> Host: ecom-cdn.afd.azureedge.net
> User-Agent: curl/7.88.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer


This happens pretty consistently on all IPs in my Tunnelbroker /48.  It does NOT happen from my workplace, which has its own IPv6 block.

I know some ISPs have marked tunnelbroker blocks as hostile.  At this point I'm just curious if anyone else has noticed similar behaviour from MS.
#8
General Questions & Suggestions / Updating AAAA records when a d...
Last post by BiloxiGeek - September 06, 2025, 06:42:00 AM
Is there a best practice method for updating multiple AAAA records when/if the /64 prefix delegation I'm getting from AT&T changes? I've read that an A6 record used to be in place for this sort of thing but near as I can tell it's now obsolete.
#10
Questions & Answers / Re: Moved to AT&T Fiber, tunne...
Last post by BiloxiGeek - August 31, 2025, 06:44:09 AM
I've come to the conclusion that AT&T actively blocks all protocol 41 packets upstream from the fiber modem for residential internet. Doesn't seem to be any way around that at least as far as I've found.  I spent an hour or more chatting with support and after finally teaching the tech what 41 is for and why it's needed for 6in4 tunnels they came to the conclusion that's just how the network is and they can't allow the packets through.

Since it's AT&T I suspect that's so they can charge extra by making customers switch to business accounts and/or get static IP setup.