• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#11
Questions & Answers / Re: Changing tunnel servers
Last post by ertyu - November 04, 2025, 05:15:30 PM
When I've changed tunnel servers in the past it did involve renumbering.
I believe you can have multiple active tunnels.
#12
Questions & Answers / Changing tunnel servers
Last post by cshilton - November 04, 2025, 07:39:20 AM
Since I've switched ISPs from Optimum to Frontier, it's looking like my closest tunnel server has changed from New York City to Ashburn, Virginia. A quick traceroute to each shows NYC at 15ms and Ashburn at about 9ms. My reason for looking into this is that last night I noticed that there was a temporary problem with my link between my VA net egress and NYC tunnel servers. My ping times to Google, Yahoo, etc., shot up to 150ms. The problem is fixed this morning. And don't take my amateur's diagnosis on the location of the problem. But it looks like it's probably worthwhile to change.

Q: When I change tunnel servers I also have to get a new /48?

This means renumbering the network which means renumbering the handful of static assignments that I've made.

Q: Can I keep two tunnels up for a week or two while I shake out potential problems?
#13
Questions & Answers / Seattle Packet Loss
Last post by ertyu - November 01, 2025, 11:24:10 AM
I'm seeing ~25% packet loss on some routes from the Seattle tunnel server. Started about 19 hours ago.
#14
Questions & Answers / Re: BGP tunnel no longer annou...
Last post by Haveanukacola - October 30, 2025, 10:01:19 AM
I'll look into it if I'm able to
#15
Questions & Answers / BGP tunnel no longer announcin...
Last post by sesse - October 28, 2025, 12:31:08 PM
Hi,

I have a BGP tunnel to Frankfurt, and since last Monday or so, my network seems to no longer be announced; I get lots of routes from HE, and can send out packets, but outside networks don't see my route, so I cannot get anything back. (Well, if I ping my link address for the BGP, it works just fine!)

I've tried emailing he@ipv6.net, but no response except the automatic "a case has been created". Does anyone know what's going on?
#16
Questions & Answers / HE Tunnelbroker IP's marked as...
Last post by cshilton - October 27, 2025, 01:32:37 PM
This morning I tried to look at my local brewery's event schedule. I was immediately met by a page saying that my location was not served by the brewery's web site. Since I've been a tunnelbroker user for many years, my first debugging move was to turn off IPv6 on my laptop and revisit the site. At the end of the day the problem turned out to be visiting https://app.blocky-app.com from my IPv6 address over the HE tunnel. Since I have controls for both IP addresses and DNS lookups at my edge, it was pretty simple to reconfigure the edge so I visit this site by IPv4 only. I should also note that these blocks came against my /48 allocation, not the far more often plagued automatic /64.

If the claim here is that tunnelbroker IPv6 blocks were used for fraud, I can't deny that, as they were ten years ago, but today I chalk this up to simple IPv4-centric xenophobia.

I wonder if we should set up a sticky thread of similarly IPv4-centric sites?
#17
General Questions & Suggestions / Re: Updating AAAA records when...
Last post by jschmedes - October 22, 2025, 07:13:34 AM
One option is to update the AAAA records using a dynamic DNS client / API call.

https://dns.he.net/ supports dynamic AAAA records. The homepage has examples.
#18
Questions & Answers / Re: Moved to AT&T Fiber, tunne...
Last post by jschmedes - October 22, 2025, 06:46:57 AM
Rather than disable native IPv6 to set up 6in4, just use native IPv6. Native is better than any IPv6 transition mechanism.
#19
General Questions & Suggestions / NOTIFY to ns1.he.net returns R...
Last post by dereckson - October 20, 2025, 03:35:30 PM
Recently, we set up a DNS server to manage our nasqueron.org. domain as code.

We are using Knot DNS as the primary server for our zone nasqueron.org, with Hurricane Electric's DNS service as secondaries.

I've noticed DNS NOTIFY requests don't reach HE.

Our configuration sends NOTIFY messages to ns1.he.net. However, Knot logs the following warning:

Oct 18 20:54:37 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 216.218.130.2@53 TCP, server responded with error 'REFUSED'

The NOTIFY is sent correctly, but the HE secondary refuses it.
The zone is correctly declared on https://dns.he.net as a secondary zone, with our primary server configured under "Master Servers".

We'd like to confirm whether we can send a NOTIFY request over TCP (the initial RFC recommends UDP, Knot only implements TCP) or if you see something odd in this configuration.

AXFR polling works correctly.

Thanks in advance for your assistance and for providing such a reliable DNS secondary service.

Primary DNS server setup
* knotd, Knot DNS 3.4.8
* notify sent to 216.218.130.2 and 2001:470:100::2 (ns1.he.net addresses)
* SOA serial bumped (YYYYMMDDNN format)
* Full server configuration: knot.conf
* Zone (SOA record is at the top): nasqueron.org.zone
#20
Questions & Answers / Azure filtering IPv6 requests?
Last post by humeipv6 - October 13, 2025, 11:04:13 AM
I've been noticing performance problems with MS-related traffic, like Teams logins and websites that make use of Azure's CDN.  After some investigation, it looks as though the Azure CDN will accept connections, but then the request times out.  For example:

$ curl -vk ecom-cdn.afd.azureedge.net

*   Trying [2620:1ec:bdf::51]:80...
* Connected to ecom-cdn.afd.azureedge.net (2620:1ec:bdf::51) port 80 (#0)
> GET / HTTP/1.1
> Host: ecom-cdn.afd.azureedge.net
> User-Agent: curl/7.88.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer


This happens pretty consistently on all IPs in my Tunnelbroker /48.  It does NOT happen from my workplace, which has its own IPv6 block.

I know some ISPs have marked tunnelbroker blocks as hostile.  At this point I'm just curious if anyone else has noticed similar behaviour from MS.