• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#11
Questions & Answers / HE Tunnelbroker IP's marked as...
Last post by cshilton - October 27, 2025, 01:32:37 PM
This morning I tried to look at my local brewery's event schedule. I was immediately met by a page saying that my location was not served by the brewery's web site. Since I've been a tunnelbroker user for many years, my first debugging move was to turn off IPv6 on my laptop and revisit the site. At the end of the day the problem turned out to be visiting https://app.blocky-app.com from my IPv6 address over the HE tunnel. Since I have controls for both IP addresses and DNS lookups at my edge, it was pretty simple to reconfigure the edge so I visit this site by IPv4 only. I should also note that this block came against my /48 allocation, not the far more often plagued automatic /64.

If the claim here is that tunnelbroker IPv6 blocks were used for fraud, I can't deny that, as they were ten years ago, but today I chalk this up to simple IPv4-centric xenophobia.

I wonder if we should set up a sticky thread of similarly IPv4-centric sites?
#12
General Questions & Suggestions / Re: Updating AAAA records when...
Last post by jschmedes - October 22, 2025, 07:13:34 AM
One option is to update the AAAA records using a dynamic DNS client / API call.

https://dns.he.net/ supports dynamic AAAA records. The homepage has examples.
#13
Questions & Answers / Re: Moved to AT&T Fiber, tunne...
Last post by jschmedes - October 22, 2025, 06:46:57 AM
Rather than disable native IPv6 to set up 6in4, just use native IPv6. Native is better than any IPv6 transition mechanisms.
#14
General Questions & Suggestions / NOTIFY to ns1.he.net returns R...
Last post by dereckson - October 20, 2025, 03:35:30 PM
Recently, we set up a DNS server to manage our nasqueron.org. domain as code.

We are using Knot DNS as the primary server for our zone nasqueron.org, with Hurricane Electric's DNS service as secondaries.

I've noticed DNS NOTIFY requests don't reach HE.

Our configuration sends NOTIFY messages to ns1.he.net. However, Knot logs the following warning:

Oct 18 20:54:37 dns-001 knot[24217]: warning: [nasqueron.org.] notify, outgoing, remote 216.218.130.2@53 TCP, server responded with error 'REFUSED'

The NOTIFY is sent correctly, but the HE secondary refuses it.
The zone is correctly declared on https://dns.he.net as a secondary zone, with our primary server configured under "Master Servers".

We'd like to confirm if we can send a NOTIFY request over TCP (the initial RFC recommends UDP, Knot only implements TCP) or if you see something odd in this configuration.

AXFR polling works correctly.

Thanks in advance for your assistance and for providing such a reliable DNS secondary service.

Primary DNS server setup
* knotd, Knot DNS 3.4.8
* notify sent to 216.218.130.2 and 2001:470:100::2 (ns1.he.net addresses)
* SOA serial bumped (YYYYMMDDNN format)
* Full server configuration: knot.conf
* Zone (SOA record is at the top): nasqueron.org.zone
#15
Questions & Answers / Azure filtering IPv6 requests?
Last post by humeipv6 - October 13, 2025, 11:04:13 AM
I've been noticing performance problems with MS-related traffic, like Teams logins and websites that make use of Azure's CDN.  After some investigation, it looks as though the Azure CDN will accept connections, but then the request times out.  For example:

$ curl -vk ecom-cdn.afd.azureedge.net

*   Trying [2620:1ec:bdf::51]:80...
* Connected to ecom-cdn.afd.azureedge.net (2620:1ec:bdf::51) port 80 (#0)
> GET / HTTP/1.1
> Host: ecom-cdn.afd.azureedge.net
> User-Agent: curl/7.88.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer


This happens pretty consistently on all IPs in my Tunnelbroker /48.  It does NOT happen from my workplace, which has its own IPv6 block.

I know some ISPs have marked tunnelbroker blocks as hostile.  At this point I'm just curious if anyone else has noticed similar behaviour from MS.
#16
General Questions & Suggestions / Updating AAAA records when a d...
Last post by BiloxiGeek - September 06, 2025, 06:42:00 AM
Is there a best practice method for updating multiple AAAA records when/if the /64 prefix delegation I'm getting from AT&T changes? I've read that an A6 record used to be in place for this sort of thing but near as I can tell it's now obsolete.
#18
Questions & Answers / Re: Moved to AT&T Fiber, tunne...
Last post by BiloxiGeek - August 31, 2025, 06:44:09 AM
I've come to the conclusion that AT&T actively blocks all protocol 41 packets upstream from the fiber modem for residential internet. Doesn't seem to be any way around that at least as far as I've found.  I spent an hour or more chatting with support and after finally teaching the tech what 41 is for and why it's needed for 6in4 tunnels they came to the conclusion that's just how the network is and they can't allow the packets through.

Since it's AT&T I suspect that's so they can charge extra by making customers switch to business accounts and/or get static IP setup.
#19
IPv6 on Linux & BSD & Mac / script for automatic tests of ...
Last post by chandro - August 29, 2025, 01:05:37 PM
Well, pretty sure many of you have already done them all, but for the ones that are still behind, here is a simple script for Linux:

https://github.com/chandro/henet

It will do the daily tests automatically if you configure it with crontab.

Yeah, there were many versions; I updated it to this one, and it is working.

Alex.
#20
Questions & Answers / Moved to AT&T Fiber, tunnel br...
Last post by BiloxiGeek - August 26, 2025, 09:18:00 AM
Recently moved from a cable modem with a tunnel setup that was working to AT&T fiber and now I can't get the tunnel working.  I've put the fiber modem (BGW320) into passthrough mode, disabled the IPv6 and its firewall.

I got this set up on a Netgate pfSense appliance (SG2100) and it was working just fine on the cable modem.  I've poked around in the pfSense and I don't see anything that seems to be set differently now or needs to be set differently. Is there something about this fiber modem that will block a tunnel from working?