seems still no support yet

Well, which miredo-Server are you using?

Hello,
I use Ubuntu 18.04 and installed miredo to use teredo tunneling.
The HE-SIT tunnel is being blocked by my provider, teredo traffic passes.
The problem is I can't reach some addresses.
Here a working one

Code: [Select]

root@amd-server:~# ping6 golem.de
PING golem.de(golem.de (2a00:13c8:f5::f:4b3d:148)) 56 data bytes
64 bytes from golem.de (2a00:13c8:f5::f:4b3d:148): icmp_seq=1 ttl=60 time=186 ms
64 bytes from golem.de (2a00:13c8:f5::f:4b3d:148): icmp_seq=3 ttl=60 time=48.8 ms
64 bytes from golem.de (2a00:13c8:f5::f:4b3d:148): icmp_seq=4 ttl=60 time=45.2 ms
^C
--- golem.de ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3030ms
rtt min/avg/max/mdev = 45.281/93.633/186.752/65.861 ms
root@amd-server:~#
And a non-working

Code: [Select]

root@amd-server:~# ping6 heise.de
PING heise.de(redirector.heise.de (2a02:2e0:3fe:1001:302::)) 56 data bytes
From amd-server (2001:0:c38c:c38c:2ca5:11cd:dae7:df58) icmp_seq=11 Destination unreachable: Address unreachable
From amd-server (2001:0:c38c:c38c:2ca5:11cd:dae7:df58) icmp_seq=12 Destination unreachable: Address unreachable
^C
--- heise.de ping statistics ---
12 packets transmitted, 0 received, +2 errors, 100% packet loss, time 11231ms

root@amd-server:~#
The IPv6 address is also reachable through my HE-Tunnel on another network, so it is not a problem of the site's config.
There are also more addresses that are not reachable.

Code: [Select]

root@amd-server:~# traceroute6 golem.de
traceroute to golem.de (2a00:13c8:f5::f:4b3d:148) from 2001:0:c38c:c38c:2ca5:11cd:dae7:df58, 30 hops max, 24 byte packets
 1  * * 6to4.ams1.he.net (2001:470:0:190::2)  93,563 ms
 2  10gigabitethernet9.switch2.ams1.he.net (2001:470:0:190::1)  28,658 ms  38,018 ms  41,955 ms
 3  * * *
 4  xe-11-1-0-0.blu1-r2.syseleven.net (2a00:13c8:10:c::)  114,63 ms  43,023 ms  42,636 ms
 5  golem.de (2a00:13c8:f5::f:4b3d:148)  42,342 ms  43,234 ms  40,245 ms
root@amd-server:~#


Code: [Select]

root@amd-server:~# traceroute6 heise.de
traceroute to heise.de (2a02:2e0:3fe:1001:302::) from 2001:0:c38c:c38c:2ca5:11cd:dae7:df58, 30 hops max, 24 byte packets
 1  * * *
 2  * amd-server (2001:0:c38c:c38c:2ca5:11cd:dae7:df58)  0,134 ms !H  0,061 ms !H
root@amd-server:~#


Code: [Select]

root@amd-server:~# ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2001::/32 dev teredo proto kernel metric 256 pref medium
fe80::/64 dev teredo proto kernel metric 256 pref medium
default dev teredo metric 1029 pref medium
root@amd-server:~#
here from another network with HE tunnel.

Code: [Select]

user@ubuntu-zbook:~$ traceroute6 heise.de
traceroute zu heise.de (2a02:2e0:3fe:1001:302::) von 2001:470:1f0b:3da:c072:62f0:5553:fef, 30 hops max, 24 byte packets
 1  2001:470:1f0b:3da::1 (2001:470:1f0b:3da::1)  6,8088 ms  1,6686 ms  1,4980 ms
 2  tunnel557714.tunnel.tserv6.fra1.ipv6.he.net (2001:470:1f0a:3db::1)  30,2908 ms * *
 3  10ge3-18.core1.fra1.he.net (2001:470:0:69::1)  24,0092 ms  22,9750 ms  26,5066 ms
 4  * * *
 5  * 2a02:2e0:12:19::1 (2a02:2e0:12:19::1)  25,1772 ms  23,0703 ms
 6  2a02:2e0:12:32::2 (2a02:2e0:12:32::2)  23,5675 ms  27,4573 ms *
 7  2a02:2e0:3fe:0:c::1 (2a02:2e0:3fe:0:c::1)  24,2054 ms !X  24,4846 ms !X  24,1571 ms !X
user@ubuntu-zbook:~$

What is the problem here?
Kind regards

It’s possible that notify messages should go to ns[1-5] also, not slave.  As I set up my zones before TSIG was in use here, you’re on your own for any problems with that issue.

Ok.

@snarked: ty!

With yours suggestions, it runs correctly.


 


But, I continue to get a problem when I notify.

Now I use the notification with TSIG, on hmac-sha512.

Code: [Select]

# grep -v '^#' /var/nsd/etc/nsd.conf                                                                                                                                   

server:
hide-version: yes
verbosity: 1
database: "" # disable database

remote-control:
control-enable: yes
control-interface: /var/run/nsd.sock
key:
    name: "name"
    algorithm: hmac-sha512
    secret: "***"
zone:
    name: "stephane-huc.net"
    zonefile: "signed/stephane-huc.net"
    #zonefile: "zones/master/stephane-huc.net"
    # yeuxdelibad/ybad.name
    notify: 93.6.177.187 name
    provide-xfr: 93.6.177.187 name
    # slave.dns.he.net
    notify: 216.218.133.2 name
    provide-xfr: 216.218.133.2 name
    notify: 2001:470:600::2 name
    provide-xfr: 2001:470:600::2 name


I anonymise key name and secret to publish here

I cant reached dns HE, but the DNS "ybad.name" received informations.

Code: [Select]

# nsd-control notify stephane-huc.net                                                                                                                                 
ok

# grep nsd /var/log/messages | tail -n2
Feb 14 13:30:12 omv nsd[21361]: xfrd: zone stephane-huc.net: max notify send count reached, 216.218.133.2 unreachable
Feb 14 13:30:12 omv nsd[21361]: xfrd: zone stephane-huc.net: max notify send count reached, 2001:470:600::2 unreachable

# ping -c3 216.218.133.2
PING 216.218.133.2 (216.218.133.2): 56 data bytes
64 bytes from 216.218.133.2: icmp_seq=0 ttl=64 time=184.365 ms
64 bytes from 216.218.133.2: icmp_seq=1 ttl=64 time=182.789 ms
64 bytes from 216.218.133.2: icmp_seq=2 ttl=64 time=183.714 ms

--- 216.218.133.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 182.789/183.622/184.365/0.647 ms

# ping6 -c3 2001:470:600::2
PING 2001:470:600::2 (2001:470:600::2): 56 data bytes
64 bytes from 2001:470:600::2: icmp_seq=0 hlim=64 time=182.012 ms
64 bytes from 2001:470:600::2: icmp_seq=1 hlim=64 time=182.573 ms
64 bytes from 2001:470:600::2: icmp_seq=2 hlim=64 time=182.766 ms

--- 2001:470:600::2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 182.012/182.450/182.766/0.320 ms



Hey Ryan,

it's more a thought experiment and not of any real practical use. Sorry if I'll not elaborate on how to do this as it's a bit completely and of no substantial use. If you're really interested, try to learn the whole concept of tunnels and protocols. If you have specific questions, I'll gladly help you then.
And no, I don't know of any server. Best would probably be your own vserver somewhere. In that case, just use it as VPN endpoint, no need to setup tunnel endpoint there.

Hello!; I have a connection of 1 Gbps, and I want to test my bandwidth Speedtest, what is the best way to test that I really get 1 Gbps?

You could create an IPv4 tunnel to somewhere else with a public IPv4, and terminate your HE-tunnel there. Oh, hello MTU problems!

Would this be done when configuring the tunnel on Windows? If not how is this done? Also do you have any examples of Servers that can be used for ipv4 tunneling?

Many Thanks

Ryan

DNS over TLS is done with BIND using stunned as a front end.  Too bad it doesn’t have native TLS as it does use the OpenSSL library.

For DoH you'll obviously need an https-server with a valid certificate (LetsEncrypt?) next to bind. Don't know what's needed for DoT.

For DoH, I found this tut:
https://terminaladdict.com/networking/linux/2019/09/13/DoH.html

(late edit: I somehow overlooked what you did there. Really amazing stuff you did with your NAT64 gateway!)