• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Recent posts

#11
General Questions & Suggestions / Re: Zone limits was changed?
Last post by blade5502 - February 25, 2025, 06:42:04 AM
Got the same issue
Relog didn't solve it for me
#12
Questions & Answers / strange spam of wpad queries ....
Last post by pmf026 - February 24, 2025, 03:40:00 AM
Legend:

216.66.80.90 / 2001:470:27:3be::1 = my tunnel endpoint
2001:470:0:11e::2 = tserv1.sto1.he.net.
2001:470:27:3be::2 = my server that is being queried for the 'wpad' record.
lan.kaillera.ru. is my local network zone (v4+v6)

Question: What might be the cause of this? I mean, everything works fine on my end, and yet there are tons of these in my logs...

24-Feb-2025 08:58:39.686 security: info: client @0x7f11bc4d7670 2001:470:0:11e::2#25167 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
24-Feb-2025 08:58:39.690 security: info: client @0x7f11c853f7d0 216.66.80.90#23548 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 08:58:39.706 security: info: client @0x7f11c854b740 2001:470:0:11e::2#28185 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
24-Feb-2025 08:58:39.706 security: info: client @0x7f11cc65a2b0 2001:470:0:11e::2#61861 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 08:58:39.726 security: info: client @0x7f11bc56ee10 2001:470:0:11e::2#52237 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
24-Feb-2025 08:58:39.726 security: info: client @0x7f11c44f6c20 2001:470:0:11e::2#17834 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 09:21:45.448 security: info: client @0x7f11c854ed90 2001:470:0:11e::2#5745 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 09:21:45.456 security: info: client @0x7f11c853f7d0 216.66.80.90#50366 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
24-Feb-2025 09:21:45.468 security: info: client @0x7f11cc681580 2001:470:0:11e::2#34186 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 09:21:45.476 security: info: client @0x7f11c854ed90 2001:470:0:11e::2#11063 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
24-Feb-2025 09:21:45.484 security: info: client @0x7f11bc4f9e10 2001:470:0:11e::2#17678 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 09:21:45.492 security: info: client @0x7f11c4537930 2001:470:0:11e::2#40996 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
24-Feb-2025 09:21:45.504 security: info: client @0x7f11c853f7d0 216.66.80.90#39871 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/AAAA/IN' denied
24-Feb-2025 09:21:45.512 security: info: client @0x7f11bc4f9e10 2001:470:0:11e::2#53345 (wpad.lan.kaillera.ru): query 'wpad.lan.kaillera.ru/A/IN' denied
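An added example, not part of the original post: a small Python parser for BIND `query ... denied` security-log lines in the format quoted above, tallying denials per source address and grouping them into bursts so the pattern is easier to read than the raw log. The sample lines are constructed (documentation addresses, placeholder zone `lan.example.net`), and the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of the log lines quoted in the post;
# addresses are documentation ranges and the zone is a placeholder.
SAMPLE_LOG = """\
24-Feb-2025 08:58:39.686 security: info: client @0x7f0000000010 2001:db8:0:11e::2#25167 (wpad.lan.example.net): query 'wpad.lan.example.net/A/IN' denied
24-Feb-2025 08:58:39.690 security: info: client @0x7f0000000020 192.0.2.90#23548 (wpad.lan.example.net): query 'wpad.lan.example.net/AAAA/IN' denied
24-Feb-2025 08:58:39.706 security: info: client @0x7f0000000030 2001:db8:0:11e::2#28185 (wpad.lan.example.net): query 'wpad.lan.example.net/A/IN' denied
24-Feb-2025 09:21:45.448 security: info: client @0x7f0000000040 2001:db8:0:11e::2#5745 (wpad.lan.example.net): query 'wpad.lan.example.net/AAAA/IN' denied
24-Feb-2025 09:21:45.456 security: info: client @0x7f0000000050 192.0.2.90#50366 (wpad.lan.example.net): query 'wpad.lan.example.net/A/IN' denied
24-Feb-2025 09:21:46.000 general: info: zone lan.example.net/IN: loaded serial 1
"""

DENIED = re.compile(
    r"^(?P<ts>\S+ \S+) security: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9A-Fa-f:.]+)#(?P<port>\d+) \([^)]*\): "
    r"query '(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)

def parse_denied(text):
    """Return one dict per 'query ... denied' line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
            out.append(rec)
    return out

def by_client(records):
    """Count denied queries per (source address, qname, qtype)."""
    return Counter((r["client"], r["qname"], r["qtype"]) for r in records)

def bursts(records, gap=timedelta(seconds=1)):
    """Group records into bursts separated by more than `gap` of silence."""
    groups = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if groups and r["ts"] - groups[-1][-1]["ts"] <= gap:
            groups[-1].append(r)
        else:
            groups.append([r])
    return [(g[0]["ts"], len(g), sorted({r["client"] for r in g})) for g in groups]

if __name__ == "__main__":
    recs = parse_denied(SAMPLE_LOG)
    for key, n in by_client(recs).most_common():
        print(n, *key)
    for start, n, clients in bursts(recs):
        print(start, n, clients)
```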
#13
Questions & Answers / Re: I'm getting a HTTP 500 err...
Last post by gnarlymarley - February 22, 2025, 09:00:21 AM
Could be a temporary issue with your tunnel end point.  Seems to work for me with creating and updating my tunnels.  You might want to try another end point.
#14
Suggest a Test! / Local network administrator's ...
Last post by bertofurth - February 22, 2025, 03:46:47 AM
I have an idea for an IPv6 network administrator's test.

First the test taker has to specify a /64 prefix that they have control of. Next the test asks the student to configure a host with a static IPv6 address on that network with a specified randomly generated host portion (maybe the first 64 bits of the md5sum of their username so it's constant). The network administrator then has to make sure that they configure their firewall and so forth so that he.net can ping that IPv6 address.

Next, the student must configure a new AAAA record corresponding to the host that was just pinged and he.net will try to resolve that. (After all, they must control a domain if they've passed the other IPv6 tests right?)

Next, a tcp service (any service...telnet, ftp, web, etc) needs to be configured on a random high port number on the host. Even something like "nc" to create a simple service on linux, for example to create a service on tcp port 9999....

while (true) do nc -6 -l 9999; done


Configure the firewall so that he.net can establish a tcp connection (and then disconnect) to confirm that the port is reachable on the host.

Finally have the user reconfigure the firewall so that the host can NOT be pinged (i.e. block ICMPv6 or ICMPv6 echo) but the TCP service must still be reachable. This will prove that the student has basic IPv6 firewall configuration skills and that they haven't just disconnected the host from the network!

Maybe then ask some questions about their local IPv6 network setup such as whether their network only uses SLAAC for address configuration and/or DHCPv6. Ask some questions about the M flag and O flag in the IPv6 RA and how they affect how hosts get configured.

Anyway, just some food for thought. I had a lot of fun setting up the mail server and web service in the other tests and having he.net verify them.

Thanks he.net!
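An added example, not part of the original post and not he.net's code: a Python sketch of the checker side of the proposed test, deriving the host address from a /64 prefix plus the first 64 bits of the MD5 of the username, and probing the TCP port. Hashing the UTF-8 username without a trailing newline is an assumption, as are the function names; the prefix in the usage line is a documentation range.

```python
import hashlib
import ipaddress
import socket

def derive_host_address(prefix, username):
    """Combine a /64 prefix with the first 64 bits of md5(username).

    Assumption: the username is hashed as UTF-8 with no trailing newline.
    """
    # strict=True rejects input with host bits set, e.g. 2001:db8::1/64
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix, got /%d" % net.prefixlen)
    digest = hashlib.md5(username.encode("utf-8")).digest()
    iid = int.from_bytes(digest[:8], "big")  # interface identifier, 64 bits
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP handshake to [addr]:port completes; then disconnect."""
    try:
        with socket.create_connection((str(addr), port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, filtered (timeout) or no IPv6
        return False

if __name__ == "__main__":
    addr = derive_host_address("2001:db8:1:2::/64", "exampleuser")
    print("expected host address:", addr)
    print("tcp/9999 reachable:", tcp_reachable(addr, 9999))
```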



#15
General Discussion / Re: Sage T-Shirt
Last post by pcela - February 17, 2025, 07:52:49 AM
My t-shirt status is shipped and I passed my sage certificate in February 2023. It's now February 2025 and I still don't have the t-shirt.
#16
General Questions & Suggestions / ns1,ns2 and ns4 out of sync?
Last post by frleong - February 02, 2025, 05:45:37 PM
Hello,

Has anyone noticed that ns1.he.net, ns2.he.net and ns4.he.net are out of sync with ns3.he.net and ns5.he.net? I mean, I am using these servers as secondary DNS servers, but ns1, ns2 and ns4 have stopped updating since Jan 29. Also, ns3.he.net does not respond to IPv6 requests.

Francisco
#17
The other thing is the "if it is not broken, don't fix it" thought process: as ipv4 works perfectly, why spend money on it, right? I just keep thinking about how every smartphone has it already, so a smartphone connected to the Wi-Fi would have both versions running anyway, so why not add in the ipv6, right, as a security precaution? Who knows.
#18
My IPS/IDS (intrusion detection, intrusion prevention system) rarely sees issues on ipv6. It does see them, because every once in a while it spots one and blocks it, but when juxtaposed to ipv4 there are tons of detections and blocks and abuse. It just seems logical that the version with less abuse would be more ideal.
#19
General Questions & Suggestions / Re: California University Syst...
Last post by Pentium4User - January 30, 2025, 08:32:40 AM
Lazy admins, managers who don't want it, no time, or "no need".
#20
General Questions & Suggestions / California University System
Last post by jonathanlee571 - January 30, 2025, 08:25:21 AM
I was wondering if anyone can explain why a major University would not support or deploy ipv6 yet? I was told about ipv6 back in 2000-2002 at RTI (regional technical institute) that it was going to replace everything. In 2025 it still seems to be delayed and even blocked. Does anyone know what risks are associated with ipv6, and/or why a university would choose to not utilize the newer protocol? It seems all of my smartphones are now using this, and it is not just an ISP thing, as there are ways to get ipv6 by way of a broker (California based tunnel broker), so why not use it? Why would the university system not use it, yet allow smartphones to use it?