• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

rdns with afraid.org

Started by sixten, May 16, 2008, 05:49:17 PM

Previous topic - Next topic

sixten

Hello

Im new to this, just started to experiment with it.
I've installed ipv6 in winxp and i can browse pages, if i visit http://www.whatismyipv6.net/ it says my ip is: 2001:470:1f14:af::2

Im trying to setup a reverse dns with afraid, and first it asks me for my ipv6 subnet, i assume this is my routed /64 or /48?
Wich btw are:
2001:470:d04d::/48
2001:470:1f15:af::/64

So ive entered them both. Now, next question afraid has is what is my ipv6 ip, and it starts by entering "2001:0470:1f15:00af:" and im supposed to fill out the rest, but to me it makes no sense, http://www.whatismyipv6.net/ said my ip was 2001:470:1f14:af::2 so what am i supposed to write?

karlbrose

Sounds like you're not using your subnets, your box is just using the transit tunnel endpoint IP.
You can't get DNS delegation for that, and if you're not using the subnet, then there isn't much sense in setting up reverse DNS.
I would also recommend learning about DNS first, cf. DNS & BIND (O'Reilly), then those questions will be clearer.

snarked

Quote... Wich btw are:
2001:470:d04d::/48
2001:470:1f15:af::/64

So ive entered them both. Now, next question afraid has is what is my ipv6 ip, and it starts by entering "2001:0470:1f15:00af:" and im supposed to fill out the rest, but to me it makes no sense, ...
First off, you have to enter them as reverse zones:

d.4.0.d.0.7.4.0.1.0.0.2.ip6.arpa
f.a.0.0.5.1.f.1.0.7.4.0.1.0.0.2.ip6.arpa

As far as the remaining 64 bits (for /64) or 80 bits (for /48) go, you have to pick them.

I've never used IPv6 delegation to freedns, so you're on your own for that.

Quote... http://www.whatismyipv6.net/ said my ip was 2001:470:1f14:af::2 so what am i supposed to write?
That's because your system used that address when you visited that site.

avongauss

#3
Actually, afraid.org uses a rather user-friendly interface for IPv6 RDNS to where you only need to enter the prefixes and then you can create the individual hosts without worrying about RDNS zones or formatting. 

I believe karlbrose is correct in that it is using the transit address as the "best" source address rather than the one assigned from the delegated prefix.  If you were running Linux I could tell you how to set the source address and I'm sure Windows XP has the ability as well.  The terms you definitely want to look/google for is "source address". IPV6 and for Windows local prefix policy table. 

I don't have any tunnels on a Windows machine, but I believe if you do the following from a command prompt:

netsh
interface ipv6
show prefixpolicy
add prefixpolicy

You will see the current prefix policies and the syntax of the command(s) you will need to do in order to setup a local policy to prefer the delegated prefix rather than the transit prefix for new outbound connections such as your browser.  Also, if you haven't done so already you will need to add an IPv6 address from your delegated prefix to the adapter, such as 2001:470:1f15:af::10. 

sixten

I got it to work yesterday :)

Basically the reversedns was working fine for my /64 and /48 subnets, freedns.afraid.org is very idiot friendly in its gui setups. But when connecting to for example a ipv6 irc server it would not resolve my desired hostname.
The problem was as most of you already have figured out, i was using the wrong ip adress, the example config tunnelbroker offered was this:
ipv6 install
ipv6 rtu ::/0 2/::216.66.84.46 pub
ipv6 adu 2/2001:470:1f14:af::2

I changed the last line to: ipv6 adu 2/2001:470:1f15:af::2

That way when connecting to something (irc, webpage) i will have this ip: 2001:470:1f15:af::2
And that ip is routed to my nameserver (afraid.org) wich then translates the ip to my desired hostname.

karlbrose

You should not change the tunnel end point address the way you did.
It is an administrative interface and as such the tunnel server side may rely on that address for monitoring of the service. I don't know HE's policy, but it could result in your tunnel being terminated because it would appear as dead as it cannot be pinged.
The correct approach is to add a subnet address to the ethernet interface (or a second address to the tunnel end point if you're not routing the subnet to your ethernet) and then set the source routing policy.

sixten

Quote from: karlbrose on May 19, 2008, 09:38:06 AM
You should not change the tunnel end point address the way you did.
It is an administrative interface and as such the tunnel server side may rely on that address for monitoring of the service. I don't know HE's policy, but it could result in your tunnel being terminated because it would appear as dead as it cannot be pinged.
The correct approach is to add a subnet address to the ethernet interface (or a second address to the tunnel end point if you're not routing the subnet to your ethernet) and then set the source routing policy.

How would i go about doing any of that on winxp? Basically, ipv6 works, nameserver settings works, all i need is for my computer to use one of the routed IP adresses instead of the tunnel client ip that is not routed.

karlbrose

#7
Ok, here is a short how-to:

You can add your first subnet address to the tunnel endpoint with the same command you already used
or (better) this one:

   netsh interface ipv6 add address "your tunnel interface name" 2001:470:1f15:af::1

You can get "your tunnel interface name" with this, it will be in the Name column:

   netsh int ipv6 show interface

Now you need to change the source routing policy for your administrative tunnel end point address.
The command for that is netsh int ipv6 set|add prefixpolicy <address>/length <precedence> <label>

First, learn what the parameters are:
   netsh int ipv6 set prefixpolicy help
   netsh int ipv6 add prefixpolicy help

and learn what your table looks like to begin with:

   netsh int ipv6 show prefixpolicy

You should save that output as a reference.

The command to change the tunnel address policy is:

   netsh int ipv6 add prefixpolicy  2001:470:1f14:af::2/128   5   10

The IP address of course is the client-side tunnel address with its mask length /-appended.
You can change the precedence (5) and label (10) if you wish, but these should work ok.
The important fact is that the label (10) needs to be DIFFERENT than for the rule that matches the destination addresses (i.e. the default route ::/0) for which you want your administrative tunnel end point address hidden. 10 will likely be larger than any of your rules, and should suffice therefore.

Now, I should caution that I haven't actually done this with an HE tunnel on WinXP, I don't have an extra one to play with, but this method of modifying the policy table has worked on FreeBSD and I have tested the principle on WinXP with routed addresses. This also works on Win Vista where I used a go6.net tunnel.  On Vista, the command syntax has slightly changed, for example, "show prefixpolicy" and others are using the plural form (policies).

Another annoyance can be that the policy table sometimes gets wiped out totally with the first "set" command (particularly with Vista). You have to re-enter the whole table in that case.
Here is the standard table and you can cut/paste it right from here.

netsh int ipv6 add prefixpolicy ::1/128         50  0
netsh int ipv6 add prefixpolicy ::/0            40  1
netsh int ipv6 add prefixpolicy 2002::/16       30  2
netsh int ipv6 add prefixpolicy ::/96           20  3
netsh int ipv6 add prefixpolicy ::ffff:0:0/96   10  4
netsh int ipv6 add prefixpolicy 2001::/32        5  5


Another point comes to mind, at least on Vista, I had to assign the subnet address to the tunnel endpoint, whereas I rather have it on the physical interface and leave the tunnel alone for transit. But last time I tried it, it didn't work and would just block IPv6 and use IPv4 instead.

Nota bene: The last rule (precedence 10) specifies how to treat IPv4 traffic, as it is the compatible IPv6 address. If you give it higher precedence over the rule 40, the system will always prefer IPv4 over 6.

Addendum: The command
   netsh int ipv6 reset
will also reset the policy table to its default state.

sixten

Thanks for the effort to explain, really i appriciate it. :)

A couple of things, i have several interfaces relating to ipv6 and i don't really know wich one does what, or why one of them is disconnected.

Idx  Met   MTU    State         Name
---  ----  -----  ------------  -----
  7     2   1280  Disconnected  Teredo Tunneling Pseudo-Interface
  6     0   1500  Connected     Intel 100mbit LAN
  5     0   1500  Connected     VMware Network Adapter VMnet1
  4     0   1500  Connected     VMware Network Adapter VMnet8
  3     1   1280  Connected     6to4 Pseudo-Interface
  2     1   1280  Connected     Automatic Tunneling Pseudo-Interface
  1     0   1500  Connected     Loopback Pseudo-Interface

However, i just picked one out of the bunch and it worked (i think) it changed my ip adress to the one i wanted. I tried the "Automatic Tunneling Pseudo-Interface".

One thing that seems to not work is to reverse lookup my ipv6 adress, using this link everything seems to be exactly right http://tinyurl.com/6cralc
Should it not be possible to just do a nslookup 2001:0470:1f15:00af::2 in winxp? Im pretty sure this worked just a day or two ago, at least the /dns command from mirc did a correct lookup.

Another thing, does these settings get wiped at reboot? Seems like ipv6 stops working when rebooting.

karlbrose

Your rDNS is working fine. Another (better) website for checking from a remote site is this:
   http://www.maths.tcd.ie/cgi-bin/check_dns.pl
They do both reverse and then a forward lookup.

You cannot use nslookup on Windows with a straight address as argument, cf. http://support.microsoft.com/?kbid=200525

Your configuration should remain after a reboot.
The netsh commands have another option that can be specified:  store = active|persistent. The default is 'persistent', whereas 'active' will only live until reboot. There are also options to specify the lifetimes of change, see the help-form of the commands.