• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Google forcing ReCAPTCHA on all searches from my HE assigned IPv6 address

Started by cshilton, May 31, 2023, 01:58:14 PM


Having similar issues, sad to see a bunch of sites blocking IPv6 tunnels. My ISP is absolutely refusing to implement any form of IPv6, so using the HE tunnel is the only way for my network to get it.


Well, I've gotten 403 as well. IPv4 search works, IPv6 through the tunnelbroker gets error 403 (forbidden). It literally happened within the last couple of hours or so. When the reCAPTCHA problem hit, tunnelbroker support said they are working on it with Google, I guess everything fell through after all.


I have 5 tunnels and all of them are getting the same "Your client does not have permission to get URL / " from Google Search.

I was very concerned, I was getting the captcha 2 weeks ago, and then last week it stopped. Now no one in our business locations or home is able to do Google search unless we enter something in /etc/hosts.

I was concerned we had some rogue boxes or systems. We are not a large company, but have a number of systems running, and I thought maybe someone's phone or tablet may have had some extension installed that could have been causing this.

We configured some Sflows to monitor traffic to Google, but the traffic was not showing any strange use or a high number of requests for searches.

I did a check also from my hosted servers that have tunnels and all of the same issues.

I would hope that Hurricane Electric might be aware of this problem and get some communication into Google support. We are a business customer and Google refuses to speak to us on this issue.

I guess it would be best to put in a ticket into HE, I do know, HE responds very quickly to requests or concerns.


Quote from: linuxsrc on June 21, 2023, 07:15:13 AM
I guess it would be best to put in a ticket into HE, I do know, HE responds very quickly to requests or concerns.

Not so much lately. I sent them a message a couple of weeks ago on a different issue, they did respond by saying go deal with it yourself, refusing to answer any follow-up question. Today, I emailed them about this and there was 0 response in the few hours since. Finally, when I asked them about the captcha situation 3 weeks ago, they said they are talking to Google or so but apparently that didn't work out after all.


I'm really wondering if this is the end for my IPv6 with HE. I have a customer that is using HE and I use it as well. I hope this is not the case as I can't get a /64 with CenturyLink. I'm in Denver, USA.

It would be nice if HE posted status updates on this thread.


I can confirm. I am having the same issues with Google responding with a 403 for all base URLs. I also had it forcing re-captcha for a couple weeks.


Same here, 403.
I didn't realize that the reCAPTCHA issue was caused by this (till now).


Same problem here (reCaptcha and 403 now). Got the following reply after contacting HE at ipv6@he.net:

Quote: Thank you for reaching out. We are aware of the issue and are working with Google to resolve it.


I had to disable the tunnel again as this was becoming problematic, and I did not feel inclined to start trying to hunt down every possible Google domain in order to put a firewall rule in place to block them.

I had not visited here yet so I didn't know if others were experiencing the same, but I also started to get numerous "403 Forbidden" errors from Google when attempting to use Google Search via IPv6. This followed a few months of getting forcibly signed out of Google Workspace accounts due to what Google termed as "suspicious activity" (though I could not identify anything), and experiencing numerous reCAPTCHA requests from Google last week.



What I do with Firefox is about:config |  network.dns.ipv4OnlyDomains
Enter:  .google.com

There is no setting in Chrome that I know of to do this same function.
This is very annoying on Android phones.  On Android you can switch to Firefox Beta and enter that setting.

This type of stunt from Google is disgusting and shows what a "heavy hand" they have.


Same issue here. There's a setting in the Chrome Enterprise version, https://chromeenterprise.google/policies/#BuiltInDnsClientEnabled, that disables Chrome's built-in DNS client. You also have to disable the https://chromeenterprise.google/policies/#DnsOverHttpsMode policy as well. At that point I speculate that if you do a DNS resolver override on your firewall (if you have that option) to point the google.com domain at an external IPv4 resolver such as it may force the connection down to IPv4 outside the IPv6 tunnel. Haven't tried it yet but plan to in the next few days. Very frustrating, and I agree, Google has gone fully off the rails on this. Side note, HE.net support has been very quick to respond to my support emails. Hopefully they have some luck getting Google to change this back. Otherwise it's DuckDuckGo FTW.


Same via EE broadband in the UK. Tunnelbroker connections to Google search come back with error 403. Turning off IPv6 in the client, leaving IPv4 only, restores a working page.


Quote from: Jenick on June 21, 2023, 09:20:44 PM
At that point I speculate that if you do a DNS resolver override on your firewall

Simply blocking AAAA resolution for *.google.com (and optionally *.google.<country_code>) in the Unbound resolver (plus blocking/disabling DoH/DoT) on the firewall works, leaving IPv6 usable for the rest of the net. People using pfSense + pfBlockerNG can test this easily.


Same here.  Google searches do not work for me over my HE assigned IPv6.
I get the 403 "Your client does not have permission to get URL" message.

A week or two ago, I was getting a different error message but I didn't write it down.

Google searches over an IPv4-only machine work fine.