Which takes priority, ipv4, or ipv6?

[Richmond]

I have configured an ipv6 tunnel. If I visit this site:

http://ip6.me/

The "normal" test shows my ipv4 address, and the:

http://ip6only.me/

shows the ipv6 address.

However if I switch my DNS from opendns to the one provided by my ISP
and then run the "normal" test it shows the ipv6.

The note says:

(preference depends on your OS/client)

So how is the preference determined? It seems to be determined by the
DNS, but why or how do I tell for example with host -v?

[Jeremy Ardley]

On 27/3/23 19:48, Richmond wrote:
>
> So how is the preference determined? It seems to be determined by the
> DNS, but why or how do I tell for example with host -v?

When you as a DNS about a hostname it can return an A record and/or an
AAAA record.

The A record is IPv4 and the AAAA record is IPv6

When you get both it is then up to your application to choose IPv4 or
IPv6 for the connection.

If either fails the application will then try the other before finally
failing.

You need a DNS that can return A and AAAA records, and an application
that can use either.

I have noticed in my debian LAN that utilities such as ssh prefer IPv6
and if that is not possible will use IPv4

--
Jeremy
(Lists)

[Vincent Lefevre]

It appears to be random (based on past tests).

But one can set the preference via "/etc/gai.conf". In particular:

# For sites which prefer IPv4 connections change the last line to
#
#precedence ::ffff:0:0/96 100

I had to uncomment this line in the past when I had IPv6 issues.

--
Vincent Lefèvre <vin...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

[Jeremy Ardley]

On 27/3/23 20:05, Richmond wrote:
> Jeremy Ardley <jer...@ardley.org> writes:
>
>
> Both DNS return AAAA records. I am not sure why this choice of DNS
> should make a difference.
>
> host -v ip6.me |grep AAAA
> IN AAAA
> 9306 IN AAAA 2001:4838:0:1b::201
> host -v ip6.me 8.8.8.8|grep AAAA
> IN AAAA
> 10800 IN AAAA 2001:4838:0:1b::201
> host -v ip6.me 79.79.79.78|grep AAAA
> IN AAAA
> 300 IN AAAA 2001:4838:0:1b::201
>
I can only speculate that the difference is the order of A and AAAA records received. And that is only speculation as I have no evidence that ordering is used by some applications.

--
Jeremy
(Lists)

[Richmond]

[Richmond]

Vincent Lefevre <vin...@vinc17.net> writes:

> On 2023-03-27 12:48:13 +0100, Richmond wrote:
>> I have configured an ipv6 tunnel. If I visit this site:
>>
>> http://ip6.me/
>>
>> The "normal" test shows my ipv4 address, and the:
>>
>> http://ip6only.me/
>>
>> shows the ipv6 address.
>>
>> However if I switch my DNS from opendns to the one provided by my ISP
>> and then run the "normal" test it shows the ipv6.
>>
>> The note says:
>>
>> (preference depends on your OS/client)
>>
>> So how is the preference determined? It seems to be determined by the
>> DNS, but why or how do I tell for example with host -v?
>
> It appears to be random (based on past tests).
>
> But one can set the preference via "/etc/gai.conf". In particular:
>
> # For sites which prefer IPv4 connections change the last line to
> #
> #precedence ::ffff:0:0/96 100
>
> I had to uncomment this line in the past when I had IPv6 issues.

I uncommented the table and changed the 2002 to 2001 and that seems to
have prioritized ipv6 but it's a bit of guesswork for me:

precedence ::1/128 50
precedence ::/0 40
precedence 2001::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 10

Now if I go to google.com for example, ipvfoo (extension for chromium)
tells me I am using ipv6.

[Michael Stone]

Modern browsers generally follow https://www.rfc-editor.org/rfc/rfc6555
and connect to both, using whichever connection completes first.

You may see different results on repeated connection attempts (but not
necessarily for immediate retries due to connection caching).

[dave...@tuxfamily.org]

That's weird… It should not be reslover-dependant unless your default
resolver either don't support IPv6 which seems not to be the case, or
(wrongfully) prioritize IPv4 unless the resolved name has IPv6 only?

In "normal" context, it's not determined by the DNS resolver, but it can
be limited by the DNS resolver, of course if the resolver answers for
IPv4 only (A record).

If the resolver can return both IPv4 and IPv6 records, and both your OS
and application supports it, which debian does and most half-decent web
browser do, then the OS or application config decides whether enable
IPv6 or not. If IPv6 is enabled, it should be prioritized and IPv4 is
used as fallback if IPv6 fails (e.g, when connecting to an IPv4 only
server, or using IPv4 only resolvers, if those still exist).

For debian and multiple other distros, it depends on systemd settings.
On debian, IPv6 can be disabled in /etc/sysctl.conf, as far as I know it
is enabled by default, unless need to add line(s) like

net.ipv6.conf.all.disable_ipv6 = 1

To /etc/sysctl.conf, then reload the file with sysctl command, or
reboot. Note that "=1" mean disable, NOT enable, since the option names
are in the negative form.

PS: For Non-debian-like systemd-based distros, espcially RHEL, Fedora
and so on have a different path for these options. I don't remember the
exact but there's no /etc/sysctl.conf
And For non-systemd distros, it is usually a bootloader option. for
GRUB, it's the "ipv6.disable=1" parameter to the
"GRUB_CMDLINE_LINUX_DEFAULT" in "/etc/default/grub" file

[Andy Smith]

On Mon, Mar 27, 2023 at 12:48:13PM +0100, Richmond wrote:

> So how is the preference determined? It seems to be determined by the
> DNS, but why or how do I tell for example with host -v?

I'm not adding anything new here, only pulling together what has
already been said in several different replies.

There are three main places where this can be affected.

Firstly the DNS servers you use can decide on their own what to
return to you. Normally it's expected that a resolver is going to
return everything that is in the DNS zone for the query you made,
but some DNS servers (both authoritative and resolver) do decide to
give you filtered results which may for example exclude AAAA
records. No AAAA records, no possibility of an IPv6 connection.

Secondly, your application that gets a list of answers (A and AAAA
records) might do something special. It is after all free to do
whatever it is programmed to do. The most common example of this is
"Happy Eyeballs", where (simply put) web browsers connect to BOTH A
and AAAA and use whichever works first.

Thirdly, if no special handling is in use then your operating
system chooses which address to use. There's an RFC for that, and
all of that is configured in /etc/gai.conf on Debian. The default
behaviour is to try IPv6 first.

So, DNS tools like "host" will not answer this question for you
because that is only showing you the first part. That's enough to
show you what your options are, but your app might use those options
in a way you weren't expecting. Some apps might not even support
IPv6. For most apps /etc/gai.conf controls this.

You mentioned in another email that you had to alter gai.conf to
make IPv6 be preferred. That is unusual as it is not the expected
default behaviour.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

[Tim Woodall]

On Tue, 28 Mar 2023, Andy Smith wrote:

> Thirdly, if no special handling is in use then your operating
> system chooses which address to use. There's an RFC for that, and
> all of that is configured in /etc/gai.conf on Debian. The default
> behaviour is to try IPv6 first.
>

The default differs from RFC 3484

See the comment in gai.conf

If you are using ULA then ipv4 will be chosen in preference.

> I have configured an ipv6 tunnel.

The op doesn't say how this is configured but ULAs often appear around
tunnels.

uncomment the first five lines here to do what RFC3484 suggests.
#label ::1/128 0
#label ::/0 1
#label 2002::/16 2
#label ::/96 3
#label ::ffff:0:0/96 4
#label fec0::/10 5
#label fc00::/7 6
#label 2001:0::/32 7

Tim