On Thu, Nov 16, 2017 at 07:55:18PM +0000, Simon Slaytor wrote:
> Hi Folks,
>
> Long time Debian user and up until now I've not had to reach out for help as
> I've always found the answer after a short Google.
>
> I've recently made the move from 8.x to 9.2 for my production boxes and I'm
> having the mother of all DNS issues. My network is simple:
>
> My network
> 2 x Juniper SSG-140 (Active/Passive) HA 1xTrust 1xDMZ 1xUntrust interfaces
> IPv4 only IPv6 is not enabled.
> 2 x Netgear GSM724 Switches
>
> The Junipers do DNS proxying for the Trust and DMZ networks. Junipers are in
> NAT/Route mode.
>
> Sitting on the Trust network (172.16.11.0/24) are Debian 8.8 / 9.2 and
> Windoze 10 devices.
> Sitting in the DMZ network (192.168.102.0/24) are Debian 9.2 and CentOS 7
> devices
>
> My problem is this, after a vanilla 9.2 AMD 64 install DNS resolution 99
> times out of 100 fails unless I force IPv4 for example:
>
> xxxx@backup:~$ su
> Password:
> root@backup:/home/xxxx# cat /etc/resolv.conf
> domain abc.com
> search abc.com.
> nameserver 172.16.11.1
> root@backup:/home/xxxx# ip ad
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
> default qlen 1000
> link/ether ca:57:82:c2:51:ad brd ff:ff:ff:ff:ff:ff
> inet 172.16.11.22/24 brd 172.16.11.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::c857:82ff:fec2:51ad/64 scope link
> valid_lft forever preferred_lft forever
> root@backup:/home/xxxx# ping www.apple.com
> ping: www.apple.com: Temporary failure in name resolution
> root@backup:/home/xxxx# ping -4 www.apple.com
> PING e6858.dsce9.akamaiedge.net (2.18.170.28) 56(84) bytes of data.
> 64 bytes from 2.18.170.28: icmp_seq=1 ttl=50 time=19.3 ms
> 64 bytes from 2.18.170.28: icmp_seq=2 ttl=50 time=19.7 ms
> ^C
> --- e6858.dsce9.akamaiedge.net ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 19.311/19.508/19.705/0.197 ms
> root@backup:/home/xxxx#
>
> The above box is in the Trust network however the same result occurs if I
> use a host in the DMZ.
>
> If I however use a CentOS 7 box everything works as expected e.g.
>
> [root@loadbalancer ~]# cat /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 192.168.102.1
> [root@loadbalancer ~]# ip ad
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen
> 1000
> link/ether 22:e7:41:55:a6:9c brd ff:ff:ff:ff:ff:ff
> inet 192.168.102.10/24 brd 192.168.102.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::20e7:41ff:fe55:a69c/64 scope link
> valid_lft forever preferred_lft forever
> [root@loadbalancer ~]# ping www.apple.com
> PING e6858.dsce9.akamaiedge.net (2.20.214.243) 56(84) bytes of data.
> 64 bytes from 2.20.214.243 (2.20.214.243): icmp_seq=1 ttl=55 time=28.4 ms
> 64 bytes from 2.20.214.243 (2.20.214.243): icmp_seq=2 ttl=55 time=28.4 ms
> ^C
> --- e6858.dsce9.akamaiedge.net ping statistics ---
> 3 packets transmitted, 2 received, 33% packet loss, time 2002ms
> rtt min/avg/max/mdev = 28.453/28.456/28.459/0.003 ms
> [root@loadbalancer ~]
>
> Also Windoze 10 boxes running on the Trust network and Debian 8 boxes on
> both have no issues it's purely the 9.2 boxes.
>
> Any help would be much appreciated.

You can effectively disable IPv6 on a Debian box by editing
/etc/gai.conf and uncommenting the line:

precedence ::ffff:0:0/96 100

Does that make a difference for you?

-dsr-
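Added illustration (not part of either message, and not glibc's own code): a simplified Python model of the precedence lookup that /etc/gai.conf feeds into getaddrinfo() result ordering, showing how uncommenting that line moves IPv4 destinations ahead of IPv6 ones. The sample gai.conf text and the address 2001:db8::10 are constructed; glibc applies further RFC 3484 sorting rules that this sketch omits, and ranking an unmatched address at 0 is an assumption of the model.

```python
import ipaddress

# glibc's built-in table, used when gai.conf has no active precedence line.
GLIBC_DEFAULT = [("::1/128", 50), ("::/0", 40), ("2002::/16", 30),
                 ("::/96", 20), ("::ffff:0:0/96", 10)]

# Constructed sample: the precedence stanza of a stock gai.conf, all commented.
STOCK = """\
#precedence  ::1/128       50
#precedence  ::/0          40
#precedence  2002::/16     30
#precedence ::/96          20
#precedence ::ffff:0:0/96  10
#precedence ::ffff:0:0/96  100
"""
# The same file after uncommenting the line named in the reply.
EDITED = STOCK.replace("#precedence ::ffff:0:0/96  100",
                       "precedence ::ffff:0:0/96  100")

def parse_precedence(gai_conf_text):
    """Return [(IPv6Network, precedence)] for the table in effect."""
    active = []
    for raw in gai_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "precedence":
            active.append((fields[1], int(fields[2])))
    # Per gai.conf(5), one active precedence line replaces the default table.
    table = active or GLIBC_DEFAULT
    return [(ipaddress.IPv6Network(net), prec) for net, prec in table]

def precedence_of(addr, table):
    """Longest-prefix match; IPv4 is looked up as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    matches = [(net.prefixlen, prec) for net, prec in table if ip in net]
    # Assumption of this model: an address matching no entry ranks lowest.
    return max(matches)[1] if matches else 0

def order(addrs, gai_conf_text):
    """Sort candidate destinations, highest precedence first (stable)."""
    table = parse_precedence(gai_conf_text)
    return sorted(addrs, key=lambda a: -precedence_of(a, table))

if __name__ == "__main__":
    candidates = ["2001:db8::10", "2.18.170.28"]  # 2001:db8::10 is constructed
    print("stock :", order(candidates, STOCK))
    print("edited:", order(candidates, EDITED))
```

The precedence table only reorders the addresses getaddrinfo() returns, so comparing `getent ahosts` output before and after the edit on the affected host shows whether the change took effect.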