Hi Dominik,

On 9/29/21 19:30, Dominik Derigs wrote:
> Hey Petr,
>
> On Wed, 2021-09-29 at 17:49 +0200, Petr Menšík wrote:
>> May I ask for your reason, why are you trying to explicitly block IPv6 in
>> year 2021?
> I asked the very same question when we received the reports about this bug
> with the different allocated memory sizes that was fixed two weeks ago. The
> answer I received from independent parties was always the same. In short:
>
> 1. No native IPv6 connectivity
> 2. Using some sort of VPN tunnel to get IPv6
> 3. Several services favor IPv6

Sure, this exactly is also my situation. We have some internal IPv6 connectivity at offices, but without global internet access. I do not have native IPv6 even at home.

But if I miss IPv6 route forward, I do not care if applications try to get IPv6 addresses. If default route is missing, any attempt of connection fails immediately. I don't know about any application which cannot handle such a situation. Okay, some applications may use -4 parameter to skip logging failed attempts, but they should work.

If I have some IPv6 connectivity but want to skip it for some services, I would understand that. Some subset only makes sense, like only for netflix domains or spotify domains. Slightly better than blocking their IPv6 ranges on firewall.

>
> These services (I saw Netflix, Spotify and other bigger names) mentioned
> that refuse to work because they think you want to cheat on their
> geo-fencing with your VPN. When they use Netflix over their native IPv4,
> everything works.

Ok, tunnels make geolocation hard. If they do not want to serve the content to uncertain countries, sure, there may be no better way than to disable AAAA queries for those services. Especially if their servers accept a connection from those addresses and respond with a REFUSED kind of error.

Is there a scenario where IPv6 communication over IP addresses should work but any names should not resolve? I could not find any.

>
> I was a bit surprised about this, but it does make sense.

You are correct. Until we have fully supported native connectivity, some filtering might help fixing broken services. Thanks for sharing your experience.

>
> Best
> Dominik

Cheers,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB