RE: forced to execute DNS64
Sorry. I made mistake. /29 prefix is good work. My dns is use expired cache before update cache. (below 600 TTL is expired cache.) Thanks. [root@DNS_STG:/root] $ dig @::1 m.facebook.com ; <<>> DiG 9.9.9-P3_NLIA_NS_160928 <<>> @::1 m.facebook.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27452 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;m.facebook.com.IN ;; ANSWER SECTION: m.facebook.com. 600 IN 2a03:2880:f115:83:face:b00c:0:25de ;; Query time: 0 msec ;; SERVER: ::1#53(::1) ;; WHEN: Wed Oct 12 08:21:39 KST 2016 ;; MSG SIZE rcvd: 60 > -Original Message- > From: Mark Andrews [mailto:ma...@isc.org] > Sent: Wednesday, October 12, 2016 8:47 AM > To: 이석문/ICT Solution팀 > Cc: bind-users@lists.isc.org > Subject: Re: forced to execute DNS64 > > > I don't understand why you are saying "But /29 prefix is not work." > FaceBook is 2a03:2880::/29 and the acl code should handle this. > > Mark > > [rock:~/git/bind9/xx] marka% whois -r 2a03:2880:: > % This is the RIPE Database query service. > % The objects are in RPSL format. > % > % The RIPE Database is subject to Terms and Conditions. > % See http://www.ripe.net/db/support/db-terms-conditions.pdf > > % Note: this output has been filtered. > % To receive output for a database update, use the "-B" flag. > > % Information related to '2a03:2880::/29' > > % Abuse contact for '2a03:2880::/29' is 'dom...@fb.com' > > inet6num: 2a03:2880::/29 > netname:IE-FACEBOOK-201100822 > country:IE > org:ORG-FIL7-RIPE > admin-c:RD4299-RIPE > tech-c: RD4299-RIPE > status: ALLOCATED-BY-RIR > mnt-by: RIPE-NCC-HM-MNT > mnt-lower: fb-neteng > mnt-routes: fb-neteng > created:2015-09-24T12:59:37Z > last-modified: 2016-04-14T10:48:51Z > source: RIPE # Filtered > > In message <0171a9ab70c54918ab355dc66dda3...@skt-tnetpmx2.skt.ad>, LEE > SUKMOON > writes: > > Thank you. > > > > Your advice is very well done. Thank you again. > > But /29 prefix is not work. /32 prefix is good work. > > > > > > dns64 64:ff9b::/96 { > > clients { acl_ipv6; ::1; }; > > exclude { > > 2a03:2880::/32; // Facebook > > }; > > }; > > > > root@DNS_STG:/root $ dig @::1 m.facebook.com +short > > star-mini.c10r.facebook.com. > > 64:ff9b::1f0d:4423 > > root@DNS_STG:/root $ dig @::1 m.facebook.com +short > > star-mini.c10r.facebook.com. > > 64:ff9b::1f0d:4423 > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forced to execute DNS64
I don't understand why you are saying "But /29 prefix is not work." FaceBook is 2a03:2880::/29 and the acl code should handle this. Mark [rock:~/git/bind9/xx] marka% whois -r 2a03:2880:: % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '2a03:2880::/29' % Abuse contact for '2a03:2880::/29' is 'dom...@fb.com' inet6num: 2a03:2880::/29 netname:IE-FACEBOOK-201100822 country:IE org:ORG-FIL7-RIPE admin-c:RD4299-RIPE tech-c: RD4299-RIPE status: ALLOCATED-BY-RIR mnt-by: RIPE-NCC-HM-MNT mnt-lower: fb-neteng mnt-routes: fb-neteng created:2015-09-24T12:59:37Z last-modified: 2016-04-14T10:48:51Z source: RIPE # Filtered In message <0171a9ab70c54918ab355dc66dda3...@skt-tnetpmx2.skt.ad>, LEE SUKMOON writes: > Thank you. > > Your advice is very well done. Thank you again. > But /29 prefix is not work. /32 prefix is good work. > > > dns64 64:ff9b::/96 { > clients { acl_ipv6; ::1; }; > exclude { > 2a03:2880::/32; // Facebook > }; > }; > > root@DNS_STG:/root $ dig @::1 m.facebook.com +short > star-mini.c10r.facebook.com. > 64:ff9b::1f0d:4423 > root@DNS_STG:/root $ dig @::1 m.facebook.com +short > star-mini.c10r.facebook.com. > 64:ff9b::1f0d:4423 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: forced to execute DNS64
Thank you. Your advice is very well done. Thank you again. But /29 prefix is not work. /32 prefix is good work. dns64 64:ff9b::/96 { clients { acl_ipv6; ::1; }; exclude { 2a03:2880::/32; // Facebook }; }; [root@DNS_STG:/root] $ dig @::1 m.facebook.com +short star-mini.c10r.facebook.com. 64:ff9b::1f0d:4423 [root@DNS_STG:/root] $ dig @::1 m.facebook.com +short star-mini.c10r.facebook.com. 64:ff9b::1f0d:4423 > -Original Message- > From: Mark Andrews [mailto:ma...@isc.org] > Sent: Wednesday, October 12, 2016 7:04 AM > To: 이석문/ICT Solution팀 > Cc: bind-users@lists.isc.org > Subject: Re: forced to execute DNS64 > > > Exclude Facebook's IPv6 range. > > dns64 { >exclude { > :::0:0/96; // mapped addresses > 2a03:2880::/29; // Facebook >}; > }; > > In message <389ab5475d0a441a9cc175f0326e5...@skt-tnetpmx2.skt.ad>, LEE > SUKMOON > writes: > > > > Thanks for reply. > > > > But a client's network is ipv6 network. > > Client obtains a ipv6 address. Then client connect to global ipv6 > > address over oversea. > > But client obtains a ipv4 address(DNS64 translated ipv6 address). > > Then client connect to NAT64, and connect to local ipv4 service(ex: > CDN). > > > > I tried to modify a test code. This code works similar to what I think. > > Without modify program, similarly I wondered whether the operation is > > set to do so. > > > > Thanks. > > > > > > > > root@smlee:/root/isc $ diff -Nur bind-9.9.9-P3/ bind-9.9.9-P3-dns64/ > > diff -Nur bind-9.9.9-P3/bin/named/query.c > > bind-9.9.9-P3-dns64/bin/named/query.c > > --- bind-9.9.9-P3/bin/named/query.c 2016-09-09 11:47:21.0 > > +0900 > > +++ bind-9.9.9-P3-dns64/bin/named/query.c 2016-10-11 > > 16:41:14.741269111 +0900 > > @@ -6022,6 +6022,17 @@ > > client->query.dboptions, client->now, > > &node, fname, &cm, &ci, rdataset, > > sigrdataset); > > > > + if (type==dns_rdatatype_ && result==ISC_R_SUCCESS) { > > + char fbufDNS_NAME_FORMATSIZE = ""; > > + > > + if (fname != NULL) { > > + dns_name_format(fname, fbuf, sizeof(fbuf)); > > + if (strcmp("star-mini.c10r.facebook.com", > > fbuf)==0) { > > + result=DNS_R_NCACHENXRRSET; > > + } > > + } > > + } > > + > > resume: > > CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); > > > > root@smlee:/root/isc $ > > > > > > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > > +short > > 2a03:2880:f10b:83:face:b00c:0:25de > > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > > +short > > 64:ff9b::1f0d:4a24 > > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > > +short > > 64:ff9b::1f0d:4a24 > > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > > +short > > 64:ff9b::1f0d:4a24 > > > > > > > -Original Message- > > > From: Mark Andrews mailto:ma...@isc.org > > > Sent: Tuesday, October 11, 2016 2:14 PM > > > To: /ICT Solution > > > Cc: bind-users@lists.isc.org > > > Subject: Re: forced to execute DNS64 > > > > > > > > > DNS64 doesn't work like that. > > > > > > If you are having problems connecting over IPv6 contact your service > > > provider. Facebook treats IPv6 as a production service and will > > > deal with connectivity issues. > > > > > > If you want to force browsers to use IPv4 then send back RST to the > > > connection attempts to reach the facebook servers. They should fail > > over > > > to using IPv4. This should only require configuring the firewall on > > your > > > router appropriately. > > > > > > Mark > > > > > > In message , > > > LEE SUKMOON > > > writes: > > > > Hello, All. > > > > > > > > Many clients queries to IPv6(IN/) domain. > > > > But IPv6 network is so far, then slow then IPv4 network. > > > > > > > > I want to forced dns64 for special domain. > > > > > > > > Example, 'm.facebook.com' IN/ address is > > &g
Re: forced to execute DNS64
Exclude Facebook's IPv6 range. dns64 { exclude { :::0:0/96; // mapped addresses 2a03:2880::/29; // Facebook }; }; In message <389ab5475d0a441a9cc175f0326e5...@skt-tnetpmx2.skt.ad>, LEE SUKMOON writes: > > Thanks for reply. > > But a client's network is ipv6 network. > Client obtains a ipv6 address. Then client connect to global ipv6 address > over oversea. > But client obtains a ipv4 address(DNS64 translated ipv6 address). > Then client connect to NAT64, and connect to local ipv4 service(ex: CDN). > > I tried to modify a test code. This code works similar to what I think. > Without modify program, similarly I wondered whether the operation is set > to do so. > > Thanks. > > > > root@smlee:/root/isc $ diff -Nur bind-9.9.9-P3/ bind-9.9.9-P3-dns64/ > diff -Nur bind-9.9.9-P3/bin/named/query.c > bind-9.9.9-P3-dns64/bin/named/query.c > --- bind-9.9.9-P3/bin/named/query.c 2016-09-09 11:47:21.0 > +0900 > +++ bind-9.9.9-P3-dns64/bin/named/query.c 2016-10-11 > 16:41:14.741269111 +0900 > @@ -6022,6 +6022,17 @@ > client->query.dboptions, client->now, > &node, fname, &cm, &ci, rdataset, > sigrdataset); > > + if (type==dns_rdatatype_ && result==ISC_R_SUCCESS) { > + char fbufDNS_NAME_FORMATSIZE = ""; > + > + if (fname != NULL) { > + dns_name_format(fname, fbuf, sizeof(fbuf)); > + if (strcmp("star-mini.c10r.facebook.com", > fbuf)==0) { > + result=DNS_R_NCACHENXRRSET; > + } > + } > + } > + > resume: > CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); > > root@smlee:/root/isc $ > > > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > +short > 2a03:2880:f10b:83:face:b00c:0:25de > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > +short > 64:ff9b::1f0d:4a24 > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > +short > 64:ff9b::1f0d:4a24 > root@smlee:/root/isc $ dig @127.0.0.1 star-mini.c10r.facebook.com > +short > 64:ff9b::1f0d:4a24 > > > > -Original Message- > > From: Mark Andrews mailto:ma...@isc.org > > Sent: Tuesday, October 11, 2016 2:14 PM > > To: /ICT Solution > > Cc: bind-users@lists.isc.org > > Subject: Re: forced to execute DNS64 > > > > > > DNS64 doesn't work like that. > > > > If you are having problems connecting over IPv6 contact your service > > provider. Facebook treats IPv6 as a production service and will deal > > with connectivity issues. > > > > If you want to force browsers to use IPv4 then send back RST to the > > connection attempts to reach the facebook servers. They should fail > over > > to using IPv4. This should only require configuring the firewall on > your > > router appropriately. > > > > Mark > > > > In message , LEE > > SUKMOON > > writes: > > > Hello, All. > > > > > > Many clients queries to IPv6(IN/) domain. > > > But IPv6 network is so far, then slow then IPv4 network. > > > > > > I want to forced dns64 for special domain. > > > > > > Example, 'm.facebook.com' IN/ address is > > > '2a03:2880:f115:83:face:b00c:0:2 5de'. > > > But I don't want to use IPv6 address. So I want to use dns64 translate > > > addres s. > > > > > > m.facebook.com. 600 IN CNAME > star-mini.c10r.facebook > > > .com. > > > star-mini.c10r.facebook.com. 1351 IN > > 2a03:2880:f115:83:face: > > > b00c:0:25de > > > > > > Is it possible? Or should modify source? > > > Thanks. > > > > > > ___ > > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > > > unsubscribe from this list > > > > > > bind-users mailing list > > > bind-users@lists.isc.org > > > https://lists.isc.org/mailman/listinfo/bind-users > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: forced to execute DNS64
Thanks for reply. But a client's network is ipv6 network. Client obtains a ipv6 address. Then client connect to global ipv6 address over oversea. But client obtains a ipv4 address(DNS64 translated ipv6 address). Then client connect to NAT64, and connect to local ipv4 service(ex: CDN). I tried to modify a test code. This code works similar to what I think. Without modify program, similarly I wondered whether the operation is set to do so. Thanks. [root@smlee:/root/isc] $ diff -Nur bind-9.9.9-P3/ bind-9.9.9-P3-dns64/ diff -Nur bind-9.9.9-P3/bin/named/query.c bind-9.9.9-P3-dns64/bin/named/query.c --- bind-9.9.9-P3/bin/named/query.c 2016-09-09 11:47:21.0 +0900 +++ bind-9.9.9-P3-dns64/bin/named/query.c 2016-10-11 16:41:14.741269111 +0900 @@ -6022,6 +6022,17 @@ client->query.dboptions, client->now, &node, fname, &cm, &ci, rdataset, sigrdataset); + if (type==dns_rdatatype_ && result==ISC_R_SUCCESS) { + char fbuf[DNS_NAME_FORMATSIZE] = ""; + + if (fname != NULL) { + dns_name_format(fname, fbuf, sizeof(fbuf)); + if (strcmp("star-mini.c10r.facebook.com", fbuf)==0) { + result=DNS_R_NCACHENXRRSET; + } + } + } + resume: CTRACE(ISC_LOG_DEBUG(3), "query_find: resume"); [root@smlee:/root/isc] $ [root@smlee:/root/isc] $ dig @127.0.0.1 star-mini.c10r.facebook.com +short 2a03:2880:f10b:83:face:b00c:0:25de [root@smlee:/root/isc] $ dig @127.0.0.1 star-mini.c10r.facebook.com +short 64:ff9b::1f0d:4a24 [root@smlee:/root/isc] $ dig @127.0.0.1 star-mini.c10r.facebook.com +short 64:ff9b::1f0d:4a24 [root@smlee:/root/isc] $ dig @127.0.0.1 star-mini.c10r.facebook.com +short 64:ff9b::1f0d:4a24 > -Original Message- > From: Mark Andrews [mailto:ma...@isc.org] > Sent: Tuesday, October 11, 2016 2:14 PM > To: 이석문/ICT Solution팀 > Cc: bind-users@lists.isc.org > Subject: Re: forced to execute DNS64 > > > DNS64 doesn't work like that. > > If you are having problems connecting over IPv6 contact your service > provider. Facebook treats IPv6 as a production service and will deal > with connectivity issues. > > If you want to force browsers to use IPv4 then send back RST to the > connection attempts to reach the facebook servers. They should fail over > to using IPv4. This should only require configuring the firewall on your > router appropriately. > > Mark > > In message , LEE > SUKMOON > writes: > > Hello, All. > > > > Many clients queries to IPv6(IN/) domain. > > But IPv6 network is so far, then slow then IPv4 network. > > > > I want to forced dns64 for special domain. > > > > Example, 'm.facebook.com' IN/ address is > > '2a03:2880:f115:83:face:b00c:0:2 5de'. > > But I don't want to use IPv6 address. So I want to use dns64 translate > > addres s. > > > > m.facebook.com. 600 IN CNAME star-mini.c10r.facebook > > .com. > > star-mini.c10r.facebook.com. 1351 IN > 2a03:2880:f115:83:face: > > b00c:0:25de > > > > Is it possible? Or should modify source? > > Thanks. > > > > ___ > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > > unsubscribe from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: forced to execute DNS64
DNS64 doesn't work like that. If you are having problems connecting over IPv6 contact your service provider. Facebook treats IPv6 as a production service and will deal with connectivity issues. If you want to force browsers to use IPv4 then send back RST to the connection attempts to reach the facebook servers. They should fail over to using IPv4. This should only require configuring the firewall on your router appropriately. Mark In message , LEE SUKMOON writes: > Hello, All. > > Many clients queries to IPv6(IN/) domain. > But IPv6 network is so far, then slow then IPv4 network. > > I want to forced dns64 for special domain. > > Example, 'm.facebook.com' IN/ address is '2a03:2880:f115:83:face:b00c:0:2 > 5de'. > But I don't want to use IPv6 address. So I want to use dns64 translate addres > s. > > m.facebook.com. 600 IN CNAME star-mini.c10r.facebook > .com. > star-mini.c10r.facebook.com. 1351 IN2a03:2880:f115:83:face: > b00c:0:25de > > Is it possible? Or should modify source? > Thanks. > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users