My IPv6 DNS AAAA-Resolver Bug Is A Feature – With A Fix

I’m quite advanced in my IPv6 adventures but there has been one thing that has been holding me back so far: The DNS resolver in my DSL router at home refuses to properly return the IPv6 address of my local server. Instead it doesn’t respond at all to this request. As a consequence my web browser waits for 10 seconds before it gives up and then falls back to the IPv4 address of the server, which was returned just fine. This had me baffled for a long time because all other DNS resolvers returned the IPv6 address just fine. Now it turned out that this is not a bug at all but a feature.

I spent hours trying to find out what the issue was and finally decided to file a bug report with AVM, the manufacturer of my Fritzbox DSL router at home. For a long time they were also not sure what was going on and they asked me several times to dump error logs and create packet traces. But finally they figured it out: It’s not a bug, it’s a feature called DNS Rebind Protection. Wikipedia has a great entry on DNS Rebind attacks so have a look for the details there.

Why Is This Only an IPv6 Problem?

So there we go, the DNS resolver in my router does not return the IPv6 address of my local server to protect against DNS rebind attacks. But why is this only done for the IPv6 address and not for the IPv4 address as well? The reason is that the IPv6 address is public and valid both inside my home network and outside on the Internet. The IPv4 address returned by the DNS server on the other hand is only valid on the Internet. In my local network the server is addressed via its local and non-routable IPv4 address. When I access my server from home, the DSL router translates the global IPv4 address of the server into the locally assigned IPv4 address because I’ve configured it to do so in the Network Address Translation (NAT) settings. In other words, the DNS server on the Internet does not return the local IPv4 address of my local server but its global IP address so no DNS rebinding protection is necessary at this point.

The Fix For IPv6

Fortunately, AVM did not only implement a DNS Rebinding Attack protection in the router but also foresaw the need to define exceptions based on individual domain names. And indeed, after putting my domain name into an exception list things worked like a charm. Wow, I’m stunned, that is a cool feature!

In principle an exception for DNS Rebinding Protection achieves the same for IPv6 as defining a NAT IPv4 port mapping and then translating internal requests to that port of the public IPv4 address to the local IPv4 address of the server.
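To make the two sections above concrete, here is a small model of what a rebind-protection filter in a home router does with the A and AAAA answers for the home server, and how a per-domain exception list changes the outcome. This is an added illustration, not AVM's code or the Fritzbox's actual algorithm: the local prefixes (a 192.168.178.0/24 LAN and a 2001:db8:1234:5600::/56 delegated prefix), the server name and all addresses are constructed sample values, the real router drops the request entirely rather than returning an empty answer, and suffix matching for exceptions is an assumption of this example.

```python
"""Toy model of a DNS rebind-protection filter (added illustration)."""
import ipaddress

# Constructed sample configuration: the RFC 1918 range the router hands out
# and the public IPv6 prefix delegated by the ISP (2001:db8::/32 is the
# documentation prefix, not a real assignment).
LOCAL_NETWORKS = (
    ipaddress.ip_network("192.168.178.0/24"),
    ipaddress.ip_network("2001:db8:1234:5600::/56"),
)

# Ranges a public DNS answer should never legitimately point at, regardless
# of what the router's own LAN looks like (classic rebinding targets).
NON_PUBLIC_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
))


def in_exception_list(qname, exceptions):
    """True if qname equals, or is a subdomain of, an excepted domain.

    Suffix matching (example.net also covers www.example.net) is an
    assumption of this example, not documented Fritzbox behaviour.
    """
    name = qname.rstrip(".").lower()
    for exc in exceptions:
        exc = exc.rstrip(".").lower()
        if name == exc or name.endswith("." + exc):
            return True
    return False


def filter_answer(qname, addresses, local_networks=LOCAL_NETWORKS, exceptions=()):
    """Apply rebind protection to the address records of one DNS answer.

    Returns (kept, dropped): addresses that may be handed to the client, and
    those withheld because they lie inside the home network or a non-public
    range while the queried name is not on the exception list.
    """
    if in_exception_list(qname, exceptions):
        return list(addresses), []
    kept, dropped = [], []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        # ipaddress returns False for a v4 address tested against a v6
        # network (and vice versa), so mixed lists are safe here.
        suspicious = (any(addr in net for net in local_networks)
                      or any(addr in net for net in NON_PUBLIC_NETWORKS))
        (dropped if suspicious else kept).append(text)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answers for the home server: the A record points at the
    # router's public IPv4 address (NAT maps it to the LAN host), while the
    # AAAA record falls inside the delegated prefix and is withheld until
    # the domain is added to the exception list.
    print(filter_answer("server.example.net", ["203.0.113.7"]))
    print(filter_answer("server.example.net", ["2001:db8:1234:5601::10"]))
    print(filter_answer("server.example.net", ["2001:db8:1234:5601::10"],
                        exceptions=["example.net"]))
    # A rebinding attempt against a LAN address is still dropped.
    print(filter_answer("evil.example.org", ["192.168.178.20"]))
```

Running the block shows the asymmetry from the post directly: the public IPv4 answer passes because it is not a local address, the IPv6 answer is withheld because the global IPv6 address is simultaneously a LAN address, and the exception list restores it for that one domain without loosening the filter for anything else.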

Perfect, with this final piece of the puzzle now in place I can finally give my production server at home an IPv6 address and use it from both inside and outside my home network!