Problem and aim

We don't get IPv6 from our ISP thus I have an IPv6 tunnel which works fine but is, of course, not very fast. And not really reliable. I like to have IPv6 available "just in case" but I want certain hosts (domains) to be connected with IPv4 only.

Default protocol

It seems to me that all applications try IPv6 first; this is probably a glibc setting. I would be fine if this default would be reversed (for all applications).

Netfilter

It would be possible to block IPv6 addresses / networks with Netfilter but there are two problems:

  1. Would this cause a delay as the app waits for an IPv6 timeout before it tries IPv4?
  2. Some domains seem to be so mixed that it looks like chaos. Separating google.com and youtube.com seems like something you don't want to do if you can avoid it.

I just note that the man page for ip route says for the routing type unreachable:

The local senders get an EHOSTUNREACH error.

Does the same happen with Netfilter DROPs or REJECTs? Such an error should not cause a relevant delay.

DNS filtering

Another solution (rather easy one if that is possible) would be to filter AAAA records for certain domains. If that is not (easily) possible: Is it possible to connect the DNS server and Netfilter so that I know "IP address X belongs to domain Y" so that I can add it to Netfilter? Anything more elegant than logging everything and grepping the log?

The way to go?

Which (other) possibilities are there and what is the easiest?

Hauke Laging
    You really won't notice with anything that implements [Happy Eyeballs](https://en.wikipedia.org/wiki/Happy_Eyeballs) ([RFC 6555](http://tools.ietf.org/html/rfc6555)), such as modern web browsers. – Michael Hampton May 27 '13 at 21:15
  • DNS isn't really designed to work that way. In any event, you might try a more reliable tunnel service. – Michael Hampton Jun 06 '13 at 03:28

2 Answers

You can control address selection with /etc/gai.conf. The configuration file is well documented, and already contains the defaults, so you can just begin tweaking.

The interesting defaults here are:

```
label  ::1/128       0
label  ::/0          1
label  2002::/16     2
label  ::/96         3
label  ::ffff:0:0/96 4
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence  ::/96         20
precedence  ::ffff:0:0/96 10
```

The last line gives the lowest preference to all IPv4 addresses.

If you want to give a higher preference to all IPv4, you could change it to:

```
precedence  ::ffff:0:0/96 100
```

If you only wanted to give higher preference to specific IPv4 addresses or blocks, you can specify them as well. Remember that you have to use an IPv4-mapped IPv6 in hex.

So, to give preference to 203.0.113.0/24 over all IPv6, you would add:

```
label       ::ffff:cb00:7100/120 5
precedence  ::ffff:cb00:7100/120 100
```

Restart running applications to have them pick up changes you make.

On Debian derived systems, /etc/gai.conf is already present. On Red Hat derived systems, it is absent, but a sample file is located at /usr/share/doc/glibc-common-*/gai.conf; just copy it to /etc.

Michael Hampton
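As an added illustration (not part of the answer above or of glibc), the following script computes the IPv4-mapped hex prefix that gai.conf expects from an ordinary IPv4 CIDR and then applies the label/precedence tables quoted above to a pair of candidate destinations, so you can see the effect of the extra `precedence` line before editing the real file. It implements only the longest-prefix lookup and RFC 3484 rule 6 (prefer higher precedence); scope, label and source-address rules are deliberately left out, and the `2001:db8::1` and `203.0.113.10` addresses are constructed documentation values.

```python
import ipaddress
# The default label/precedence tables quoted in the answer (constructed copy).
DEFAULT_GAI_CONF = """
label  ::1/128       0
label  ::/0          1
label  2002::/16     2
label ::/96          3
label ::ffff:0:0/96  4
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20
precedence ::ffff:0:0/96  10
"""

def mapped_prefix(ipv4_cidr):
    """IPv4 CIDR -> IPv4-mapped IPv6 prefix in hex, as gai.conf wants it.
    203.0.113.0/24 becomes ::ffff:cb00:7100/120 (prefix length + 96)."""
    net = ipaddress.IPv4Network(ipv4_cidr, strict=False)
    v6 = ipaddress.IPv6Address((0xFFFF << 32) | int(net.network_address))
    return f"{v6}/{net.prefixlen + 96}"

def parse_gai_conf(text):
    """Collect label and precedence rules; comments and other keywords are skipped."""
    rules = {"label": [], "precedence": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] in rules:
            rules[fields[0]].append((ipaddress.IPv6Network(fields[1]), int(fields[2])))
    return rules

def lookup(table, addr):
    """Longest-prefix match, which is how glibc applies the tables."""
    return max((net.prefixlen, value) for net, value in table if addr in net)[1]

def as_ipv6(addr):
    """Represent an IPv4 literal as IPv4-mapped IPv6; IPv6 is returned unchanged."""
    ip = ipaddress.ip_address(addr)
    return ip if ip.version == 6 else ipaddress.IPv6Address((0xFFFF << 32) | int(ip))

def order_destinations(conf_text, candidates):
    """Sort candidate destinations by RFC 3484 rule 6 only (higher precedence first).
    The scope, label and source-address rules that precede it in the RFC are ignored."""
    precedence = parse_gai_conf(conf_text)["precedence"]
    return sorted(candidates, key=lambda c: -lookup(precedence, as_ipv6(c)))

if __name__ == "__main__":
    override = DEFAULT_GAI_CONF + f"precedence {mapped_prefix('203.0.113.0/24')} 100\n"
    print(order_destinations(DEFAULT_GAI_CONF, ["203.0.113.10", "2001:db8::1"]))
    print(order_destinations(override, ["203.0.113.10", "2001:db8::1"]))
```

With the default tables the IPv6 destination sorts first; with the added `precedence ::ffff:cb00:7100/120 100` line the IPv4 address in that block wins, which is exactly the change the answer describes.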

OK, here's a completely different answer.

Place the offending hosts with crappy IPv6 connectivity in /etc/hosts with their corresponding IPv4 address.

For example:

```
199.7.53.74 whois.verisign-grs.com
```

Remember to remove them when their (in this case) or your IPv6 connectivity improves.

Michael Hampton
    That would be easy for a single host with a single IP. As I mentioned this is about **.youtube.com. Thus a lot of host names are affected. In theory this would be easy with DNS: "Block AAAA records for everything in .youtube.com". Your approach would be to put all these addresses (probably they change neither their domain structure nor their IPs often and it would be OK to have a script check that every day) in `/etc/hosts`. If no one comes up with "DNS server software XY can filter this way!!" I'll probably end up with that. – Hauke Laging Jun 08 '13 at 23:52
  • I'm familiar with _almost every_ known DNS server package, and none do what you seem to want, easily or at all. Now if you want to write your own custom code...but the real solution of course is to improve your IPv6 connectivity. Try a different tunnel broker? – Michael Hampton Jun 08 '13 at 23:53