Controls for IPv4/IPv6 nameserver usage for internal DNS #6223
Conversation
|
Hmmm. Some of the DNS related tests seem either flakey or like they are interleaving in a way that is doing bad things to the shared resolver. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
|
After changing the default to use IPv4 Only nameservers the errors in the tests run as part of the github actions have gone away. However, I do not fully understand the errors so I can't say for sure that this fixed the issue and that we didn't just get lucky this time. It seems like when the resolver chooses IPv6 in the tests in the gh action runner it times out instead of returning a If this is the case though, how did we not run into this issue before? |
jmwample
force-pushed
the
jmwample/dns-ns-v4v6
branch
from
d3ba010 to
5cda17f
Compare
In the VPN client there are settings specifically intended to control how the library interacts with the IPv6 network stack. This is because some platforms do weird things and actually throw errors if IPv6 is used, so preventing the client from attempting IPv6 can be important in some cases.
This is a challenge with the custom DNS resolver as the hickory-resolver crate that we use provides no controls to indicate that an outgoing lookup should use only IPv4 nameservers or only IPv6 (or both).
Also there is an issue of randomness even when IPv6 doesn’t cause explicit problems where the resolver selecting nameservers to do a resolution could select IPv6 nameservers (because they are configured) even when the IPv6 network will be unreachable - i.e. the networking stack supports IPv6 but the device isn’t connection with an IPv6 address.
Solution
Add controls to allow a configuration change that prevents hickory from using IPv6 nameservers.
When IPv6 is disabled, Hickory must not use IPv6 resolvers.
See NET-713
This change is