IPv6 DNS issues in 23.1.8?

Started by Zoltrix, May 28, 2023, 05:42:47 AM

Thanks for all your help and insights.

With test-ipv6.com I always get a full 10/10 (was always the case and still is with 23.1.8).

Will try to update to 23.1.8 once more and then see whether MTU/MSS makes a difference (but would this be expected on an update like 23.1.7_3 -> 23.1.8?).

I doubt the Pi-hole is the issue here. I have had it running for years, and as mentioned, it resolves A and AAAA, listening on both IPv4 and IPv6, just fine.

DNS resolution has also become very unstable for me after upgrading to 23.1.8. Using Unbound and Cloudflare as upstream DNS.

I've been running dual stack IPv4/IPv6 on my current ISP with no issues for more than half a year, and nothing seems to have changed on their side.

Looking at Smokeping, resolving test.test on unbound from my local network, I see a huge difference after upgrading to 23.1.8. Spikes going over 800ms and even some timeouts. Internal latency is <0.7 ms.

DNS resolution from my wired laptop is now fairly consistently > 40ms (even for cached results), and before the upgrade it was < 1ms for cached results.

I used to have 20/20 on ipv6-test.com, but now various tests time-out (inconsistent between refreshes) so I end up somewhere between 10/20 and 18/20.

I'll try to downgrade to 23.1.7_3 to see if it helps.

Quote from: squarky on May 30, 2023, 10:50:25 AM
DNS resolution has also become very unstable for me after upgrading to 23.1.8. Using Unbound and Cloudflare as upstream DNS.

I've been running dual stack IPv4/IPv6 on my current ISP with no issues for more than half a year, and nothing seems to have changed on their side.

Looking at Smokeping, resolving test.test on unbound from my local network, I see a huge difference after upgrading to 23.1.8. Spikes going over 800ms and even some timeouts. Internal latency is <0.7 ms.

DNS resolution from my wired laptop is now fairly consistently > 40ms (even for cached results), and before the upgrade it was < 1ms for cached results.

I used to have 20/20 on ipv6-test.com, but now various tests time-out (inconsistent between refreshes) so I end up somewhere between 10/20 and 18/20.

I'll try to downgrade to 23.1.7_3 to see if it helps.
I have the same problem with 23.1.7_3.
I advise going back to 23.1.6; most people have tested this.
DEC4240 – OPNsense Owner

Quote from: Julien on May 30, 2023, 11:15:59 AM
I have the same problem with 23.1.7_3.
I advise going back to 23.1.6; most people have tested this.

Thanks for the tip. I actually just disabled IPv6 (as it's not critical for me for the moment, and I have to get some work done) and everything is now working like a charm. DNS resolution is back down to ~1ms for locally cached results (and 4ms for results fetched from Cloudflare's cache).

I applied the patch mentioned in https://forum.opnsense.org/index.php?topic=34241.msg165713#msg165713 and it fixed some issues, but not the DNS lookup issue.

I'm still confused what DNS changes have come with 23.1.8.
Yesterday I had slow DNS lookups too, but as far as I know Google public DNS servers had a few problems in Germany from 10 pm until 11 pm (local time zone: UTC+2).

Quote from: squarky on May 30, 2023, 11:58:05 AM
Quote from: Julien on May 30, 2023, 11:15:59 AM
I have the same problem with 23.1.7_3.
I advise going back to 23.1.6; most people have tested this.

Thanks for the tip. I actually just disabled IPv6 (as it's not critical for me for the moment, and I have to get some work done) and everything is now working like a charm. DNS resolution is back down to ~1ms for locally cached results (and 4ms for results fetched from Cloudflare's cache).

I applied the patch mentioned in https://forum.opnsense.org/index.php?topic=34241.msg165713#msg165713 and it fixed some issues, but not the DNS lookup issue.

When you say you disabled IPv6, do you mean going to Firewall: Settings: Advanced and unchecking IPv6?
On the page you provided I don't see a patch; which one do you mean?
DEC4240 – OPNsense Owner

Today 23.1.9 has been released with further IPv6 improvements. Maybe it solves your problem?

Quote from: Cyberturtle on May 31, 2023, 09:22:07 PM
Today 23.1.9 has been released with further IPv6 improvements. Maybe it solves your problem?

While it now seems to work again for GNU/Linux and Windows clients, my wife's iPhone is still unusable with 23.1.9 on Wifi.

I now took a look and the iPhone is correctly connected to Wifi, but says "No internet connection".

I checked the settings and they all look perfectly fine.

I think I'll revert back to 23.1.7_3 once more in order to see whether the iPhone reports some different setting in there.

I noticed that the iPhone reports "router" as the IPv4 LAN address of the OPNsense *and* the link-local IPv6 address as well. My Android phone only reports the IPv4 LAN address of the OPNsense as gateway. The Windows client also has IPv4 LAN and link-local IPv6 of OPNsense as gateway - and works.

But this indicates rather a gateway issue than a DNS issue now ...

June 01, 2023, 04:00:25 PM #23 Last Edit: June 01, 2023, 04:49:11 PM by Cyberturtle
Which Access Points do you use? My iPhone is working perfectly fine with 23.1.9. It also reports link local IPv6 address as router and the IPv6 address of the DNS at the DNS section.
TP-Link APs do not handle IPv6 correctly and are blocking some IPv6 traffic, for example (especially on Apple devices). Had this in the past and switched to UniFi because of this.
Android only supports SLAAC, whereas Apple supports DHCPv6 and SLAAC (can be important if DNS servers are pushed via DHCPv6).

"Sorry" to say, but UniFi UAP-HD and UAP-Pro here.

Hm, perhaps I should try NOT pushing the IPv6 DNS via DHCPv6 then ...

Do you have any multicast enhancement or IGMP snooping enabled? With recent iOS changes this can lead to issues with UniFi as well. I have turned off any enhancements. Only plain WiFi for private and guest.
Just an idea.

"Enable multicast enhancement (IGMPv3)" in UniFi is NOT turned on.

I'm using only SLAAC in unmanaged mode and my iPhone is setting the correct DNS IPv6 server of the router itself. So it's worth a try to disable sending DNS info via DHCPv6.

Ok, what I actually did to (hopefully) fix it:

I had previously entered the ULA IPv6 of the OPNsense that I have configured via Virtual IP in the DHCPv6 DNS servers to hand out.

Now I removed that setting and left "DNS servers" in the DHCPv6 configuration empty, thinking that then *no* IPv6 DNS server will be handed out, but instead the global IPv6 from WAN interface tracking is handed out via DHCPv6 to the clients.

But this works!

So, my assumption for now: Dnsmasq did not listen on the Virtual IP. In the Dnsmasq settings I have only two of my network interfaces selected, but there is no way to additionally select the Virtual IP.

My explanation cannot be the reason because with

root@opnsense:~ # ps auwx | grep dnsmasq

I do see the Virtual IP on the LAN interface listed on the command line as --listen-address=fd01:... so perhaps iOS just does not like that ...