Frank DENIS random thoughts.

IPv6, DNS and Windows

IPv6 is 18 years old, and even though the shortage of IPv4 addresses is now real, its deployment is still far from complete, to say the least.

Still, there has recently been a lot of interest in it, especially since Comcast began assigning IPv6 addresses to its customers.

An unexpected effect of people getting IPv6 connectivity has been a massive increase in questions about accessing DNS resolvers over IPv6.

It turns out to be a Windows peculiarity.

Accessing a resolver over IPv4 or IPv6 doesn’t make a difference

DNS is often compared to a phonebook. A terrible analogy, since most young people have never seen a phonebook.

That said, a phonebook doesn't require having kids in order to look up nurseries, and the same applies to DNS.

The protocol used to reach a DNS resolver makes no difference to the questions the resolver can answer.

A DNS resolver accessed using its IPv4 address can return IPv6 (AAAA) records for any zone. A DNS resolver accessed over IPv6 can return IPv4 (A) records. It answers the questions it is asked, and the transport the client used to reach it plays no role at all.

So, why would you access OpenDNS, Google DNS, or any other DNS resolver using IPv6 instead of IPv4?

Maybe for testing. Or maybe just because you have IPv6 connectivity, so you want to use it.

Realistically, and although this is likely to change in the coming years, it's usually pointless, and often slower and less reliable than IPv4, which developers and operations teams still give a much higher priority today.

OpenDNS, for example, has limited IPv6 support. Filtering only works over IPv4 unless additional client-side software is installed.

Still, many people with a dual stack, and with filtering working fine on their IPv4 address, keep begging the company to support filtering when using the IPv6 resolver addresses.

Why don't they just use the IPv4 resolver addresses, which, once again, have no problem returning AAAA records (IPv6 addresses)?

This has been going on for years, and support had no answer besides saying that filtering over IPv6 hasn't been implemented yet.

A single instance of the DNSCrypt client proxy listens either on IPv4 or on IPv6 addresses. Why would you ever need both on the local network or on the local host? Still, many people said they absolutely needed both, because without an IPv6 resolver address, they apparently couldn't resolve names to IPv6 addresses.

Windows and DNS settings for IPv6

Windows has per-adapter network settings, and a different set of parameters for each protocol.

The Internet Protocol Version 4 (TCP/IPv4) preference pane can be used to enter one or more DNS resolvers to use in order to resolve IPv4 addresses.

The Internet Protocol Version 6 (TCP/IPv6) preference pane can be used to enter one or more DNS resolvers to use in order to resolve IPv6 addresses.

If you are used to other operating systems, having separate sets of DNS resolvers for IPv4 and IPv6 can come as a surprise.

So what? Enter the same DNS resolver IP addresses in both and everything should be fine, right?

Not exactly, and this is why so many people think they need to connect to DNS resolvers using their IPv6 addresses in addition to connecting to the very same resolvers using their IPv4 addresses.

In the TCP/IPv6 preference pane, the list of DNS server IP addresses is expected in IPv6 notation.

Entering 4.2.2.2 here is refused with a completely bogus error message: "The DNS server 4.2.2.2 is not a valid IP address". Dear Microsoft, last time I checked, 4.2.2.2 was a valid IP address.

Anyway. When IPv6 was specified, a way to embed IPv4 addresses in IPv6 addresses was specified along with it: IPv4-mapped IPv6 addresses (RFC 4291, section 2.5.5.2). I remember adding code to handle this in Pure-FTPd 15 years ago.

OpenBSD eventually removed support for IPv4-mapped IPv6 addresses (on purpose: an IPv6 socket there never accepts IPv4 traffic), but most operating systems have supported them ever since IPv6 support was introduced, and still do.

And Windows is no exception.

::FFFF:ipv4_address

is the standard representation of an IPv4 address as an IPv6 address (the same address can also be written with hex groups, e.g. ::FFFF:402:202 for 4.2.2.2, but the dotted form is the readable one).

Windows does not require IPv6 DNS resolver addresses in the TCP/IPv6 preference pane. It never did. It just insists on the IPv6 address notation.

So, if you want to use 4.2.2.2 as a resolver for both IPv4 and IPv6 lookups, Windows just expects you to enter it in the IPv6 preference pane as:

::FFFF:4.2.2.2

Done.
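As an added example (not code from the original post), here is a small Python script, using only the standard ipaddress module, that rewrites a list of resolvers into the two lists the Windows adapter settings want, and checks that each entry in the IPv6 list still points at the resolver you meant. The function names and the sample resolver list are mine; the addresses in the sample are just constructed input.

```python
import ipaddress

# IPv4-mapped IPv6 addresses live in ::ffff:0:0/96 (RFC 4291, section 2.5.5.2).
# a.b.c.d is written ::ffff:a.b.c.d, which is the same as ::ffff:aabb:ccdd in
# plain hex groups; Windows' TCP/IPv6 DNS list accepts this notation.


def _canonical(ip):
    """Plain IPv4 literal for IPv4 and IPv4-mapped inputs, else the IPv6 literal."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def to_v6_notation(addr):
    """Return addr written the way the TCP/IPv6 DNS server list expects.

    IPv4 literals (and already-mapped literals in either spelling) become
    ::ffff:a.b.c.d; real IPv6 literals are passed through normalized.
    Anything that is not an IP address at all raises ValueError, which is
    the only input that deserves "is not a valid IP address".
    """
    ip = ipaddress.ip_address(_canonical(ipaddress.ip_address(addr.strip())))
    if isinstance(ip, ipaddress.IPv4Address):
        return "::ffff:%s" % ip
    return str(ip)


def from_v6_notation(addr):
    """Inverse check: which resolver does an IPv6-notation entry really name?

    Accepts both spellings of a mapped address (::ffff:4.2.2.2 and
    ::ffff:402:202) and returns the plain IPv4 literal; raises ValueError
    for a bare IPv4 literal, i.e. the case the Windows pane refuses.
    """
    return _canonical(ipaddress.IPv6Address(addr.strip()))


def windows_dns_lists(resolvers):
    """Split the resolvers you actually want into the two per-adapter lists.

    The TCP/IPv4 list can only hold IPv4 literals, so IPv6-only resolvers are
    left out of it. The TCP/IPv6 list gets every resolver in IPv6 notation,
    so a single IPv4-only resolver (OpenDNS, a VPN's resolver, a dnscrypt
    proxy on 127.0.0.1) serves lookups made from both stacks.
    """
    v4_list, v6_list = [], []
    for r in resolvers:
        ip = ipaddress.ip_address(r.strip())
        if isinstance(ip, ipaddress.IPv4Address):
            v4_list.append(str(ip))
        v6_list.append(to_v6_notation(r))
    # Sanity check: every IPv6-notation entry must still name one of the inputs.
    wanted = {_canonical(ipaddress.ip_address(r.strip())) for r in resolvers}
    assert all(from_v6_notation(e) in wanted for e in v6_list)
    return v4_list, v6_list


if __name__ == "__main__":
    # Constructed sample: a local DNSCrypt proxy plus two OpenDNS resolvers,
    # all IPv4 only, which the post says is all you need.
    v4, v6 = windows_dns_lists(["127.0.0.1", "208.67.222.222", "208.67.220.220"])
    print("TCP/IPv4 pane:", ", ".join(v4))
    print("TCP/IPv6 pane:", ", ".join(v6))
    for entry in v6:
        print("%-22s -> %s" % (entry, from_v6_notation(entry)))
```

The two lists can be typed into the two preference panes by hand; on Windows 8 and later they could also be handed to the Set-DnsClientServerAddress cmdlet, on the assumption (not verified here) that it accepts the mapped notation just as the pane does. Running from_v6_notation on whatever is already in the IPv6 list is a quick way to confirm that an entry such as ::ffff:402:202 really is 4.2.2.2 and not a typo.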

OpenDNS filtering works even if you have IPv6 connectivity. It always did.

You don't need two DNSCrypt instances, one listening on ::1 and one on 127.0.0.1; one is enough.

You can use any public or private DNS resolvers and still browse your favorite web sites over your brand new IPv6 connection, even if these resolvers don't have an IPv6 address.

You don't need obscure tricks to prevent "DNS leaks" from IPv6 lookups when using a VPN: enter the VPN's IPv4 resolver addresses, in ::FFFF: notation, in the IPv6 preference pane and you'll be fine.

The requirement for IPv6 DNS resolver addresses in order to use IPv6 on Windows is a 15-year-old myth, born of a bogus error message.