
Disable IPv6 DNS

Hello

Since the last few revisions (I think December onwards), my network loses DNS connectivity every few minutes randomly. There is no loss of network, I just lose DNS lookup, making all browsers crap out at "No Internet". This resolves itself in 1-2 minutes.

I think I have traced it down to a poor DNS implementation - whatever I do, XG is replying with IPv6 DNS answers. Earlier, I remember, it was answering only IPv4 entries and all was OK.

I tried all configurations in DNS tab - 

DNS query configuration
Choose server based on incoming requests record type  
Choose IPv6 DNS server over IPv4  
Choose IPv4 DNS server over IPv6  
Choose IPv6 if request originator address is IPv6, else IPv4

But all result in IPv6 DNS still being handed out to clients. I think this is confusing clients and thus crapping out of internet randomly.

Eg-

Default Server: UnKnown
Address: 192.168.39.1

> cnn.com
Server: UnKnown
Address: 192.168.39.1

Non-authoritative answer:
Name: cnn.com
Addresses: 2a04:4e42::323
2a04:4e42:600::323
2a04:4e42:400::323
2a04:4e42:200::323
151.101.1.67
151.101.129.67
151.101.193.67
151.101.65.67

 

I DO NOT have IPv6 enabled anywhere in Sophos. It's not on in my PPPoE dial-up, it's not on any interface, it's not on in DHCP or any other hidden location. My network is pure IPv4. (Of course I cannot disable IPv6 in Windows clients.)

How to resolve this?

Thank you

nitin



  • Hello 

    Below are the screenshots. IPv6 is not clicked anywhere. I noticed the disconnects on DNS since 17.4, I think (the IPv6 answers), so XG engineers can check if this is a regression.

    And then I have the added problem of the bridge (which is useless in XG as it is just what the name says - a bridge of packets - and cannot be used to have VLAN or multi DHCP). But that is for a different discussion.

  • Hi Nitin,

    You added additional information that is missing from your original post. The device you use as your gateway for the bridge XG has IPv6 enabled and is passing over the results.

    If you test a site from the XG GUI diagnostics what do you see as the result?

    I don't use a bridge on my system and most certainly do not see any IPv6 traffic even with the external internal IPv6 enabled because I do not have any IPv6 rules or functions enabled on the internal networks.

    Ian

    I suspect you will need to submit a feature request, if one does not already exist, for VLANs on a bridge.

  • Hello

    Quote

    The device you use as your gateway for the bridge XG has IPv6 enabled and passing over the results.

    Unquote.

     

    XG is the gateway. XG is the dial-up (PPPoE) to the internet.

    XG = 192.168.39.1. Use DNS of My Provider.

    XG = DHCP Server, Leases with DNS = 192.168.39.1

    No - in Lookup on the diagnostics page, only IPv4 addresses appear. So, 192.168.39.1 (XG) is magically responding to clients with IPv6 DNS entries, even though IPv6 seems to be disabled all through.

    Can you please point out where I have enabled IPv6 (as quoted above)? If you mean that my provider is IPv6 enabled, I cannot do anything about it. I just want IPv6 out of my network.

    Is it because XG does not have a DNS server built in (Oh xxx, it does not have VLAN, it does not have DNS, it does not have NTP, it does not have proper DHCP....), it just copies the response from my ISP and hands it over to clients without even thinking what is being replied?

    But again - my PPPoE is not IPv6 enabled.

  • Next trick, try a tracert from a PC to an IPv6 address and see where it goes and at the same time have the log viewer open to see which rule is allowing the traffic.

    Ian

  • As an update on this issue - the network seems stable after I disabled the advanced threat.

    Thank you for the replies.

    My next step is to remove the bridge without losing the configuration (as the bridge implementation is half-baked in XG).