Is it possible to use one DNS server to get IPv4 addresses and another to get IPv6 addresses?

Hi,

I'm currently using one ISP for IPv4 access and another for IPv6. That means DNS results can differ depending on which network (IPv4 or IPv6) I use for DNS queries. Example:

PS C:\Users\Nined> nslookup download.microsoft.com 240c::6666
Server:  UnKnown
Address:  240c::6666

Non-authoritative answer:
Name:    zlxxipv6.v.lxcvc.com
Addresses:  2409:8c3c:3f00:2::1:42
          2409:8c20:5021:102::1:1b
          2409:8c3c:3f00:2::1:16
          2409:8c20:5021:102::1:13
          2409:8c3c:3f00:2::1:1e
          2409:8c20:5021:102::1:d
          112.25.62.133
          182.18.80.9
          182.18.80.7
          182.18.80.10
          36.156.38.121
          112.28.234.55
          112.28.224.53
          182.18.80.5
          182.18.80.8
          182.18.80.6
Aliases:  download.microsoft.com
          dlc-shim.trafficmanager.net
          download.microsoft.com.ccgslb.com.cn
          download.microsoft.com.lxcvc.com

PS C:\Users\Nined> nslookup download.microsoft.com 1.2.4.8
Server:  public1.sdns.cn
Address:  1.2.4.8

Non-authoritative answer:
Name:    zlxxipv6.v.lxcvc.com
Addresses:  2408:873c:b010:2001:1000:0:1:15
          2408:8719:5301::1:14
          2408:8726:9000:200:0:2:0:20e
          2408:873c:b010:2001:1000:0:1:14
          2408:8726:9000:200:0:2:0:20a
          2408:873c:b010:2001:1000:0:1:18
          121.22.231.17
          121.22.231.14
          121.22.231.15
          121.22.231.18
          121.22.231.16
          121.22.231.13
Aliases:  download.microsoft.com
          dlc-shim.trafficmanager.net
          download.microsoft.com.ccgslb.com.cn
          download.microsoft.com.lxcvc.com

Since downloading from CDN servers deployed on a different ISP's network can sometimes be really slow, I'm wondering if OpenWrt can be configured to use one DNS server to get IPv4 addresses and another to get IPv6 addresses. It would be something like this:

PS C:\Users\Nined> nslookup download.microsoft.com
Server:  [The router]
Address:  [IP address of the router]

Non-authoritative answer:
Name:    zlxxipv6.v.lxcvc.com
Addresses:  2409:8c3c:3f00:2::1:42
          2409:8c20:5021:102::1:1b
          2409:8c3c:3f00:2::1:16
          2409:8c20:5021:102::1:13
          2409:8c3c:3f00:2::1:1e
          2409:8c20:5021:102::1:d
          121.22.231.17
          121.22.231.14
          121.22.231.15
          121.22.231.18
          121.22.231.16
          121.22.231.13
Aliases:  download.microsoft.com
          dlc-shim.trafficmanager.net
          download.microsoft.com.ccgslb.com.cn
          download.microsoft.com.lxcvc.com

Any help would be appreciated. Thanks in advance.

I'm going to guess the answer is no. There might be something in dnsmasq man page http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

It would work if you also ensure each client is only delivered an IP (host IP, not DNS server) for its respective version...

I think he's talking about a dual stack lan but with two different providers one for each stack.


edit: response below based on false assumption clients would use one upstream connection only.

Indeed... you can't limit the (DNS) IPs delivered to the client (conventionally, i.e. with dnsmasq, although I'm not 100% on that)... the dual DNS servers are simply per-connection record keeping...

You can limit the hosts a client will connect to... either by issuing them one stack only... or by discarding the non-preferred stack at the router, either in the firewall or in the routing rules.

Edit: now that I think about it... routing should normally take care of most of that if, as the OP says, each upstream connection is one stack only... and adequate PBR / gateways etc. are in place per client.

I think the issue is this:

  1. ISP A is ipv4 only and has a DNS server DNSA
  2. ISP B is ipv6 only and has a DNS server DNSB

If you want to make an ipv4 connection, using addresses returned by DNSA results in better (closer) connections.

If you want to make an ipv6 connection, using addresses returned by DNSB results in better (closer) connections.

So ideally you ask for A and AAAA records, and it returns A records from DNSA and AAAA records from DNSB,

but I don't know how that would be possible.


Maybe like this picture:


I know you can ignore some reply types. For example:

# Answer AAAA queries for this domain (and subdomains) with an empty reply
address=/netflix.com/::
# Still forward the remaining queries (A etc.) for it to the normal upstream servers
server=/netflix.com/#

will return only IPv4 addresses. I don't know however if it can be generalized.
Another idea would be to mark somehow the queries based on the type, but I am not aware if there is such deep packet inspection available.


Another idea that might work well is to use a different DNS entirely. The Cloudflare system for example. Maybe it returns less customized and more generally applicable results?


Unfortunately in China, Cloudflare could only be worse...

Ping statistics for 2606:4700:4700::1111:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 260ms, Maximum = 262ms, Average = 261ms

Ping statistics for 1.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 280ms, Maximum = 281ms, Average = 280ms

Thanks for the advice. I will search if iptables or something like that can be used to "match" all AAAA queries sent to dnsmasq and then "hijack" them to some other DNS server.


Thanks again for your suggestion. After some searching, it turns out that iptables can do the trick.

I set up 2 new DNS forwarders on 127.0.0.1:5053 and 5054, the first one using IPv4 and the second one using IPv6.

Then I set dnsmasq to forward all (non-local) DNS requests to 127.0.0.1:5053, and used the following command to "hijack" all AAAA queries to 127.0.0.1:5054:

# nat OUTPUT chain: locally generated packets, i.e. dnsmasq's forwards to 127.0.0.1:5053.
# --from 40: skip the 20-byte IPv4 header, 8-byte UDP header and 12-byte DNS header,
#   so the byte search starts at the question's QNAME.
# |001c|: QTYPE 28 = AAAA, which directly follows the QNAME's terminating 0x00 byte.
iptables -t nat -A OUTPUT -p udp -d 127.0.0.1 --dport 5053 -m string --algo bm --from 40 --hex-string '|001c|' -j DNAT --to-destination 127.0.0.1:5054

(Matching pattern found here)

Perhaps it's not that elegant, but it works as intended (at least for now):

PS C:\Users\Nined> nslookup download.microsoft.com
Server:  KirimaSyaro.lan
Address:  fdf7:5ec3:9ce8::1

Non-authoritative answer:
Name:    zlxxipv6.v.lxcvc.com
Addresses:  2409:8c20:9c71:101::1:6
          2409:8c20:9c71:101::1:9
          2409:8c20:9c71:101::1:c
          2409:8c20:9c71:101::1:8
          2409:8c50:a00:2004::14
          2409:8c20:5021:102::2:10
          58.20.194.9
          58.20.194.14
          58.20.194.15
          58.20.194.17
          58.20.194.11
          58.20.194.18
          58.20.194.16
          58.20.194.10
          58.20.194.13
          58.20.194.12
Aliases:  download.microsoft.com
          dlc-shim.trafficmanager.net
          download.microsoft.com.ccgslb.com.cn
          download.microsoft.com.lxcvc.com

Cheers!

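To show why that string match singles out AAAA queries, here is an added Python example (not part of the thread, and not the poster's setup): it constructs IPv4/UDP DNS query packets in-file, applies the same byte search the iptables rule does (pattern 00 1c from offset 40 onward), and compares it with a real label-walking parse of the question's QTYPE. Offset 40 is 20 bytes of IPv4 header plus 8 of UDP plus 12 of DNS header, i.e. the first byte of the QNAME; QTYPE AAAA is 28 = 0x001c and sits right after the QNAME's terminating zero byte. Hostnames, packet sizes and the EDNS OPT record are all constructed here for illustration.

```python
"""Added example: kernel-style byte match vs. a real parse of the DNS QTYPE."""
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
MATCH_FROM = 20 + 8 + 12  # IPv4 + UDP + DNS header: where the QNAME starts (--from 40)


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels, ending with the root label (0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Construct an IPv4/UDP packet (127.0.0.1 -> 127.0.0.1:5053) carrying one DNS question."""
    arcount = 1 if edns else 0
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, QDCOUNT=1
    dns += encode_qname(name) + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS IN
    if edns:
        # OPT pseudo-RR: root name, type 41, UDP payload size 4096, TTL 0, RDLEN 0
        dns += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    udp = struct.pack("!HHHH", 54321, 5053, 8 + len(dns), 0) + dns  # checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return ip + udp


def string_match(packet: bytes, pattern: bytes = b"\x00\x1c", start: int = MATCH_FROM) -> bool:
    """What `-m string --from 40 --hex-string '|001c|'` does: a byte search to end of packet."""
    return packet.find(pattern, start) != -1


def parsed_qtype(packet: bytes) -> int:
    """Walk the question's labels and return its QTYPE; honours IPv4 IHL, unlike a fixed offset."""
    ihl = (packet[0] & 0x0F) * 4
    pos = ihl + 8 + 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:          # root label: QTYPE follows immediately
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside a question QNAME")
        pos += length
    return struct.unpack_from("!H", packet, pos)[0]


def classify(packet: bytes) -> dict:
    """Compare the kernel-style byte match with a real parse of the same packet."""
    return {"string_match": string_match(packet),
            "is_aaaa": parsed_qtype(packet) == QTYPE_AAAA}


if __name__ == "__main__":
    for name, qtype, edns in [("download.microsoft.com", QTYPE_A, False),
                              ("download.microsoft.com", QTYPE_AAAA, False),
                              ("download.microsoft.com", QTYPE_AAAA, True)]:
        print(name, qtype, "edns" if edns else "plain", classify(build_query(name, qtype, edns=edns)))
```

The byte search and the parser agree for ordinary hostname queries: a lone 0x00 can only occur in such a QNAME as the terminator, so the 00 1c pair inside the question can only be the AAAA QTYPE. The difference is in scope: the kernel match keeps scanning to the end of the packet, so any later bytes (EDNS options, additional records) are searched too, whereas the parser only looks at the question.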
