System with static IP address started using IPv6 -> Firefox/wget: Server Not Found

Hi everyone

Small problem here, not sure what was causing it.
On my work machine I have a cable connection with a static IPv4 address.

Today I had a lot of “Server Not Found” errors when browsing new websites.
After pinging the websites for a while, they were magically found again.

I’ve observed this behavior in Firefox 47 and in wget.
Ubuntu MATE 16.04 LTS

I noticed in the terminal that wget attempted to connect using an IPv6 address, and was not falling back to an IPv4 address when that failed. I suspect Firefox was doing the same thing.
This is very weird.

I’m pretty sure my school’s network doesn’t even route IPv6.
Edit: I’ve now verified that our DNS server does not provide AAAA records (IPv6 records)

I have since set in my connections settings IPv6 to ignore (and rebooted - unrelated) and now everything appears to be running fine, but I don’t understand why there was no fallback to IPv4 lookup.

Anyone else experienced something like that?

Cheers

Something on the network is probably sending “poison icmp redirects”. Seen it before on spoofing attacks.

1 Like

I will read up on that. Thank you because I had no idea where to begin the investigation.

Hi @ouroumov,

have you tried setting IPv6 to "Ignore"?:

if it helps this is one of the first things I do on new install

Disable ipv6
sudo nano /etc/sysctl.conf

IPv6 disabled

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Restart sysctl.conf
sudo sysctl -p

in Grub

sudo nano /etc/default/grub
Change
GRUB_CMDLINE_LINUX=""
to
GRUB_CMDLINE_LINUX=“ipv6.disable=1”

sudo update-grub ( or/maybe )
sudo update-grub2

Not sure if you need both or just one or maybe just the Grub

1 Like

I have been seeing “telnet attacks” here. That is usually just a DoS type of attack but could have other consequences. Rate is about 1 per minute :sob:

Okay, this is starting to rub me the wrong way:

ouroumov@Bloc:~/Desktop$ wget https://ubuntu-mate.community/
--2016-07-26 08:52:56--  https://ubuntu-mate.community/
Resolving ubuntu-mate.community (ubuntu-mate.community)... 2400:cb00:2048:1::681c:1858, 2400:cb00:2048:1::681c:1958
Connecting to ubuntu-mate.community (ubuntu-mate.community)|2400:cb00:2048:1::681c:1858|:443... failed: Network is unreachable.
Connecting to ubuntu-mate.community (ubuntu-mate.community)|2400:cb00:2048:1::681c:1958|:443... failed: Network is unreachable.

ouroumov@Bloc:~/Desktop$ ping ubuntu-mate.community
PING ubuntu-mate.community (104.28.25.88) 56(84) bytes of data.
64 bytes from 104.28.25.88: icmp_seq=1 ttl=57 time=13.2 ms
64 bytes from 104.28.25.88: icmp_seq=2 ttl=57 time=13.2 ms
64 bytes from 104.28.25.88: icmp_seq=3 ttl=57 time=13.2 ms
64 bytes from 104.28.25.88: icmp_seq=4 ttl=57 time=13.3 ms

ouroumov@Bloc:~/Desktop$ dig ubuntu-mate.community

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ubuntu-mate.community
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28258
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 3843
;; QUESTION SECTION:
;ubuntu-mate.community.        IN    A

;; ANSWER SECTION:
ubuntu-mate.community.    186    IN    A    104.28.24.88
ubuntu-mate.community.    186    IN    A    104.28.25.88

;; AUTHORITY SECTION:
ubuntu-mate.community.    19682    IN    NS    duke.ns.cloudflare.com.
ubuntu-mate.community.    19682    IN    NS    lisa.ns.cloudflare.com.

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Jul 26 08:54:25 CEST 2016
;; MSG SIZE  rcvd: 137


ouroumov@Bloc:~/Desktop$ wget https://ubuntu-mate.community/
--2016-07-26 08:55:56--  https://ubuntu-mate.community/
Resolving ubuntu-mate.community (ubuntu-mate.community)... 2400:cb00:2048:1::681c:1858, 2400:cb00:2048:1::681c:1958
Connecting to ubuntu-mate.community (ubuntu-mate.community)|2400:cb00:2048:1::681c:1858|:443... failed: Network is unreachable.
Connecting to ubuntu-mate.community (ubuntu-mate.community)|2400:cb00:2048:1::681c:1958|:443... failed: Network is unreachable.

ouroumov@Bloc:~/Desktop$ wget https://ubuntu-mate.community/
--2016-07-26 08:57:56--  https://ubuntu-mate.community/
Resolving ubuntu-mate.community (ubuntu-mate.community)... 104.28.24.88, 104.28.25.88, 2400:cb00:2048:1::681c:1858, ...
Connecting to ubuntu-mate.community (ubuntu-mate.community)|104.28.24.88|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]  84,32K  --.-KB/s    in 0,03s   

2016-07-26 08:57:56 (2,43 MB/s) - ‘index.html’ saved [86342]

Note that I didn’t do anything between when it was failing and when it decided not to fail anymore.
I have Ipv6 set to “Ignore” in Network Connections.

I’m gonna follow @Blank’s advice and kill IPv6 in sysctl.conf it that continues.

@Dave_Barnes, to me it looks like one of those three options:

  • Some parts of the system are not hitting the DNS cache
  • DNS Cache is poisoned and PING is ignoring the DNS cache.
  • System is using IPv6 and refuses to fallback to IPv4 for some reason.

But the second option would be weird: why would the dig response from 127.0.1.1#53(127.0.1.1) be correct?

Did you try “Ignore” like I suggested?. :smiley:

Sure looks like DNS problem upstream. You DNS server (127.0.1.1) is getting IPv6 data from some upstream DNS server that is either spoofing or misconfigured.

It could even be a bug in dnsmasq. IPv6 support was added to dnsmasq somewhat recently – it could be buggy. You might want to try disabling or removing the dnsmasq junk.

The setting for dnsmasq is in /etc/NetworkManager/NetworkManager.conf – you just put a # in front of the “dns=dnsmasq” line. I also remove the “resolvconf” package as it seems to interfere with DNS somehow. YMMV. Unix ran fine for decades without dnsmasq and resolvconf so I can’t see why it is needed now.

If disabling IPv6 does not solve the problem then I would definitely look at the network with wireshark to see what is going on.

Check the DNS servers you are pointing to. That info used to be in /etc/resolv.conf but now with dnsmasq and resolvconf it is buried somewhere else :grimacing:

I used to have similar problems here. I gave up with my ISP and just use Google (8.8.8.8 and 8.8.4.4) DNS servers.

box99@user7:~$ dig @8.8.8.8 ubuntu-mate.community.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 ubuntu-mate.community.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2159
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ubuntu-mate.community.		IN	A

;; ANSWER SECTION:
ubuntu-mate.community.	271	IN	A	104.28.25.88
ubuntu-mate.community.	271	IN	A	104.28.24.88

;; Query time: 29 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 26 10:51:23 CDT 2016
;; MSG SIZE  rcvd: 82

Yes, I tried it. :] it had no effect.

So, update. The problem has now been worked around.

I changed two things:

  1. Killed IPv6 in sysctl.conf
  2. Added the school’s DNS server in “Network” settings

[1] was not enough by itself to solve my problem, firefox still could not find servers, though wget could.

[2] I suspect this is what helped here.
Yes, I mean “Network” settings, not “Network Connections” settings.
I had never used “Network” settings before.
It was weirdly set too:

  • DNS Server had just one entry: 127.0.1.1, and not the school’s DNS that are correctly set in “Network Connections” settings
  • Search Domains had my school’s domain, which it took from “Network Connections” settings

I don’t understand why one settings was mirrored there but not the other.

Next time I power-cycle, I will re-enable IPv6 and see if it breaks things again.

But no one else on the network is having host resolution issues, I’m the only one affected and we’re all in the same LAN.

Maybe this is what the “Network” settings is using?

1 Like

If resolvconf is managing the “Network Settings: DNS Servers” then I would expect it to revert back to 127.0.1.1 upon reboot. Normally, with resolvconf, the /etc/resolv.conf file is a link to /run/resolvconf/resolv.conf and contains only the entry for “server 127.0.1.1” and a warning not to modify.

I think you are seeing some of the same problems I saw with dnsmasq and resolvconf. That stuff was developed long after I retired so I don’t have a lot of good experience with them. The problems may go away when IPv4 is retired (if ever :slight_smile:).

Many years ago I wrote a bash script to do the steps I described above to remove dnsmasq and resolvconf for my Internet facing systems - routers/firewalls.

I tried all the above. none of it worked, with the exception of: “ipv6.disable=1”, which removes ipv6 from the stack.

What I found that works every time is to edit “/etc/gai.conf”, and allow “precedence ::ffff:0:0/96 100” by removing “#”.

I reported this on ubuntuforums .