2

One of my domains (let's say hackedd.nl) has a catch-all CNAME record pointing to hackedd.nl, which has both A and AAAA records. This all seems to work fine.

However, if the `/etc/resolv.conf` file on my server has a line specifying `search hackedd.nl`, the resolver seems to prefer the IPv6 CNAME over an actual IPv4 A reply for servers that don't have an IPv6 address. For example:

```
curl -vsI http://security.ubuntu.com/ >/dev/null
* About to connect() to security.ubuntu.com port 80 (#0)
*   Trying 2a02:2770::21a:4aff:fecb:a0f8... connected
```

Where 2a02:2770::21a:4aff:fecb:a0f8 is the server's own IPv6 Address...

Is there any way to make the resolver try IPv4 before trying the search list?

hackedd
  • Welcome to the whole reason that [RFC4592](http://tools.ietf.org/html/rfc4592) was written. The DNS is working as designed, and your search list has nothing whatsoever to do with it, except insofar as a wildcard on a search list domain is *always* going to end in tears. – womble Jul 12 '12 at 03:32

1 Answer

8

This is working as designed.

Preferring IPv6 over IPv4 is the default configuration for most computers. To use IPv4 instead of IPv6, the computer must be specifically set up for this (varies by OS).

If you want specific hostnames to be inaccessible via IPv6, then you'll have to remove the wildcard CNAME and use records only for the specific hosts you want to be accessible via IPv6.

Michael Hampton
  • I realize that it's working as designed, and having a wildcard CNAME in my search list is probably not a good idea anyway, but I was wondering if there is any way to try IPv4 before trying the search list... – hackedd Jul 12 '12 at 08:45
  • No, there really isn't. As @womble said, having a wildcard on your domain, when that domain is in your `search` list, is always going to cause trouble. I had this configuration once, long ago, and ended up removing the search domain from `/etc/resolv.conf`. I didn't really need it there after all. – Michael Hampton Jul 12 '12 at 14:47
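
A check for the configuration discussed above, as an added example that is not part of the original question or answers: it reads the `search`/`domain` lines of a resolv.conf and reports every search domain that answers for a random, never-registered label, which is the sign of a wildcard record. The function names, the probe label and the sample resolv.conf are assumptions made for this illustration; the IPv6 address in the sample is the one quoted in the question.

```python
import secrets
import socket


def search_domains(resolv_conf_text):
    """Return the effective search list; as in glibc, the last search/domain line wins."""
    domains = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        fields = line.split()
        if fields[0] == "search" and len(fields) > 1:
            domains = fields[1:]
        elif fields[0] == "domain" and len(fields) > 1:
            domains = fields[1:2]
    return [d.rstrip(".").lower() for d in domains]


def system_resolve(fqdn):
    """Resolve an absolute name (trailing dot, so the search list is not applied)."""
    try:
        infos = socket.getaddrinfo(fqdn + ".", None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def wildcard_search_domains(resolv_conf_text, resolve=system_resolve):
    """Map each search domain that answers for a random label to the addresses it returned."""
    findings = {}
    for domain in search_domains(resolv_conf_text):
        probe = "wildcard-probe-" + secrets.token_hex(8) + "." + domain
        addresses = resolve(probe)
        if addresses:  # a random label should not exist unless a wildcard matches it
            findings[domain] = sorted(addresses)
    return findings


if __name__ == "__main__":
    # Constructed sample: a resolv.conf like the one in the question and a stub
    # resolver that mimics the wildcard CNAME. For a live check, pass the contents
    # of /etc/resolv.conf and leave `resolve` at its default.
    SAMPLE = "nameserver 192.0.2.53\nsearch hackedd.nl\n"
    stub = lambda n: {"2a02:2770::21a:4aff:fecb:a0f8"} if n.endswith(".hackedd.nl") else set()
    print(wildcard_search_domains(SAMPLE, resolve=stub))
```

Any domain this reports will answer for lookups that fall through to the search list, so either the wildcard or the `search` entry has to go, as the answer says.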