fix(network): suppress external AAAA when host IPv6 egress is unavailable#637
fix(network): suppress external AAAA when host IPv6 egress is unavailable#637mdsalnikov wants to merge 2 commits intosuperradcompany:mainfrom
Conversation
mdsalnikov
force-pushed
the
fix/607-filter-aaaa-without-ipv6-egress
branch
from
0875086 to
a0d02c6
Compare
| let probe_addr = Ipv6Addr::new(0x2606, 0x4700, 0x4700, 0, 0, 0, 0, 0x1111); | ||
| TcpStream::connect_timeout( | ||
| &SocketAddr::new(IpAddr::V6(probe_addr), 443), | ||
| Duration::from_millis(250), | ||
| ) | ||
| .is_ok() |
There was a problem hiding this comment.
hmm. opening a TCP connection here increases latency significantly. plus, it makes us dependent on cloudflare, which isn't something we want.
i really do think there's more to the bug than is. for sanity, can you try running the following on your host:
curl -6 -m 5 -s -o /dev/null -w '%{http_code}\n' https://[2606:4700:4700::1111]/trying to distill if this is some issue in our DNS interception layer, or somewhere else? if you're free, can you shoot me a message on discord so we can troubleshoot?
There was a problem hiding this comment.
curl -6 -m 5 -s -o /dev/null -w '%{http_code}\n' https://[2606:4700:4700::1111]/
000
There was a problem hiding this comment.
Replaced to 0x2001, 0x0db8, 0, 0, 0, 0, 0, 1 that is reserved specifically for documentation examples
And in this version it should be faster
Return DNS NODATA for external AAAA queries when the host cannot route IPv6, while preserving IPv4 fallback and internal host alias resolution.
mdsalnikov
force-pushed
the
fix/607-filter-aaaa-without-ipv6-egress
branch
from
a0d02c6 to
76a57b0
Compare
2 participants
Summary
Fixes #607
This PR prevents guests from receiving external AAAA DNS answers when the host cannot route external IPv6 traffic. In that case, the DNS forwarder now returns a successful NODATA response for external AAAA queries, allowing clients such as
httpx.AsyncClientto fall back to IPv4.The internal
host.microsandbox.internalAAAA response is preserved.Motivation
Async HTTP clients may attempt IPv6 connections when the guest receives AAAA records. On hosts without usable external IPv6 routing, those connections fail before the client reaches the working IPv4 path, causing errors such as:
httpx.RemoteProtocolError: Server disconnected without sending a responseSynchronous clients often avoid the issue by using IPv4 first, which is why the failure was client-dependent.
Changes
NoErrorand no answers when IPv6 egress is unavailable.host.microsandbox.internalAAAA behavior unchanged.Test Plan
cargo fmt --all --checkcargo build -p microsandbox-clicargo test --workspacecargo clippy --workspace -- -D warningscargo doc --workspace --no-depspre-commit run --all-filesno-commit-to-branch, because the local branch was protected.msb:requestsclient succeeds.httpx.AsyncClientclient succeeds.Need help on this PR? Tag
@codesmithwith what you need.