Friday, November 22, 2019

D'oH! no-IPv6-workaround trickery

I added a workaround to my harddns DoH project. Some browsers accept AAAA records and prefer them over A records, even when there is no IPv6 connectivity. Inside the NSS module, it is hard to distinguish these cases and its certainly not our task to check for IPv6 connectivity during DNS resolves. Therefore, I added a nss_aaaa config flag, which needs to be enabled if you want the NSS module to lookup AAAA records for certain gethostbyname() calls. Certain - because within various incarnations like gethostbyname2(), getaddrinfo() etc., some of these functions lead to NSS ‘backend’-functions which can make the case by checking an address-family parameter. Some functions can’t and will use the nss_aaaa helper flag from the harddns config. It is disabled by default, so if you use harddns via the NSS config, you need to enable it, if you have IPv6 connectivity and want to profit from it. The DoH proxy server works as before, since its just translating between DNS and DoH back and forth.