Closed Bug 68796 Opened 24 years ago Closed 21 years ago

IPv6 : Some IPv4 addresses won't resolve w/IPv6 OS

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.7beta

People

(Reporter: john, Assigned: lorenzo)

References

(
URL
)

Details

Attachments

(4 files, 11 obsolete files)

Test program gethost2.c
1.23 KB, text/plain
Details
v2 patch
14.53 KB, patch
lorenzo
: review+
Details | Diff | Splinter Review
same as above, but with clearer comments
815 bytes, patch
darin.moz
: review+
Details | Diff | Splinter Review
Fix missing "
679 bytes, patch
darin.moz
: review+
darin.moz
: superreview+
Details | Diff | Splinter Review
When IPv6 is enabled in the kernel (and in the DNS machine, and named is compiled against the IPv6-enabled kernel), some hostnames won't resolve for Mozilla, though all other programs resolve them fine. news.bbc.co.uk is one of them as is, delightfully, ad.doubleclick.net. But the vast majority of other hostnames resolve just fine. What's interesting is that when I type "host news.bbc.co.uk" into a terminal, thus causing named to look it up correctly, and then immediately ask Mozilla to browse there, it finds it without trouble. But a minute or two later, and Mozilla can't find it again. Is this a named bug, glibc bug, or a Mozilla issue? A strace of named shows that, in the failure case, named *is* returning the correct IP address of the host, but the browser/resolver library disregards this, and asks for the hostname with ".localdomain" tacked on the end, as per my local setup. But after a successful lookup from the "host" command, the correct IP address is received and the browser goes to the right page. Anyone else seeing this?
Hmmm this sounds like a glibc probem. Are you having this problem with other applications as well or Just Mozilla? What build are you using?
Latest I've tried it with is 2001021321 with glibc-2.2.1 but I'll get another nightly tonight and test that. I'm not having this problem with any other applications (yet).
Still not working with nightly 2001021809. It is only a *very* few hostnames that won't resolve. So far, I have only found non-resolvable names within the BBC domain (bbc.co.uk and bbc.net.uk) and doubleclick.net.
Very odd...what happens when you try and ping them etc? maybe can we capture the dns lookup that is going on (with snort or something). Its odd it only occurs on those sites..
Mozilla differs from other applications by (on Linux) calling gethostbyname2(name, AF_INET6) instead of gethostbyname(). If that call returns NULL, it will then try gethostbyname2(name, AF_INET). This would seem to be a problem with the DNS subsystem. Perhaps the name servers for these destinations have IPv6 addresses which are not reachable from your network?
I have a guess: NSCD daemon is running and it is caching things. If it gets a "soft" lookup failure, it appears to present those to gethostbyname*() function as HARD failures, which causes all kinds of merriment. I am pretty sure that (Linux) glibc 2.2(.1) nscd is borken, kill it, and things should work far better. To some degree this may also be a duplicate of bug #66872, but perhaps not..
Relieving tever of IPv6 related QA.
QA Contact: tever → benc
setting bug status to New
setting bug status to New
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → mozilla1.0
It looks like a bug of mozilla. I am using mozilla0.9.5 on RH Linux7.2, which uses ipv6 net utils. When ipv6 is enabled in the kernel, some addresses (in my case http://www.yomiuri.co.jp;Japanese site) have troubles. At least ncftp has no problems with ipv6 addresses and ncftp has a trouble when login to ftp.iij.ad.jp if ipv6 is disabled. So glibc doesn't matter(I use glibc-2.2.4-19). DNS service looks working fine for ipv6 addresses.
check to see what addresses are returned. I'm not so IPv6literate, but I think there is some nslookup version that shows the new address record type.
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 (you can query for this string to delete spam or retrieve the list of bugs I've moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
*** Bug 114276 has been marked as a duplicate of this bug. ***
Sorry for late response. I checked ip addresses returned by dig. For ex, "dig www.6bone.net aaaa" returns: --snip-- ..... ;; ANSWER SECTION: www.6bone.net. 43047 IN CNAME 6bone.net. 6bone.net. 43047 IN AAAA 3ffe:b00:c18:1::10 ...... --snip-- but "dig www.yomiuri.co.jp aaaa" doesn't return an IPv6 ip address. So I guess glibc is working fine. Actually some IPv6 pages work fine.
Please check to see if any of the *name servers* used in resolving the DNS request have IPv6 addresses. Please check to see if these addresses are reachable.
*** Bug 134215 has been marked as a duplicate of this bug. ***
I have the same problem. Using FreeBSD 4.5 - Mozilla 0.9.9. --------------------------------- bash-2.05a$ nslookup news.bbc.co.uk Server: cedar.ukc.ac.uk Address: 129.12.21.8 Non-authoritative answer: Name: newswww.bbc.net.uk Address: 212.58.226.40 Aliases: news.bbc.co.uk ------------------------- Can reach the site fine, and the first few (about 5) clicks to other pages on the site, after that i get the message "news.bbc.co.uk could not be found be check the address and try again". The GENERIC kernel for FreeBSD includes IP6 support.
Summary: Some addresses won't resolve with IPv6 in kernel → IPv6 : Some addresses won't resolve
Summary: IPv6 : Some addresses won't resolve → IPv6 : Some IPv4 addresses won't resolve w/IPv6 OS
For news.bbc.co.uk, at least, this was a problem with their DNS server, not with mozilla. As described on NANOG: http://www.merit.edu/mail.archives/nanog/2002-04/msg00562.html When IPv6 is enabled on the client machine, mozilla does a AAAA lookup first, and if there is none, does a lookup for the A record. Correct response for a name server if there is no AAAA record (but the domain exists) is to return NOERROR, with an empty reply. The BBC server returned NXDOMAIN (which was incorrect), and mozilla exhibited correct behaviour by assuming that the domain did not exist. (I don't know if this was mozilla's behaviour, or that of some library that was doing the lookups; either way the client was not at fault). Bug has since been fixed by the BBC and the site is now reachable just fine in v6 land. On the users@ipv6.org list, it was reported that the BBC use custom DNS software based on lbnamed - http://www.stanford.edu/~riepel/lbnamed/ - and they reckon that it's that package that has the bug.
I think the same behavior described by the poster in Comment 18 is happening with ad.doubleclick.net, except it is returning SERVFAIL instead of NXDOMAIN on queries. Example: pkw@voldemort:~/ > dig ad.doubleclick.net. aaaa ; <<>> DiG 9.2.0 <<>> ad.doubleclick.net. aaaa ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13327 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;ad.doubleclick.net. IN AAAA ;; ANSWER SECTION: ad.doubleclick.net. 46 IN CNAME gd25.doubleclick.net. ;; Query time: 6053 msec ;; SERVER: 9.53.159.2#53(9.53.159.2) ;; WHEN: Thu May 9 17:23:25 2002 ;; MSG SIZE rcvd: 55
I found that PR_GetIPNodeByName(PR_AF_INET6, PR_AI_ADDRCONFIG) is not implemented correctly on platforms that use gethostbyname2. Currently, AIX, FreeBSD, Linux, and NetBSD are using gethostbyname2. I filed bug 144886 about this PR_GetIPNodeByName bug and attached a patch. Please test that patch (attachment 83810 [details] [diff] [review]). Note that that patch only avoids the problem on hosts that only have IPv4 source addresses configured (which is the common case). If your host has IPv6 source addresses configured, I suspect that that patch won't help.
This test program calls gethostbyname2(AF_INET6). You can run it with various host names and see it succeeds (for example, www.6bone.net) or fails (most hosts don't have IPv6 addresses). In particular, run gethost2 ad.doubleclick.net This blocks for a long time and then fails. On Red Hat Linux 7.1 (spd13.mcom.com), it fails with error code 2 (TRY_AGAIN). On AIX 4.3.3 (spd12.mcom.com), it fails with error code 1 (HOST_NOT_FOUND).
Target Milestone: mozilla1.0.1 → Future
For ad.doubleclick.net, the load-balancing nameserver responds to MX or AAAA queries by returning a response with an empty question section. This violates RFC 1034 and causes the intermediate nameserver to be unable to correlate the answer with the query.
*** Bug 128898 has been marked as a duplicate of this bug. ***
*** Bug 148362 has been marked as a duplicate of this bug. ***
You can work around these DNS lookup problems on IPv4-only hosts by implementing the _pr_QueryNetIfs function in mozilla/nsprpub/pr/src/misc/prnetdb.c. Right now that function is only implemented for AIX. For FreeBSD (and possibly NetBSD and OpenBSD too) that function can be easily implemented with the getifaddrs(3) function.
moving neeti's futured bugs for triaging.
Assignee: neeti → new-network-bugs
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5b) Gecko/20030914 Mac OS X 10.2.6 (IPv6 ready) I've struggled with this bug since bug 205726 (DNS rewrite) was checked in. Some websites like www.gva.be have become much slower, probably because getaddrinfo is now used instead of gethostbyname. I've noticed that most problematic websites were using *.doubleclick.net , which is ofcourse is a high-profile website, since it provides a large portion of all ads in the world. To see the difference, compare the output of the following 2 statements : host -d -t a ad.doubleclick.net (or nslookup -type=a ad.doubleclick.net) host -d -t aaaa ad.doubleclick.net (or nslookup -type=aaaa ad.doubleclick.net) Workaround is to use a proxy-server of my ISP, which isn't using IPv6 yet. Note that image-blocking is helping too, if you have that particular server in your blockinglist.
Wouldn't it be possible to query for the AAAA and the A records in parallel (not serially), and use the first one that responds ? It affects any website that uses *.doubleclick.net, for example : http://www.theregister.co.uk/
Assigned the bug to Darin.
Assignee: new-network-bugs → darin
About the suggestion to look up A and AAAA records in parallel - my colleagues at the ISP where I work have some experience with resolver libraries out there that in the past have exhibited this behaviour. It's not fatal, and will work, but it's quite difficult to work with. In particular it introduces some non-determinism to the lookup process. Bugs become a lot harder to diagnose and fix as reproducing them is a hassle, especially when it's not clear if a particular problem might be an IPv6-only or IPv4-only. This would build resolver functionality into the client. Again not fatal in itself, but it's redundant with all that that entails - system administrator can no longer make global changes to resolving behaviour as applications do their own thing. Also it is an ugly workaround where it would perhaps be preferable to continue to try to have the underlying problem fixed. A colleague suggests that if a workaround is necessary, it might be better to work with the library: call getaddrinfo with ai_family = AF_INET6 , but use alarm() or similar to enforce a short timeout, and then do the AF_INET lookup.
*** Bug 219512 has been marked as a duplicate of this bug. ***
Wan-Teh, comment #25 is no longer relevant to Mozilla, correct? From my reading of current NSPR code, if a native getaddrinfo() function can't be found, PR_GetAddrInfoByName() falls back to an IPv4-only DNS lookup. This problem is limited to machines with at least one configured IPv6 interface, is it not?
Comment #25 is no longer relevant to Mozilla. Comment #25 is concerned with PR_GetIPNodeByName, and Mozilla is no longer using that function.
Confirmed this problem on Mac OS. BTW, an old Japanese document shows a sample code without using AF_INET like as follows. http://playground.iijlab.net/iij.news/4.html int s; struct addrinfo hints, *res, *res0; memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; getaddrinfo("www.kame.net", "http", &hints, &res0); for (res = res0; res; res = res->ai_next) { s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (connect(s, res->ai_addr, res->ai_addrlen) < 0) { close(s); continue; } break; } freeaddrinfo(res0);
This affects Camino on Mac OS X 10.2. See bug 219512, bug 223221. Severity to major. Resetting OS (it was Linux), target milestone, and hardware. Another site this makes effectively impossible to browse in Camino: scifi.com (that should motivate people ;-) You don't need to use the attachment to test this... on Mac OS X 10.2.8 I get the following output: [simons-tibook2:~] woodside% time host ad.doubleclick.net ad.doubleclick.net is a nickname for gd18.doubleclick.net gd18.doubleclick.net has address 206.65.183.95 0.000u 0.000s 0:40.14 0.0% 0+0k 2+0io 0pf+0w Check out the wall clock time: 40 seconds!
Severity: normal → major
OS: Linux → All
Hardware: PC → All
Target Milestone: Future → ---
I don't understand. This is a bug in doubleclick's DNS servers. What do you think mozilla should do, except turn off IPv6 support?
End users don't really care whose bug it is. All they know is Mozilla family of browsers are now the only ones with this problem. What's more, the previous versions of Mozilla did not have it. This all comes down to who the software is for. The developer, or the users. I would choose the later.
Stephen, Simon: before adding workarounds we should make sure that doubleclick has been contacted. Note that this also occurs on Windows (except the timeout is 15 seconds) if IPv6 is turned on, including IE (since it's not bug in the client). So can you try and contact doubleclick about this? Another thing: are the people who see the bug using IPv6 (even having an IPv6 address counts)?
Simon, another thing: does OS X support the AI_ADDRCONFIG flag? "man getaddrinfo" should tell you, I think.
I've written twice to doubleclick.net in september, but I didn't get any response. I don't have the developer tools installed here, but Apple's manpage at http://developer.apple.com/documentation/Darwin/Reference/ManPages/html/getaddrinfo.3.html doesn't mention AI_ADDRCONFIG at all. But the flag is mentioned on another page, in http://developer.apple.com/documentation/Darwin/Reference/ManPages/html/freehostent.3.html .
I never turned IPv6 on, it must be on by default in OS X 10.2.8 (test: can you see the dancing kame ? http://www.kame.net/kame-mosaic.html )
IPv6 is turned on by default since 10.2 I think (I'm running Mac OS X 10.2.8). Panther provides some GUI-controls for IPv6, but Jaguar doesn't have them yet. I can see IPv6 mentioned in the reports of netstat and ifconfig, and I can query for AAA-records (ofcourse), but my ADSL-provider doesn't supports IPv6 yet. So I can visit www.kame.net and see the dancing turtle, but only in the low-res version (IPv4).
Regarding comment #40, that's funny. The man pages say that getipnodebyname supports the AI_ADDRCONFIG flag (and will not query for AAAA records unless the system has at least one IPv6 address), but getaddrinfo does not. But on the other hand getaddrinfo supports scoped addresses, but getipnodebyname does not. This is strange, because getipnodebyname is deprecated in favour of getaddrinfo (RFC 3493). Someone with OS X and the include files, can you double check that AI_ADDRCONFIG is not defined? Look for it near AI_NUMERICHOST and friends, it should be in netdb.h I think. We should check on both 10.2 and Panther. Since it's not clear to me what benefit scoped addresses have for a browser, a partial workaround for this could be to use getipnodebyname on OS X, i.e. implement PR_GetAddrInfoByName using PR_GetIPNodeByName. This would probably also fix bug 222031. wtc? darin? However, I can't do this, I don't have a mac (too expensive :)).
Another thing: does Panther suffer from this problem too? How long does % host ad.doubleclick.net take on 10.3?
URL: http://news.bbc.co.uk/http://ad.doubleclick.net/
this problem occurs also on FreeBSD 5.1-RELEASE (IPv6 enabled by default). it takes about 80 seconds to http://ad.doubleclick.net/ with Mozilla CVS build. % time host ad.doubleclick.net ad.doubleclick.net is a nickname for gd13.doubleclick.net gd13.doubleclick.net has address 216.73.87.42 0.000u 0.006s 0:20.28 0.0% 0+0k 0+0io 0pf+0w
That's not a huge surprise since OS X and FreeBSD share the same networking stack ;-)
This also affect washingtonpost.com Lorenzo: AFAIK this is not a problem on 10.3. you wrote: > Since it's not clear to me what benefit scoped addresses have for a browser, a > partial workaround for this could be to use getipnodebyname on OS X, i.e. > implement PR_GetAddrInfoByName using PR_GetIPNodeByName. This would probably > also fix bug 222031. wtc? darin? Where in code would this be done? Can you post a patch that's a best guess and we can test it out and go from there?
No, it's not a surprise, since it doesn't depend on the client at all, but only on Doubleclick's DNS servers. :-)
On MacOS 10.3.1, with both Mozilla 1.5 and 1.6a, ad.doubleclick.net resolvs quickly. I have verified that AI_ADDRCONFIG is defined in netdb.h on MacOS 10.3.1 ifconfig reports the following. It would be helpful if people experiencing this problem on MacOS would run Terminal and report what ifconfig reports for them. lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16290 inet6 ::1 prefixlen 128 inet6 fe80::1 prefixlen 64 scopeid 0x1 inet 127.0.0.1 netmask 0xff000000 gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280 stf0: flags=0<> mtu 1280 en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 64.81.73.94 netmask 0xffffff00 broadcast 64.81.73.255 ether 00:03:93:43:9a:b6 media: autoselect (10baseT/UTP <half-duplex>) status: active supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 1000baseTX <full-duplex> 1000baseTX <full-duplex,hw-loopback> 1000baseTX <full-duplex,flow-control> 1000baseTX <full-duplex,flow-control,hw-loopback> fw0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 2030 tunnel inet --> lladdr 00:03:93:ff:fe:43:9a:b6 media: autoselect <full-duplex> status: inactive supported media: autoselect <full-duplex>
On Mac OS X 10.2.8 (Jaguar), while connected to a PPPoE connection (IPv4 only) over the en0 interface. The IPv6 address was auto-selected, not given by PPPoE or DHCP. That's why I have an IPv6 address, but it leads to nowhere (only local traffic, not routed over PPPoE). ====== ifconfig ====== lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 inet 127.0.0.1 netmask 0xff000000 gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280 stf0: flags=0<> mtu 1280 en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 tunnel inet --> inet6 fe80::20a:27ff:fed6:491a%en0 prefixlen 64 scopeid 0x4 ether 00:0a:27:d6:49:1a media: autoselect (10baseT/UTP <half-duplex>) status: active supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492 inet 213.177.159.135 --> 213.177.159.129 netmask 0xffffff00 ====== netstat -rn ====== Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 213.177.159.129 UGSc 5 1 ppp0 127.0.0.1 127.0.0.1 UH 7 7598 lo0 213.177.159.129 213.177.159.135 UH 6 0 ppp0 Internet6: Destination Gateway Flags Netif Expire UH lo0 fe80::%lo0/64 Uc lo0 link#1 UHL lo0 fe80::%en0/64 link#4 UC en0 0:a:27:d6:49:1a UHL lo0 ff01::/32 U lo0 ff02::%lo0/32 UC lo0 ff02::%en0/32 link#4 UC en0 I'm planning to upgrade to Panther soon, but it's not urgent, so I can wait a few more months to help testing.
Flags: blocking1.6b?
Searching for AI_ADDRCONFIG in google, I came across a thread on the IPv6 working group where people were suggesting that link-local addresses shouldn't count for AI_ADDRCONFIG. This makes a lot of sense to me. The other solution (which Panther seems to have taken) is to not autoconfigure link-local addresses. So unless we get information to the contrary, there is a bug against MacOS 10.2 which has been fixed in MacOS 10.3. Do we have any instances of this problem on platforms where NSPR and not the OS is doing the interface-configured check? We could file a bug against NSPR to ignore link-local addresses in the addrconfig checks it implements itself.
*** Bug 226240 has been marked as a duplicate of this bug. ***
wtc, what do you think about the suggestion in comment #30? It looks like the only way to support IPv6 on Mac and FreeBSD which have really long resolver timeouts.
Note that bug 222031 has now disabled IPv6 support on versions < 10.3. When I'm home tonight, I'll try to verify if this bug is fixed.
Today, it seems fixed for me : Build 2003112705 on Mac OS X 10.2.8 I tried build 2003112603 an hour ago, and it still had the error. I checked about a dozen links that I found in this bug and the bug that were duped against this one. Now I can upgrade to 10.3 :-)
Agreed in my build from cvs last night this seems to be fixed. :-)
Flags: blocking1.6b?
Was fixed a while ago, by the checkin of bug 222031. I have been surfing for a month without the problems that I encountered before. checked on Mac OS 10.2.8 with : Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7a) Gecko/20031229
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
This is not a Mac bug, and it has not been fixed. You're just not seeing it because IPv6 has been turned off in 10.2. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → ASSIGNED
I am suffering from this bug *a lot* running OS X 10.3.2 and Camino 2004011103. Especially ad.coudleclick.net. My question: Is there a workaround? Can I disable IPv6 in Panther, and if so how?
I disabled ipv6 this morning and hat - so far - no more problems. One way to disable it is in the Network Preference Pane. I did that few days ago but somehow it enabled itself again, so I had to disable it once more. Today I edited /etc/hostconfig and replace YES with NO in IPV6=. I guess a reboot is required to make that change active. I hope thats more "permanent". As said, I changed it today and didn't that much testing so far - no idea, whether this resolves it.
A workaround for those of you who want to keep IPv6: echo ::1 ad.doubleclick.net >> /etc/hosts for i in uk fr de it se dk ch; do echo ::1 $i.doubleclick.net >> /etc/hosts; done (add your own if you like) This will also block their ads and save you bandwidth. We can see this as a form of pressure on them to fix the bug in their DNS server. :)
I went with Lorenzo's suggestion, because I like the idea of giving them incentives to improve ;-) and it works fine. But why ::1? That's localhost in IPv6 lingo no? I used ::0 instead, which I assume corresponds to 0.0.0.0. Anyway, since this seems to be related to misconfigured DNS servers I would like to spread the word. Is there some kind of explanation/evangelism one could send to doubleclick clients, e.g. wired.com, telling them why their revenues is drying up because of this?
The explanation is that doubleclick's DNS servers are incorrectly failing to respond to DNS queries for AAAA records. Per the DNS standard, the servers are required to respond with a zero answer section to queries for extant domains which have no records of the type being queried. This nonconformance on the part of doubleclick causes users of IPv6-capable browsers to have to wait for the DNS query for IPv6 addresses to time out before failing over to the query for IPv4 addresses. Were doubleclick to conform to the DNS standard, this failover would be within milliseconds.
Sure, you and I know that. And presumably doubleclick too, but they don't do anything about it (three years have passed since this bug was reported...) My thought was that perhaps it would be smart to tell doubleclick's *clients* to put some pressure since they are losing money when I'm forced to block ads.
Technically, doubleclick use broken DNS server software that doesn't answer AAAA queries, or indeed anything other than A or MX queries. It should reply immediately with a packet saying that there are no records of the requested type. Sometimes it answers with a SERVFAIL after a minute or two, most of the time it doesn't answer at all.
As I understand it, the doubleclick DNS servers don't return SERVFAIL. It is intermediate, recursive DNS servers which return SERVFAIL when they time out waiting for the doubleclick DNS servers.
Actually, I've seen it from the doubleclick servers as well (a minute or more after the original query). But maybe that is due to load balancing. Most of the time they don't reply at all.
Attached patch Experimental workaround (obsolete) — Splinter Review
I'd appreciate if someone experiencing the problem could test this workaround patch.
Hmm, sounds like a good idea! It could catch most of the worst offenders at very low cost. This approach has already been used for pipelining, see: http://lxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpConnection.cpp#235 Maybe you could rewrite the patch so the code is something like that? Darin, what do you think of an explicit workaround like this?
Aside from needing to use PL_strcasecmp() instead of strcasecmp(), how would you want me to rewrite the patch? The matching needs to be aware of domain boundaries, so a strstr won't cut it. The remaining complexity is trying to optimize strlen() calls, one could reasonably argue that is an undesired microoptimization.
> sizeof(v6brokendomain)/sizeof(v6brokendomain[0]); there's NS_ARRAY_LENGTH for this purpose
Well, I'd kick the len element out of the structure and make brokendomains a string array. Optimizing strlen does not really make much sense IMO since you're talking about DNS queries, which are probably three orders of magnitude slower. And maybe instead of using an extra if(i < sizeof(v6brokendomain)/ ...) after the comparisons I would change the AF directly in the loop, like: int i, len, af = PR_AF_UNSPEC; for (i in domains) { if(domain matches) { af = AF_INET; break; } } ai = PR_GetAddrInfoByName(rec->host, af, PR_AI_ADDRCONFIG); #if defined(RES_RETRY_ON_FAILURE) if (!ai && rs.Reset()) ai = PR_GetAddrInfoByName(rec->host, af, PR_AI_ADDRCONFIG); #endif But of course these are nits (just make the code a little shorter and a little easier to read).
Comment on attachment 139590 [details] [diff] [review] Experimental workaround The NSPR change in this patch is fine by me. (We could also allow af == PR_AF_INET6.)
Attached patch Experimental workaround v2 (obsolete) — Splinter Review
Updated per review comments. I would appreciate it if someone who can reproduce the problem could give this a whirl. I will submit the NSPR portion of this patch as a separate bug.
Attachment #139590 - Attachment is obsolete: true
Depends on: 231786
I'm new in this community, so feel free to ignore my (ignorant?) input, but I find the idea of hard coding domain names almost repulsive. I think a better way would be to either a) let the user edit the list of domains b) maintain a dynamic list and when a timeout is detected add the offender to the list. What do you think? But, I'll test it for you anyway.
The v2 patch works for me (except for strange slowness/hangs on http://www.macosrumors.com on ad server resolution -- another candidate?). I am very satisfied with this workaround. I can leave Java enabled! OS: Tru64 unix V5.1B
Eyvind: you are right, hardcoding is not very elegant. But what can we do? This is a bug in doubleclick's DNS server software, and we can't do anything about that (people have tried to write to them, and nothing has happened). There will likely be similar bugs that affect other web sites, but I don't think it is a common enough feature that it would make sense to add UI for it. Maybe a hidden pref, which users can modify using about:config. That would make name resolution depend on preferences, but if this is not a problem, then maybe a hidden pref is the way to go. Other things that would work: 1. Disable IPv6. I personally am against this. 2. Try IPv4 first, then IPv4. Safari does this. I am also against this. If we don't start using it, IPv6 will never take off. :) 2. Start v6 and v4 DNS lookups in parallel and use the first one that comes back. Problem: introduces non-deterministic behaviour (never a good thing). 3. Set a timeout on IPv6 lookups. If the query takes too long, repeat it using IPv4. Problems: Difficult to find a good timeout (balance between the possibility of slow DNS servers and the of goal optimizing page loads); DNS lookups may take longer; (risk of non-deterministic behaviour). Possible improvement: do both queries at the same time and wait for v6 to complete (but wouldn't gain much).
Yes, a UI is probably overkill and an about:config thingy has the drawback that most users won't understand how to fiddle with it. How about my suggestion b)? Wouldn't that be a reasonable solution. Something like this: At installation, start with an empty list of ipv6-incompatible domains (the list is of course saved to disk between sessions) Before doing DNS lookup, check the list if domain name is in the list do ipv4 lookup else do ipv6 lookup if timeout add domain name to list do ipv4 lookup This could be combined with a background check once in a while to see if domains in the list now works with ipv6 This way you get a simple, flexible, automatic and (almost) deterministic scheme :-)
Attached patch Proposed workaround (obsolete) — Splinter Review
Attachment #139637 - Attachment is obsolete: true
Attachment #139684 - Flags: review?(darin)
I was thinking of writing some code to make this a hidden pref. Proposal: - A string pref which would hold a comma-separated (since comma is not a legal character in a DNS name) list of "broken for v6" domains. - The pref could be in all.js and be contain ".doubleclick.net" by default but people could add/change domains using about:config - The prefs would be read in nsDnsService::Init() with the others and passed to nsHostResolver::Create() I'm willing to code this. Suggestions? Darin, what do you say? Eyvind: I would not like a file because would it would mean adding another file to the distribution and reinventing the wheel to open it, read from it, write it at shutdown, etc. I think a pref is ok; after all, this is pretty advanced stuff.
Attached patch proof of concept patch (obsolete) — Splinter Review
Building on John's idea, here is a patch that uses a pref to store the domains for which all DNS lookups must be for IPv4 addresses. At the moment it only works for one hostname and leaks memory, but the pieces are there. It might also need a restart for the changes to take effect. Comments?
Attachment #139684 - Attachment is obsolete: true
Attachment #139684 - Flags: review?(darin)
Lorenzo, it looks very good. I'm happy it. Regarding your earlier comment. I'm not entirely sure what you meant with files and re-inventing the wheel. You could write to a preference, could you not? (it might be a bad idea, though?) I also think it's very important to have a good defalt preferences. Does anybody have a list? Otherwise even with this patch you will never be able to close this bug... I have found two domains other than doubleclick: (a.) tribalfusion.com (adserver1-images.) backbeatmedia.com
Attached patch patch v1 (obsolete) — Splinter Review
This one fixes the leaks and cleans up the code. It works for me. The name of the pref is network.dns.ipv4OnlyDomains and it is a comma-separated list of domains (actually substrings at the end of the host; it's not a true domain match) for which DNS lookups are for IPv4 addresses only. The pref can be set using about:config, but its default value is already ".doubleclick.net" so you shouldn't need to change it. :)
Attachment #139765 - Attachment is obsolete: true
Assignee: darin → lorenzo
Status: ASSIGNED → NEW
Taking
Status: NEW → ASSIGNED
Attached patch patch v1 with proper directories (obsolete) — Splinter Review
Same patch as before, except it has directories inside it and should actually apply.
Attachment #139857 - Attachment is obsolete: true
Attached patch patch that actually works (obsolete) — Splinter Review
Oops, previous patch wouldn't work. This one should.
Attachment #139861 - Attachment is obsolete: true
Comment on attachment 139867 [details] [diff] [review] patch that actually works I have tested this for a while, and it seems to work. Darin, can you review?
Attachment #139867 - Flags: review?(darin)
i think you need to protect against a race between nsDNSService::Shutdown and nsDNSService::GetAFForLookup. it looks like mIPv4OnlyDomains could be freed while another thread is inside GetAFForLookup. perhaps you need to acquire mLock inside GetAFForLookup before accessing mIPv4OnlyDomains.
Comment on attachment 139867 [details] [diff] [review] patch that actually works Hmm, I hadn't thought of that. Removing review request until I can look into it.
Attachment #139867 - Flags: review?(darin)
*** Bug 53967 has been marked as a duplicate of this bug. ***
I'm not the biggest fan of this proposed solution, but I'm not coming up with a lot of great ideas myself. Do we have an evangelism bug to doubleclick? And, isn't this a problem w/ that is being discussed in the IPv6 community? What about other browsers, how do they handle it? Perhaps it is also worth thinking about bug 96432, because I think many Mac OS X 10.3 users probably do not care about IPv6 right now. As for the list of sites, www.vanguard.com, and etrade.com were mentioned in some of the dupes.
This is definitely being discussed in the IPv6 community. A Google search found http://www.jinmei.org/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
> Do we have an evangelism bug to doubleclick? Comments in this bug and elsewhere seem to indicate that it is very hard to get in contact with doubleclick on this issue. Of course, if somebody else wants to try, go ahead... > What about other browsers, how do they handle it? Safari tries IPv4 first and IPv6 second. On Windows it's not a very big problem because the tiemouts are shorter. > I think many Mac OS X 10.3 users probably do not care about IPv6 right now. I think this is not the way forward. v6 actually does exist, at least in Europe and Asia if not in the US. Why cripple yourself by disabling v6 if you can work around the problem?
I have a contact at a big customer of DoubleClick which I haven't yet followed up with. If there's a procedure to get a communication as representing mozilla.org instead of as an individual, I'd appreciate someone directing me to it.
Attached patch patch with locking (obsolete) — Splinter Review
This patch turns GetAFForLookup into a critical section. This is sub-optimal, but it shouldn't have any real effect on performance since all GetAFForLookup does is scan through the pref string.
Attachment #139867 - Attachment is obsolete: true
Comment on attachment 140625 [details] [diff] [review] patch with locking Requesting review. Am I using the locks properly? Is more finely grained locking needed?
Attachment #140625 - Flags: review?(darin)
i think this patch should really share the code that lives in nsProtocolProxyService for implementing the "no_proxy_for" pref. that code has support for IP pattern matching as well as domain name matching. i'd really like to utilize that code if possible. i think there is still a race between getting the pref inside the Init method and the function that actually uses the pref. the right thing to do is probably to defer storing the string value until you can get inside the lock. that means, it would need to happen after the |firstTime| block in Init.
the other advantage of the no-proxy-for code is that it support port blocking as well. indeed, it might be the case that you want to use IPv6 only for some ports. i know that it is common for a IPv6 node to run mixed software (e.g., an IMAP server on IPv4 and a HTTP server on IPv6). sound good? if so, it should be fairly trivial to rip the host:port blocking code out of nsProtocolProxyService. we can make a helper class that lives in netwerk/base/src ... maybe call it nsHostPortFilter or something like that.
(In reply to comment #98) > the other advantage of the no-proxy-for code is that it support port blocking as > well. indeed, it might be the case that you want to use IPv6 only for some > ports. The normal failover-on-connect code should handle this. The client DNS lookup code is not an appropriate place to deal with this.
yeah, i agree with you... in fact, i was just about to post a comment similar to what you posted. i think it is probably best to keep this code focused on just blocking domains that are known to not handle DNS requests for AAAA records. so, i'm inclined to go with the current patch, provided we fix the race condition.
Attached patch patch with even more locking (obsolete) — Splinter Review
Ok, now all accesses to mIPv4OnlyDomains are behind mLock. This includes the destructor of nsDNSService, although I'm not sure this is necessary.
Attachment #140625 - Attachment is obsolete: true
Attachment #140625 - Flags: review?(darin) → review-
Attachment #140871 - Flags: review?(darin)
Another one seems to be mii.instacontent.net, as does vanguard.com. etrade.com seems to work though. Darin, have you had a chance to look at this patch yet?
see also bug 231607. it seems that OSX 10.3 does not support IPv6 very well in some cases...
*** Bug 231607 has been marked as a duplicate of this bug. ***
Since duplicate bug 231786 is blocking 1.7b, I could add the capability to disable IPv6 DNS lookups via pref as suggested in bug 231607 comment #18. This would help those with broken DNS servers. This could be done with a network.dns.disableIPv6 boolean pref (default false on all OSs). Darin, what do you think? Can we get this in in time for 1.7b?
*** Bug 232382 has been marked as a duplicate of this bug. ***
Another affected site seems to be allmusic.com: see bug 232382.
Like the previous patch, but adds the ability to turn IPv6 off via a hidden pref (mainly for Mac users with broken caching DNS servers).
Flags: blocking1.7b?
darin, are you ok with this line of patching, or would you prefer to see an entirely different mechanism? We need to get this resolved before beta so it can be tested.
The prefs introduced by this patch seem impossible to maintain. How can we know what domains we need to add to the prefs? How does this list get updated when new broken domains are found, or others are fixed? I'd rather see a patch that globally disables IPv6 lookups.
simon, the last patch (if i'm correct) allows for disabling ipv6 entirely in addition to a blacklist if the user wants ipv6 support enabled. am i mistaken?
*** Bug 230891 has been marked as a duplicate of this bug. ***
*** Bug 231118 has been marked as a duplicate of this bug. ***
OK, sounds fine. I didn't read the patch in sufficient detail.
(In reply to comment #111) > simon, the last patch (if i'm correct) allows for disabling ipv6 entirely in > addition to a blacklist if the user wants ipv6 support enabled. That is correct. The blacklist is meant for advanced users who have IPv6 turned on and know how to maintain the list (and just being able to put .doubleclick.net in the list will do a lot for these users). The other pref is meant mainly for Mac users, because on the Mac you can't turn off IPv6 except in the app, and if you have a broken DNS server you're hosed.
The blacklist is for normal users and is meant to default to a Mozilla-maintained list of the most problematic sites. The configurability of the list is just feature creep. The ability to disable IPv6 lookups is for people with broken local DNS servers which they're unwilling or unable to get fixed.
*** Bug 231607 has been marked as a duplicate of this bug. ***
Attached patch v2 patchSplinter Review
i revised the latest patch slightly. i decided to do this myself instead of posting my review comments in the bug. reason: 1.7 beta freeze is tomorrow, and i don't want this patch to miss the deadline. minor changes include: (1) cleaned up pref handling (2) make Init method enter lock before setting all member variables. this is now necessary since AsyncResolve/Resolve enter the lock twice. (3) revised GetAFForLookup so that we don't need to PromiseFlatCString before calling it. i also made it so that the host value must either exactly match (case insensitive) a domain in the list or it must be prefixed by a dot. i think this is reasonable since it doesn't make sense for foobar.com to match bar.com. Lorenzo: please review these changes, and let me know if you see anything out of wack. thanks!
Attachment #140871 - Attachment is obsolete: true
Attachment #142076 - Attachment is obsolete: true
Attachment #140871 - Flags: review?(darin)
Comment on attachment 143342 [details] [diff] [review] v2 patch Index: modules/libpref/src/init/all.js =================================================================== >+// The following prefs pertain to the negotiate-auth extension (see bug 17578), >+// which provides transparent Kerberos authentication using the SPNEGO protocol. This doesn't look like it belongs here. :) >+// This preference specifies a list of domains for which DNS lookups will be >+// IPv4 only. Works around broken DNS servers which can't handle IPv6 lookups >+// and/or allows the user to disable IPv6 on a per-domain basis. See bug 68796. >+pref("network.dns.ipv4OnlyDomains", ".doubleclick.net"); We also might want to add other domains such as .mii.instacontent.net (common ad servers) or .allmusic.com, (mentioned in dupes), or .bloomberg.com, .lastminute.com, .apc.com, and .apcc.com, .vanguard.com. But how many should we add? I have a list of these, but there's quite a few of them... A couple of questions on strings while I'm at it: >Index: netwerk/dns/src/nsDNSService2.cpp >=================================================================== +>[...] >+ if (NS_SUCCEEDED(rv)) { >+ // now, set all of our member variables while holding the lock >+ nsAutoLock lock(mLock); >+ mResolver = res; >+ mIDN = idn; >+ mIPv4OnlyDomains = ipv4OnlyDomains; // exchanges buffer ownership I assume this also frees the buffer which was previously being used by mIPv4OnlyDomains, right? >[...] >+ nsACString::const_iterator hostStart; >+ host.BeginReading(hostStart); Why do you need this? Is it because you can't call get() on an nsACString? Apart from that, the patch looks fine. I'll be testing it on an IPv6-connected system this evening (european time; = about 7 hours from now), if you want another data point.
Attachment #143342 - Flags: review+
Since IPv6 cannot be turned off on Panther, maybe we should mention this on the release notes? Something like "If you are using mozilla on Mac OS X 10.3, and some sites load very slowly, try turning off IPv6. To do so, enter about:config in the URL bar, scroll down to "network.dns.disableIPv6", right click to modify it and set it to true." Or maybe we should just set this pref to default true on Mac OS...
The Mac OS 10.3 issue with getaddrinfo() would be sufficient reason to turn off IPv6 on that version, just like it's turned off for 10.2.
i planned to turn this off entirely for camino, at least. not sure what m.o wants to do with firefox/seamonkey.
That's a shame. OS X should: (1) disable IPv6 lookups on its own if IPv6 is not turned on, (2) honour API flags like AI_ADDRCONFIG to do so at the application's request or, at least, (3) allow the user to turn IPv6 off It can't be so hard if both Windows and Linux do it. What's the point of including IPv6 support and even GUI configuration for IPv6 if such problems mean the apps have to ship with IPv6 disabled? Oh well...
Has anyone filed bugs with Apple? bugreporter.apple.com.
> (From update of attachment 143342 [details] [diff] [review]) > >+// which provides transparent Kerberos authentication using the SPNEGO > This doesn't look like it belongs here. :) whoops.. yes, i forgot to strip that out of the patch. > >+// This preference specifies a list of domains for which DNS lookups will be > >+// IPv4 only. Works around broken DNS servers which can't handle IPv6 lookups > >+// and/or allows the user to disable IPv6 on a per-domain basis. See bug 68796. > >+pref("network.dns.ipv4OnlyDomains", ".doubleclick.net"); > > We also might want to add other domains such as .mii.instacontent.net (common > ad servers) or .allmusic.com, (mentioned in dupes), or .bloomberg.com, > .lastminute.com, .apc.com, and .apcc.com, .vanguard.com. But how many should we > add? I have a list of these, but there's quite a few of them... yeah, i don't know how best to deal with this either. we should probably include some of these in the default prefs, but doing so is somewhat non-ideal since over time those sites might correct their DNS servers. meanwhile, mozilla will continue to block IPv6 queries to those sites. i think blacklists like this don't scale well over time, but it's not like i have a better solution in mind. pinkerton said he wants to disable IPv6 queries by default for Camino. his point is that users that need IPv6 can go and enable it. that seems like a reasonable thing. we just need a good blurb in the release notes about this stuff. > >+ mIPv4OnlyDomains = ipv4OnlyDomains; // exchanges buffer ownership > > I assume this also frees the buffer which was previously being used by > mIPv4OnlyDomains, right? right. this exchange of buffers is a property of nsAdoptingString. normally strings don't behave this way. they copy on assign, leaving both strings with the same "value". here i'm just exploiting nsAdoptingString to avoid a buffer copy. > >+ nsACString::const_iterator hostStart; > >+ host.BeginReading(hostStart); > > Why do you need this? Is it because you can't call get() on an nsACString? yes, exactly. nsAC?String represents an array of characters that is not necessarily null-terminated. as a result, there is no .get() method b/c that method is intended to return a pointer to a null-terminated array. so, we use BeginReading to get the starting iterator, and from that we get the pointer to the start of the buffer. the string API is only a "little" overkill ;-)
patch checked in for 1.7 beta. lorenzo: if you want to generate a subsequent patch to block specific domains, please do. this patch gives us the machinery to fix this bug, but we still need to configure the builds to solve this bug.
As regards disabling IPv6, I think we should leave IPv6 enabled by default for Windows and Linux builds, since on both systems IPv6 name lookups are tried only if the user explicitly turns on IPv6. The Mac case is a tougher call for an IPv6 evangelist like me, but I can understand if people want to disable IPv6 by default on OS X. :-) This can be done by wrapping a pref("network.dns.disableIPv6", true) inside #ifdef XP_MACOSX in all.js; I don't know who should make this call though. Regarding IPv4OnlyDomains, I think a blacklist is the best we can do. Remember that this is for people who have turned IPv6 on themselves, either at the OS level on Linux and Windows or by using about:config on OS X. Maybe we could put it in the release notes and then target the most common problems, like ad servers and high profile sites. If new bugs are filed, the blacklist can be expanded, and it can be periodically checked thanks to this script by David Malone which automates the necessary tests: http://www.cnri.dit.ie/cgi-bin/check_aaaa.pl
Attached patch turn off IPv6 by default on Mac (obsolete) — Splinter Review
This disables IPv6 by default on Mac. :( To re-enable, use about:config to change network.dns.disableIPv6 to true.
Same as previous patch, but the comment is a bit clearer.
Attachment #143439 - Attachment is obsolete: true
Attachment #143443 - Flags: review?(darin)
Attachment #143443 - Flags: review?(darin) → review+
Target Milestone: --- → mozilla1.7beta
over AIM: > chrishofmann: ok. go ahead. asa also notes that it was one of the top problems > in mac firefox 0.8 checked in latest patch to all.js (attachment 143443 [details] [diff] [review]) marking FIXED lorenzo: can you see about adding a release note? i hear that asa will be handling the release notes for 1.7.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago21 years ago
Resolution: --- → FIXED
Comment on attachment 143478 [details] [diff] [review] Fix missing " r+sr=darin thanks neil for catching that! we should get this patch in right away.
Attachment #143478 - Flags: superreview+
Attachment #143478 - Flags: review+
ok, i see that neil has already taken care of it: > revision 3.507 > date: 2004/03/10 15:20:54; author: neil%parkwaycc.co.uk; state: Exp; lines: +1 -1 > Fix missing quote rs=glazou a=mkaply patch in bug 68796 thanks neil!
Flags: blocking1.7b?
*** Bug 245174 has been marked as a duplicate of this bug. ***
*** Bug 244176 has been marked as a duplicate of this bug. ***
The problem in bug 244176 remains. I cannot get to the New York Times web site using the preference in Mozilla to turn off IPv6. I need to turn it off completely through modprobe.conf. Yet Opera and Lynx do not have this problem. I really think that there is more to do here. I don't understand all the discussion in this bug, but I think it seems to ignore the real problem that still exists on Linux.
(In reply to comment #136) > The problem in bug 244176 remains. I cannot get to the New York Times > web site using the preference in Mozilla to turn off IPv6. That's bug 245174, and not bug 244176 which is OpenBSD-only. Please don't spam this bug, discussion should continue there.
Now that http://www.cnri.dit.ie/cgi-bin/check_aaaa.pl?dom=doubleclick.net appears to give our single blacklisted domain a clean bill of health, should we remove it from the list? It would keep us from having to explain why the evil, baby-soul-destroying incantation "doubleclick.net" is in our all.js.
Doubleclick is still broken. Don't query for doubleclick.net, rather for ad.doubleclick.net: http://www.cnri.dit.ie/cgi-bin/check_aaaa.pl?dom=ad.doubleclick.net
Blocks: 377383
Depends on: 377395
today, that link says that all looks good even with ad.doubleclick.net . Can it be removed from the list now?
(In reply to comment #140) > today, that link says that all looks good even with ad.doubleclick.net . Can > it be removed from the list now? > That was done in bug 377395
I just wanted to inform you that I needed to manually toggle "network.dns.disableIPv6" in "about:config" to "true" in order to get websites to work, i.e. load completely (for example o2online.de, payback.de, somany.de, ...). Firefox 18.0.1 @ Windows XP SP3: Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
(In reply to Elomir from comment #142) > (for example o2online.de, payback.de, somany.de, ...). WORKSFORME. Perhaps you have a local networking problem. Try test-ipv6.com.
(In reply to John G. Myers from comment #143) > (In reply to Elomir from comment #142) > > (for example o2online.de, payback.de, somany.de, ...). > > WORKSFORME. Perhaps you have a local networking problem. Try test-ipv6.com. Yes, no ipv6 here yet (0/10): > No IPv6 address detected [more info] > > It seems as if you had only an IPv4-enabled Internet connection. > You will not be able to reach websites which are available via IPv6. > > Your DNS server (probably run by your ISP) seems either to have no IPv6 > Internet access, or is not configured to use it. In the future, this could > restrict accessibility of Web content, which is only accessible via IPv6. > [more info]
Blocks: 1673856
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: