Community.cloudflare.com not accessible from IPv6-only network because discourse-cdn.com has broken AAAA records

Hi everybody,

Technical background:

An IPv6-only network normally has NAT64 and DNS64 for access to IPv4-only websites. DNS64 returns synthesised AAAA records for any domain which does not have one. This involves an IPv6 prefix (usually 64:ff9b::/96) and packing the bits of the IPv4 address into the last 32 bits of the IPv6 address. For example, it can be written as 64:ff9b::1.1.1.1 or 64:ff9b::101:101 to access IPv4 address 1.1.1.1 on an IPv6-only network, assuming the NAT64 prefix is 64:ff9b::/96. The network routes packets with this prefix to a NAT64 gateway, which has native IPv4 access and turns the IPv6 packets into IPv4 packets and transmits them on the IPv4 internet. It reverse-translates returning IPv4 packets into IPv6 and transmits them back to the originating device on the IPv6-only network. It creates the illusion that every domain has an AAAA record and is accessible via IPv6.

The issue is if a domain publishes a broken AAAA record (if IPv6 goes down on their server, for example). There will be no synthesised AAAA record for that domain, because a real AAAA record has been published. It means that IPv6-only networks cannot “fall back” to IPv4. The only way fall-back can work on an IPv6-only network is if the device is running a CLAT as part of 464XLAT.

The problem for community[dot]cloudflare[dot]com:

It appears that sjc4[dot]discourse-cdn[dot]com and aws1[dot]discourse-cdn[dot]com have these issues (they each have an AAAA record, but are not reachable via their respective AAAA records), and are required for community.cloudflare.com to load. I have had to get on an IPv4 / dual-stack network just to make an account to post this. Can Cloudflare please contact the domain owners to sort this out? It means any device on an IPv6-only network (common for 4G mobile deployments) without 464XLAT will not be able to load community[dot]cloudflare[dot]com.

Reproduce the problem for yourself:

Anybody with IPv6 internet can easily try it: grab a DNS64 server address from nat64[dot]net and use their public NAT64 implementation. Override your IPv6 DNS server on your internet network interface to the address you obtained, and disable IPv4 on that same interface. You should be able to access IPv4 and IPv6 websites, but community.cloudflare.com will only load to a blank white screen. You can go into the developer tools of the browser and see the connections which are failing. If you own a Mac, here are directions for using it to create a NAT64 test network (intended for developers to be able to check if their apps work behind a NAT64 gateway): developer[dot]apple[dot]com/forums/thread/4971

Thanks to anybody willing to take me seriously. :slight_smile:

1 Like
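As an added illustration (not from the original post), the address synthesis the post describes, with the DNS64 decision rule that a real AAAA record suppresses synthesis: the 68.70.207.1 / 2a0b:4d07:4::1 pair used in the sample is the one that appears in the nslookup output later in the thread, and the 2001:db8:64::/96 prefix is a made-up network-specific prefix for comparison with the well-known one.

```python
import ipaddress

# Well-Known Prefix from RFC 6052; an operator may use its own /96 instead.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4).compressed


def extract(ipv6, prefix=WKP):
    """The reverse step a NAT64 gateway performs on outgoing packets:
    recover the IPv4 address, or None if the address is not inside the prefix
    (i.e. it is a native IPv6 destination and is routed as such)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF).compressed


def dns64_answer(a_records, aaaa_records, prefix=WKP):
    """What a DNS64 resolver hands an IPv6-only client for one name.
    Any real AAAA record wins; synthesis only happens when there are none,
    which is why a published-but-dead AAAA record removes the IPv4 fallback."""
    if aaaa_records:
        return {"synthesized": False, "addresses": list(aaaa_records)}
    return {"synthesized": True,
            "addresses": [synthesize(a, prefix) for a in a_records]}


if __name__ == "__main__":
    # Constructed sample: the CDN node from the thread, with and without its AAAA.
    print(synthesize("1.1.1.1"))                              # 64:ff9b::101:101
    print(dns64_answer(["68.70.207.1"], ["2a0b:4d07:4::1"]))  # no synthesis
    print(dns64_answer(["68.70.207.1"], []))                  # 64:ff9b::4446:cf01
```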

Hey, are you not able to reach the returned IPs in the AAAA response? Is it not reachable at all, or not responsive over HTTPS? Can you post a traceroute6 2a0b:4d07:2::1?

2 Likes

tracert 2a0b:4d07:2::1

Tracing route to 2a0b:4d07:2::1 over a maximum of 30 hops

1 1 ms <1 ms <1 ms [my router IPv6 addr]
2 6 ms 6 ms 6 ms 2407:8800:a000::1a9
3 6 ms 6 ms * 2407:8800:bf00:af:b226:80ff:fe6c:7c0a
4 61 ms 60 ms 61 ms 2407:8800:bf00:26::1
5 * * * Request timed out.
6 199 ms 201 ms 199 ms las-b24-link[dot]telia[dot]net [2001:2000:3080:548::1]
7 204 ms 205 ms 204 ms las-b4-v6[dot]telia[dot]net [2001:2000:3018:a2::1]
8 * * * Request timed out.
9 244 ms 199 ms * 2a0b:4d07:2::1
10 199 ms 199 ms * 2a0b:4d07:2::1
11 199 ms 200 ms * 2a0b:4d07:2::1
12 199 ms 199 ms * 2a0b:4d07:2::1
13 199 ms 199 ms * 2a0b:4d07:2::1
14 199 ms 199 ms * 2a0b:4d07:2::1
15 199 ms 199 ms * 2a0b:4d07:2::1
16 199 ms 199 ms * 2a0b:4d07:2::1
17 200 ms 199 ms * 2a0b:4d07:2::1
18 199 ms 199 ms * 2a0b:4d07:2::1
19 199 ms 200 ms * 2a0b:4d07:2::1
20 199 ms 199 ms * 2a0b:4d07:2::1
21 199 ms 199 ms * 2a0b:4d07:2::1
22 199 ms 199 ms * 2a0b:4d07:2::1
23 199 ms 199 ms * 2a0b:4d07:2::1
24 199 ms 199 ms * 2a0b:4d07:2::1
25 199 ms 200 ms * 2a0b:4d07:2::1
26 199 ms 199 ms * 2a0b:4d07:2::1
27 199 ms * 199 ms 2a0b:4d07:2::1

Trace complete.

ping 2a0b:4d07:2::1

Pinging 2a0b:4d07:2::1 with 32 bytes of data:
Reply from 2a0b:4d07:2::1: time=199ms
Reply from 2a0b:4d07:2::1: time=199ms

curl [2a0b:4d07:2::1]

[Prints out some HTML]

curl aws1[dot]discourse-cdn[dot]com

[Hangs indefinitely]

curl https://aws1[dot]discourse-cdn[dot]com

[Hangs indefinitely]

Did you mean 2a0b:4d07:4::1? aws1[dot]discourse-cdn[dot]com and sjc4[dot]discourse-cdn[dot]com resolve to this, not 2a0b:4d07:2::1. Or is this GeoDNS resolving differently based on geographic location?

nslookup aws1[dot]discourse-cdn[dot]com
Server: UnKnown
Address: fe80::

Non-authoritative answer:
Name: a-au00[dot]kxcdn[dot]com
Addresses: 2a0b:4d07:4::1
68.70.207.1
Aliases: aws1[dot]discourse-cdn[dot]com
aws1cdn-456a[dot]kxcdn[dot]com

nslookup sjc4[dot]discourse-cdn[dot]com
Server: UnKnown
Address: fe80::

Non-authoritative answer:
Name: a-au00[dot]kxcdn[dot]com
Addresses: 2a0b:4d07:4::1
68.70.207.1
Aliases: sjc4[dot]discourse-cdn[dot]com
sjc4cdn-456a[dot]kxcdn[dot]com

tracert 2a0b:4d07:4::1

Tracing route to 2a0b:4d07:4::1 over a maximum of 30 hops

1 1 ms 1 ms 1 ms [my router IPv6 addr]
2 6 ms 6 ms 6 ms 2407:8800:a000::1a9
3 * 6 ms 6 ms 2407:8800:bf00:ae:b226:80ff:fe6c:341
4 7 ms 6 ms 6 ms 2407:8800:bf00:7::2
5 6 ms 6 ms 7 ms 2407:8800:bf00:5:2bc:60ff:fe1d:d4de
6 8 ms 7 ms 9 ms as4826[dot]wa[dot]ix[dot]asn[dot]au [2001:7fa:11::12da:0:1]
7 52 ms 52 ms 52 ms 2402:7800:40:1::a5
8 * * * Request timed out.
9 * * * Request timed out.
10 52 ms 52 ms 53 ms fintel-bdr[dot]vocus[dot]net[dot]au [2402:7800::5]
11 53 ms 54 ms 54 ms 2402:7800:0:1::5e
12 203 ms 203 ms 203 ms 2402:7800:0:2::35a
13 203 ms 202 ms 202 ms as133480[dot]syd[dot]edgeix[dot]net[dot]au [2001:df0:680:5::2c]
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

ping 2a0b:4d07:4::1 times out, no response

Is there a way to request they stop limiting me to two links per post? Cloudflare should know that on a Cloudflare forum, there will be plenty of legitimate need to post domain names which appear as links. I should not have to edit my tracert output to post it. Plus I signed up and went to this effort for Cloudflare and the good of the internet, not for me.

Hi, it looks like aws1.discourse-cdn.com steers you to a node in Sydney (a-au00.kxcdn.com). It doesn’t load for me either, so that seems like a problem:

$ curl -6 https://a-au00.kxcdn.com -v
*   Trying 2a0b:4d07:4::1:443...

I’ll try to see if we can open a ticket with Discourse.