The issue you're experiencing appears to be related to DNS resolution in an IPv6 environment. Since the problem resolves when you switch to IPv4 or manually set an IPv6 DNS server, it suggests that the default DNS configuration in your IPv6 setup is not working correctly.
To solve this in IPv6, you can try the following approaches:
- Enable DNS64 in your subnet: DNS64 is a mechanism that allows IPv6-only clients to reach IPv4-only servers. In your EC2 instance's subnet settings, look for an option called "enableDns64" and ensure it's set to true. This will allow the Amazon-provided DNS Resolver to return synthetic IPv6 addresses for IPv4-only destinations.
- Configure a persistent IPv6 DNS server: Instead of manually editing /etc/resolv.conf (which gets overwritten), you should configure your system to use a reliable IPv6 DNS server persistently. You can do this by modifying your network configuration files or using network management tools specific to your operating system.
- Check Route 53 Resolver settings: If you're using Amazon Route 53, ensure that it's configured to handle both IPv4 and IPv6 DNS queries. Route 53 supports both address types for creating records and health checks.
- Verify security group and network ACL settings: Ensure that your EC2 instance's security group and the subnet's network ACL allow outbound DNS traffic (usually on port 53) for both TCP and UDP protocols over IPv6.
- Use Route 53 Resolver DNS Firewall: If you're still experiencing issues, you might want to implement Route 53 Resolver DNS Firewall. This feature allows you to create domain lists and build firewall rules that filter outbound DNS traffic, which could help in troubleshooting and resolving DNS-related issues.
By implementing these solutions, you should be able to resolve the DNS query failures in your IPv6 environment and get your Cloudflare zero trust tunnel working correctly.
Sources:
- Amazon Route 53 features - Amazon Web Services
- Amazon Route 53 concepts - Amazon Route 53
- Subnet - Amazon Elastic Compute Cloud
1. DNS64 has been enabled in the subnet.
2. /etc/resolv.conf DNS is the default value, 127.0.0.53.
3. DHCP option set is the default, Domain name servers: AmazonProvidedDNS.
4. Outbound rules of Security group and Network ACL: All traffic, 0.0.0.0/0, Allow; ::/0, Allow.
nslookup msn.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: msn.com
Address: 204.79.197.219
Name: msn.com
Address: 64:ff9b::cc4f:c5db
nslookup argotunnel.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
*** Can't find argotunnel.com: No answer
It seems it is still not good.
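The answer above says the Amazon-provided resolver synthesizes an IPv6 address for IPv4-only names when DNS64 is on, and the nslookup output above shows one such answer (204.79.197.219 alongside 64:ff9b::cc4f:c5db) and one name that returns nothing at all. The following is an added example, not code from the thread or from AWS: it parses nslookup output, checks whether an AAAA answer is a DNS64 synthesis of the A answer (well-known prefix 64:ff9b::/96, RFC 6052), and separates "DNS64 working" from "resolver returned no answer", which is a different failure. The two sample outputs are copied from the reply above.

```python
import ipaddress
import re
from typing import Optional

# Well-known DNS64 prefix (RFC 6052): the IPv4 address sits in the low 32 bits.
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Sample inputs: the two nslookup results posted in the reply above.
MSN_OUTPUT = """Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: msn.com
Address: 204.79.197.219
Name: msn.com
Address: 64:ff9b::cc4f:c5db"""
ARGOTUNNEL_OUTPUT = """Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
*** Can't find argotunnel.com: No answer"""


def synthesize_aaaa(ipv4: str) -> str:
    """Address a DNS64 resolver should return for an IPv4-only name."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(DNS64_PREFIX.network_address) | v4))


def embedded_ipv4(aaaa: str) -> Optional[str]:
    """IPv4 address embedded in a DNS64 answer, or None if it is a native AAAA."""
    v6 = ipaddress.IPv6Address(aaaa)
    if v6 not in DNS64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def parse_nslookup(output: str) -> dict:
    """Collect A/AAAA answers from the non-authoritative section of nslookup output."""
    result = {"a": [], "aaaa": [], "no_answer": False}
    in_answer = False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Non-authoritative answer:"):
            in_answer = True  # everything before this is the resolver itself (127.0.0.53)
            continue
        if "No answer" in line:
            result["no_answer"] = True
        m = re.match(r"Address:\s*(\S+)$", line)
        if in_answer and m:
            addr = ipaddress.ip_address(m.group(1))
            result["a" if addr.version == 4 else "aaaa"].append(str(addr))
    return result


def check_dns64(output: str) -> str:
    """Classify one nslookup result: did DNS64 synthesize, or did the resolver return nothing?"""
    r = parse_nslookup(output)
    if r["no_answer"]:
        return "no-answer"  # resolver gave no records at all; not a DNS64 symptom
    if any(embedded_ipv4(a) in r["a"] for a in r["aaaa"]):
        return "dns64-synthesized"  # AAAA is the A record wrapped in 64:ff9b::/96
    return "native-aaaa" if r["aaaa"] else "ipv4-only"
```

Running check_dns64 over the two captures classifies msn.com as "dns64-synthesized" and argotunnel.com as "no-answer", so the second failure is not something enableDns64 can fix.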