
DNS query failed argotunnel in IPv6

0

I run a Cloudflare Zero Trust tunnel in AWS; the EC2 instance is on IPv6 and is assigned a public IPv6 address.
The error "DNS query failed: lookup "argotunnel.com"" occurs when the program starts.

But everything is OK when:
1. the EC2 instance is changed from IPv6 to IPv4 and assigned a public IPv4 address, or
2. /etc/resolv.conf is edited by hand to set DNS=2606:4700:4700::1111 (this file is automatically restored to 127.0.0.53 after a while).

How can it be solved in IPv6? Thanks for any help.

Logs:
ERR edge discovery: error looking up Cloudflare edge IPs: the DNS query failed error="lookup argotunnel.com on 127.0.0.53:53: cannot unmarshal DNS message" event=0 ......
INF Tunnel server stopped
ERR Initiating shutdown error="Could not lookup srv records on _v2-origintunneld._tcp.argotunnel.com: lookup argotunnel.com on 127.0.0.53:53: cannot unmarshal DNS message"

nslookup argotunnel.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
*** Can't find argotunnel.com: No answer

2 Answers
0

The issue you're experiencing appears to be related to DNS resolution in an IPv6 environment. Since the problem resolves when you switch to IPv4 or manually set an IPv6 DNS server, it suggests that the default DNS configuration in your IPv6 setup is not working correctly.

To solve this in IPv6, you can try the following approaches:

  1. Enable DNS64 in your subnet: DNS64 is a mechanism that allows IPv6-only clients to reach IPv4-only servers. In your EC2 instance's subnet settings, look for an option called "enableDns64" and ensure it's set to true. This will allow the Amazon-provided DNS Resolver to return synthetic IPv6 addresses for IPv4-only destinations.

  2. Configure a persistent IPv6 DNS server: Instead of manually editing /etc/resolv.conf (which gets overwritten), you should configure your system to use a reliable IPv6 DNS server persistently. You can do this by modifying your network configuration files or using network management tools specific to your operating system.

  3. Check Route 53 Resolver settings: If you're using Amazon Route 53, ensure that it's configured to handle both IPv4 and IPv6 DNS queries. Route 53 supports both address types for creating records and health checks.

  4. Verify security group and network ACL settings: Ensure that your EC2 instance's security group and the subnet's network ACL allow outbound DNS traffic (usually on port 53) for both TCP and UDP protocols over IPv6.

  5. Use Route 53 Resolver DNS Firewall: If you're still experiencing issues, you might want to implement Route 53 Resolver DNS Firewall. This feature allows you to create domain lists and build firewall rules that filter outbound DNS traffic, which could help in troubleshooting and resolving DNS-related issues.

By implementing these solutions, you should be able to resolve the DNS query failures in your IPv6 environment and get your Cloudflare zero trust tunnel working correctly.
Sources
Amazon Route 53 features - Amazon Web Services
Amazon Route 53 concepts - Amazon Route 53
Subnet - Amazon Elastic Compute Cloud

answered a month ago
0

1. DNS64 has been enabled in the subnet.
2. /etc/resolv.conf DNS is the default value, 127.0.0.53.
3. The DHCP option set is the default: Domain name servers: AmazonProvidedDNS.
4. Outbound rules of the security group and network ACL: All traffic, 0.0.0.0/0, Allow; ::/0, Allow.

nslookup msn.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: msn.com
Address: 204.79.197.219
Name: msn.com
Address: 64:ff9b::cc4f:c5db

nslookup argotunnel.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
*** Can't find argotunnel.com: No answer

It seems it is still not good.

answered a month ago
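Added example (not from this thread, and not cloudflared's or AWS's code) covering the first answer's point 2 and the follow-up above: it makes the IPv6 resolver that the asker set by hand in /etc/resolv.conf persistent through a systemd-resolved drop-in instead of a file that gets overwritten, and it checks the SRV record that cloudflared actually asks for (from the log lines) rather than the A/AAAA lookup that a bare `nslookup argotunnel.com` performs. It assumes the instance runs systemd-resolved (the 127.0.0.53 stub in the logs indicates that), that `resolvectl` and `dig` are installed, and the drop-in file name 10-cloudflared.conf is a name chosen here.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from cloudflared/AWS.
# Assumptions: systemd-resolved is the local stub (127.0.0.53), resolvectl
# and dig are available, and "10-cloudflared.conf" is a file name chosen here.

# Name cloudflared resolves at start-up (taken from the question's log lines).
SRV_NAME="_v2-origintunneld._tcp.argotunnel.com"

# Render a resolved.conf drop-in. Domains=~. makes the listed servers the
# preferred ones for every name, so they win over the per-link servers that
# DHCPv6 / AmazonProvidedDNS hands out instead of merely supplementing them.
resolved_dropin_content() {
    printf '[Resolve]\nDNS=%s\nDomains=~.\n' "$*"
}

# Write the drop-in into DIR (default /etc/systemd/resolved.conf.d) for the
# given servers (default: Cloudflare's two IPv6 resolvers, the first being the
# one the asker verified by hand). Prints the path written.
install_resolved_dropin() {
    dir="${1:-/etc/systemd/resolved.conf.d}"
    if [ "$#" -gt 0 ]; then shift; fi
    [ "$#" -gt 0 ] || set -- 2606:4700:4700::1111 2606:4700:4700::1001
    mkdir -p "$dir"
    file="$dir/10-cloudflared.conf"
    resolved_dropin_content "$@" > "$file"
    printf '%s\n' "$file"
}

# Ask for the SRV record through the local stub and directly at an upstream.
# Only the stub failing points at the local resolver configuration; both
# failing points at IPv6 reachability of the upstream (security group / NACL).
check_srv() {
    upstream="${1:-2606:4700:4700::1111}"
    printf 'SRV %s via stub 127.0.0.53: ' "$SRV_NAME"
    if resolvectl query -t SRV "$SRV_NAME" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
    printf 'SRV %s via %s directly: ' "$SRV_NAME" "$upstream"
    if dig +short @"$upstream" SRV "$SRV_NAME" | grep -q .; then echo ok; else echo FAIL; fi
}

# Typical use (root needed for the install and restart):
#   check_srv
#   install_resolved_dropin && systemctl restart systemd-resolved
#   check_srv
```

Routing every lookup to a public resolver has a cost worth knowing before applying it: VPC-internal names (private hosted zones, internal EC2 hostnames) and the DNS64 synthesis the follow-up shows working for msn.com are provided by AmazonProvidedDNS and will not come from 2606:4700:4700::1111. Cloudflare publishes DNS64-capable resolvers at 2606:4700:4700::64 and 2606:4700:4700::6400 if synthesized AAAA records are still needed on an IPv6-only instance; pass them as the server arguments instead.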
