Category Archives: ipv6

how to create ipv6 reverse DNS entry

Let's begin with what we will be covering in this blog post.
We will cover a lil bit of what a reverse DNS entry is and why we need it.
We will then cover how to create a reverse DNS entry for two types of ipv6 entries:

    1. A 6to4 ipv6 ip using our own dns server and a 6to4 nro delegation
    2. A tunnel broker ipv6 entry using dns provided by he.net

The reverse DNS lookup helps to resolve an ip into the respective host name. It is, like the name says, the “reverse” of what DNS normally does.

DNS is used to convert a human readable name like “hackalyst.info” into its corresponding ip.


$ host hackalyst.info
hackalyst.info has address 50.57.67.195

A reverse DNS entry helps to resolve the ip into a hostname.

$ host 50.57.67.195
195.67.57.50.in-addr.arpa domain name pointer hackalyst.info.

Now, why is reverse DNS required?

One of the reasons, nicely explained at godaddy, is to fight spam.

Other than that, it's always cool to have your ip map to your domain name ;)

There are two ways of creating a reverse DNS entry for ipv6.
1) You can create your own DNS server and have your domain name provider point to your additional DNS.
2) You can use a free dns service provided by dns.he.net

Let's first go through the first option, which is slightly lengthier and more DIY and CLI friendly :P

The wikipedia entry on 6to4 pointed me towards 6to4.nro.net, which can be used to create a reverse DNS PTR for a 6to4 ip, i.e., an ipv6 starting with 2002:.

The 6to4.nro.net needs dns servers with a zone for this reverse delegation. None of the dns servers I host with (domaincontrol.com through godaddy, stabletransit.com via rackspace and he.net) were accepted in 6to4 form. So I decided to set up my own DNS server.

First I set up the DNS name for my DNS (yeah, that's required!) at my existing dns provider.
I am setting up my dns on my own server, hence can simply create sub domains (I used dns1 and dns2 instead of traditional ns1 and ns2) pointing to my own domain. You can create such subdomains pointed to the actual hosts where you will be setting up your DNS. You can set it up on one host or on multiple hosts.

I set up my own DNS server using instructions from devshed forums. It's pretty old but still works.

At the end of configuring the dns server, I initially got an error saying:

_default/67.57.50.in-addr.arpa/IN: file not found

That was because the file name in the config and my actual file name were not the same. After I fixed this issue, named would still refuse to start without throwing any errors.

An inspection of /var/log/messages said something about unable to write to the log file.

Jun 24 11:58:22 deltacore named[31254]: the working directory is not writable
Jun 24 11:58:22 deltacore named[31254]: isc_stdio_open 'query.log' failed: permission denied
Jun 24 11:58:22 deltacore named[31254]: configuring logging: permission denied
Jun 24 11:58:22 deltacore named[31254]: loading configuration: permission denied

The way to fix it was to change the ownership of the /var/named folder and /etc/named.conf to named :)

# chown -R named:named /var/named /etc/named.conf

And then all was fine :)

After setting the above DNS server, I needed to add the PTR info for my ipv6.
I found http://www.fpsn.net/index.cgi?pg=tools&tool=ipv6-inaddr via searching and headed over to create my reverse PTR configuration for my own DNS.

In the form:
Record type : select ip6.arpa (new standard)
Assigned IPv6 Block: (your ipv6 block)
Admin email:
DNS Server: (DNS Created above)
Secondary server: (DNS Created above)

Then it gives the configuration file which you can add to your named.conf and create the reverse zone file.
Like it says at the end of generated reverse zone file, you need to add the AAAA entry in your respective zone file.

After this, it was just playing around to add “my” DNS servers to my “Domain” NS entries with my service provider.
My primary DNS provider is godaddy. I just added my own DNS entries into the NS entry of my domain.

If you do not want to create your own DNS server (or cannot due to resource crunch), you can use freely available DNS servers from he.net.

For this second purpose, I am going to use both the 6to4 ip above tied with your domain and another ipv6 obtained through tunnelbroker.

DNS provided by he.net can be used for managing your domains and these are pretty good in terms of usability.
Add your domain to your dns.he.net account, create your A,AAAA and other entries.

For creating your reverse DNS entry, you need to create the PTR record. It's available under the “Additional” menu in dns.he.net.
For finding out the value of your ipv6 PTR, head over to http://rdns6.com/ and enter your v6 ip. The nibble value is what basically goes into your PTR record. In dns.he.net, the above nibble would be added as Name in PTR entry and your domain name in the Hostname.

If you are using a tunnel broker ipv6, you can login to dns.he.net using the same credentials as your tunnelbroker and it would import and delegate the ipv6 provided to you to the he.net nameservers. (I might be wrong here as I've been using dns.he.net for quite some time and do not remember the initial steps I took).

Once you've assigned dns names to your ipv6 ips, you can go and assign those ips and respective domain in dns.he.net. This creates the PTR record for those ipv6 pointing to your domain.

At the end of the day, this is what should be the result of a perfectly working PTR record.

$ host hackalyst.info
hackalyst.info has address 50.57.67.195
hackalyst.info has IPv6 address 2002:3239:43c3::1

$ host 2002:3239:43c3::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.c.3.4.9.3.2.3.2.0.0.2.ip6.arpa domain name pointer hackalyst.info.

$ host hackalyst.homeunix.org
hackalyst.homeunix.org has address 106.51.119.133
hackalyst.homeunix.org has IPv6 address 2001:470:5:869:21e:c9ff:fe03:803b

$ host 2001:470:5:869:21e:c9ff:fe03:803b
b.3.0.8.3.0.e.f.f.f.9.c.e.1.2.0.9.6.8.0.5.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer hackalyst.homeunix.org.
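
The nibble names in the lookups above can be derived offline. This is an added example, not code from the original post: it computes the 6to4 /48 prefix from the IPv4 address, the ip6.arpa zone to delegate, the PTR line for the zone file, and checks that forward and reverse records agree. The function names and the record dictionaries standing in for DNS answers are assumptions made for the example.

```python
"""Added example: derive ip6.arpa names for the addresses used in this post."""
import ipaddress


def sixto4_prefix(ipv4):
    """6to4 /48 prefix (2002:V4HI:V4LO::/48) for a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def _nibbles(addr):
    """All 32 hex nibbles of an IPv6 address, most significant first."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def reverse_zone(network):
    """ip6.arpa zone name to delegate for a prefix on a nibble boundary."""
    net = ipaddress.IPv6Network(str(network))
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a prefix length divisible by 4")
    kept = _nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa."


def ptr_name(addr):
    """Fully qualified PTR owner name (the 'nibble value') for one address."""
    return ".".join(reversed(_nibbles(addr))) + ".ip6.arpa."


def ptr_record(addr, hostname, network):
    """Zone-file line for addr, owner written relative to reverse_zone(network)."""
    net = ipaddress.IPv6Network(str(network))
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is outside {net}")
    zone = reverse_zone(net)
    owner = ptr_name(addr)[: -len(zone) - 1] or "@"   # strip ".<zone>"
    return f"{owner} IN PTR {hostname.rstrip('.')}."


def forward_confirmed(hostname, aaaa, ptr):
    """True if every AAAA of hostname has a PTR that points back to it.

    aaaa maps hostname -> list of addresses, ptr maps owner name -> hostname;
    both stand in for real DNS answers so the check runs offline.
    """
    addrs = aaaa.get(hostname, [])
    return bool(addrs) and all(
        ptr.get(ptr_name(a), "").rstrip(".").lower() == hostname.lower()
        for a in addrs
    )


if __name__ == "__main__":
    prefix = sixto4_prefix("50.57.67.195")   # IPv4 address from the post
    print("prefix:", prefix)
    print("zone  :", reverse_zone(prefix))
    print("record:", ptr_record("2002:3239:43c3::1", "hackalyst.info", prefix))
```

A PTR that does not point back to a name resolving to the same address fails `forward_confirmed`, which is the mismatch spam filters look for.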

So now you know how to create reverse DNS entry aka PTR for your ipv6 :)

cheers!

Google/Youtube’s ISP specific cache/tieups ?

hi,

Today we are going to discuss possible google tieups with local ISPs to create caching layers in order to deliver better experience to high bandwidth customers.

I stumbled upon the same while browsing one of google’s pages which had an embedded youtube video. Initially it was very slow and I was quite surprised since I am on a 10mbps bandwidth connection and am usually able to stream even HD videos on youtube without any buffering delays. Then I realised that most probably I was going over the ipv6 network (and hence tunneling all the way to US and not getting local content) and hence the delay. I fired my wireshark and indeed I was going over the ipv6 network. I mulled over disabling the ipv6 in router and keeping it only in my dev box when I realised that I can simply disable ipv6 browsing in my firefox :).

about:config -> network.dns.disableIPv6;true

And am done :)

After doing the above, I reloaded the earlier page with firebug enabled. The embedded video was now playing smoothly without any buffering delays. And then all of a sudden I saw this in the firebug network panel:

o-o.preferred.actbroadband-blr1.v3.lscache3.c.youtube.com

wait what?!
So google has a cache specifically for my ISP?! (I use ACT broadband).
Now that my curiosity was piqued, I decided to do a lil more digging.

[anshup@mouthwa ~]$ host o-o.preferred.actbroadband-blr1.v3.lscache3.c.youtube.com
o-o.preferred.actbroadband-blr1.v3.lscache3.c.youtube.com has address 202.83.22.14
o-o.preferred.actbroadband-blr1.v3.lscache3.c.youtube.com has IPv6 address 2404:6800:4007:2::e

Oh, so they've also ipv6 enabled it, nice.

whois 202.83.22.14

descr: BroadBand Internet Service Provider, India
..
address: ACT Television
address: # 29/4, 4th Floor, Trade Center,
address: Race Course Road, Bangalore - 560 001

[anshup@mouthwa ~]$ whois 2404:6800:4007:2::e

inet6num: 2404:6800::/32
netname: GOOGLE_IPV6_AP-20080930
descr: Google IPv6 address block in AP
country: AU

Ah, so while the ipv4 cache was coming from my local ISP, the ipv6 cache was coming all the way from Australia? So even though google might've teamed up and linked a deal with local broadband providers, it still is some miles away in getting ipv6 cache to India? Or possibly because I am on an ipv6 tunnel, it ended up using my tunnel endpoint as the preferred location rather than my original location.

The more interesting part is that Google has apparently created local caches at ISP ends to help give better speed to the end user. I need to check it on some other ISPs here in bangalore and then will update the results here.

cheers

how to get ipv6 connection in India

It is possible to get an ipv6 connection in India using tunneling (ipv6 over ipv4). There are multiple providers, but he.net is one of the simplest ones to use and set up. And it's free! You can set up to 5 tunnels with every free account. You’ll mostly need one or two at most, as each tunnel needs a valid ipv4 ip on your end.

To set up a free tunnel, head over to the tunnel broker site of he.net.

Register a new account. After successful registration (and confirmation), login, click on “create a regular tunnel” under user functions, provide your ipv4 address (usually it's the same as the “You are viewing from” address shown under the text box for “IPv4 endpoint (your side)”) and voila, you are ready to go!

If you want to use google services over ipv6, I suggest you use one of the US endpoints of the tunnel, as it looks like google has whitelisted the US endpoints. The Asian endpoints don't have access to google and facebook over ipv6.

Once you've created your tunnel, you need to set up your system. I've tried it on linux, mac and airport extreme. The example configuration shown in the tunnel page (once created) works pretty well for all that I tried. Most of them need you to copy paste the given commands into a command line terminal.

Once you are done with all the above, comes the most important part. Adding the DNS! Even if you've a fully functional tunnel, you won't be able to browse or use it unless you've the DNS configured for ipv6.

In your version of OS, configure the DNS for he.net

2001:470:1f06:b8c::2

Check it up online how to configure a nameserver/dns for your OS.

If you have an Airtel connection, or another ISP that results in you having different ips, no worries. You can update your tunnel endpoint (i.e., your ip) in the tunnel configuration easily, either using the web UI by logging into the tunnelbroker.net site, or using the API available at http://ipv4.tunnelbroker.net/ipv4_end.php. Both forms below carry your credentials in the URL, so use the https URLs as shown.

Usage: https://ipv4.tunnelbroker.net/ipv4_end.php?ip=IPV4ADDR&pass=MD5PASS&apikey=USERID&tid=TUNNELID
-or-: https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID (auto-detect IP)

https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/ipv4_end.php?tid=TUNNELID&ip=IPV4ADDR

Let me know if you need more help with setting up your ipv6 tunnel!

My home network and my blog both are now on ipv6, thanks to the tunnels provided by he.net!

how to add AAAA record (or ipv6 record) to your rackspace dns

UPDATE: Don’t bother setting it up if you are only using the rackspace cloud server. Their DNS doesn’t support ipv6 yet and apparently won’t propagate the AAAA records yet :! That's kinda funny since they do have load balancer services on ipv6 now. Waiting on some response/confirmation from Waz mentioned in the post. I've moved my DNS back to my domain registrar, GoDaddy.

I was earlier hosting with slicehost and their dns was a smooth drive when it came to adding any DNS entries.

I then moved to their parent company rackspace as they had cheaper plans. Slicehost was slated to move to same plans but some time down the year.

Anyways, after I moved to rackspace, I decided to add the IPv6 domain back to my server. In slicehost it was pretty simple, but in rackspace, oh no!

The rackspace DNS is still in the primitive era. Recently they have announced an overhaul of their entire DNS but it's still stuck in the last mile deliverable, i.e., a working GUI.

Add to that, their “beta” API docs (I didn’t know for a while what’s in beta, the API or the docs :P ).

Anyways, my first attempt to use the GUI was faced with continuous failure :!

[Screenshot: rackspaceAAAAfailure]

After a quick chat with their customer care, I was pointed to their DNS API. Apparently AAAA support is not in GUI yet.

Ok, now let's give it a try.

Documentation is always a pain, but I guess when your moolah depends upon that, it should be better. Now I am usually pretty good at RTFM, but this time it was simply not happening. Rackspace needs to spruce up that documentation a lot!

Anyways, now that we are done with a rather lengthy prelude to the actual subject, let's get on to the real topic: how to add a AAAA record to your rackspace in case the GUI is failing.

First, you’ll need a firefox plugin called restclient. That’s cause the return error messages from rackspace are quite uninformative and it becomes difficult to change your curl command or php script based on a vague 403 or a 500.

First step:

Get your rackspace API Key.
For this, you first need to login to your rackspace account and get the API key. It's located under the “Your account” section.

Click on Show Key to show your key. Or you can generate a new API key on that page using Generate new key.

Second step:
Get an authentication token.
Now getting the API key is half the part of getting your authentication token. Your API key is not your authentication token.
You use the API key to generate your authentication token using the rackspace REST webservices.

The Rackspace authentication webservice accepts the parameters using headers only, and sends the output in headers as well.

Before we get the token, you need to find out if you are a US user or a UK user :!

quoting the API doc

To access the Authentication Service, you must know whether your account is US-based or UK-based:

US-based accounts authenticate through https://auth.api.rackspacecloud.com/v1.0.

UK-based accounts authenticate through https://lon.auth.api.rackspacecloud.com/v1.0.

Your account may be based in either the US or the UK; this is not determined by your physical location but by the location of the Rackspace retail site which was used to create your account:

If your account was created via http://www.rackspacecloud.com, it is a US-based account.

If your account was created via http://www.rackspace.co.uk, it is a UK-based account.

Once you've found your endpoint (mine is US), you can start to get your Auth token.

A simple way for those familiar with command line is to use curl:

curl -I -H 'X-Auth-User:yourRackspaceLogin' -H 'X-Auth-Key:YOUR-API-KEY-HERE' 'https://auth.api.rackspacecloud.com/v1.0'

If you are a UK customer, the respective DNS API endpoint for UK is:

https://lon.dns.api.rackspacecloud.com/v1.0/


Or for those not aware of it, you can use the firefox plugin we installed earlier.

Open the plugin from the tools menu under firefox. I am on mac. So choose the respective menu for your platform.

Select the RestClient.

Select GET method. Put the url as your endpoint that you found above. Click on Add Header

Name – X-Auth-User
Value – yourRackspaceLogin

Add another header
Name – X-Auth-Key
Value – YOUR-API-KEY

After adding these two headers, hit send, and if all goes fine, you should get a green (204) response.

An HTTP 204 response means that the server successfully processed the request, but is not returning any content. Like I said earlier, this part of the transaction, i.e., getting the auth token, is done entirely using headers only.

The output for curl method would be something like this:

HTTP/1.1 204 No Content
Server: Apache/2.2.13 (Red Hat)
vary: X-Auth-Token,X-Auth-Key,X-Storage-User,X-Storage-Pass
X-Storage-Url: https://storage101.ord1.clouddrive.com/v1/MossoCloudFS_s0m34rb17v4lu3
Cache-Control: s-maxage=17404
Content-Type: text/xml
Date: Sun, 25 Sep 2011 04:14:17 GMT
X-Auth-Token: THIS-IS-YOUR-AUTH-TOKEN
X-Server-Management-Url: https://servers.api.rackspacecloud.com/v1.0/588177
X-Storage-Token: THIS-IS-YOUR-AUTH-TOKEN
Connection: Keep-Alive
X-CDN-Management-Url: https://cdn2.clouddrive.com/v1/MossoCloudFS_s0m34rb17v4lu3

The values for both X-Auth-Token and X-Storage-Token are the same, so nothing to worry about duplicates.

Notice the “588177” in the X-Server-Management-Url above. Make a note of your corresponding value. This is your server id that you’ll need in further DNS API calls as well. We will call it YOUR_SERVER_ID for the purpose of the rest of this blog.

Third Step:
Get the Domain ID

Now we need to get the Domain ID of your domain tied to your server. I had two domains listed with my server. You can have one or multiple such domains listed with your server.

The curl command would be:

curl -H 'X-Auth-Token:YOUR-AUTH-TOKEN' 'https://dns.api.rackspacecloud.com/v1.0/YOUR_SERVER_ID/domains/'

Output is something like:

{"domains":[{"name":"anshprat.info","id":2791520,"accountId":588177,"updated":"2011-05-17T13:14:33.000+0000",
"created":"2011-05-17T13:08:13.000+0000"},{"name":"hackalyst.info","id":2791406,"accountId":588177,"updated":"2011-09-24T14:57:39.000+0000",
"created":"2011-05-17T10:10:57.000+0000"}],"totalEntries":2}

You can do the same using the RestClient. Find the url in the curl command above, and change the header to that under -H.

The “id” part in the output is the one that we need. We will call it YOUR_DOMAIN_ID for the purpose of the rest of this blog.

Once you've the id, you are ready to create the records. This is the place where I used RestClient the most, as the curl errors were random and not descriptive, ranging from

Warning: You can only select one HTTP request!

which I think was some issue with the curl format of payload or combination of options to the usual 500 :!

Fourth and Final step:

Let's create the AAAA DNS record!

Ok, so to create the records, the required info can be put using XML or JSON. I used JSON.

The url is

https://dns.api.rackspacecloud.com/v1.0/YOUR_SERVER_ID/domains/YOUR_DOMAIN_ID/records

Change the method to POST.

And to add a AAAA record, create a JSON payload like this:

{
  "records": [
    { "name": "ipv6.hackalyst.info", "type": "AAAA", "data": "2001:470:1f06:b8c::2" },
    { "name": "ipv6.hackalyst.info", "type": "NS", "data": "dns1.stabletransit.com", "ttl": 3600 },
    { "name": "ipv6.hackalyst.info", "type": "NS", "data": "dns2.stabletransit.com", "ttl": 3600 }
  ]
}

Change the ipv6.hackalyst.info to your domain/subdomain requirements and the data to your required ipv6. Leave the NS data as it is. (I assume you want to add it to your rackspace dns.)

Put the above JSON payload in the Request Body of the RestClient. I had removed the newlines in the actual JSON. Please put your entire JSON in a single line if you face any issues.

And click Send.

Hopefully you should get a GREEN 204 response. This is an asynchronous request to the DNS API, so you can check the status of this request using the url:

https://dns.api.rackspacecloud.com/v1.0/YOUR_SERVER_ID/status

Remember, every call to the rackspace DNS API needs to include the X-Auth-Token header.

Default output/input format is JSON. XML is also available. Please read up the Doc on how to get XML, I didn’t try it.

I hope this works for most of you who need it. Leave a comment if you face any issues. Would be great if someone can provide curl requests for delivering the JSON/XML payload in the POST request!
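
The four steps above as Python request builders. This is an added example, not code from the original post or from Rackspace's documentation; it uses only the endpoints and headers shown in the post, the function names are made up for the example, and the Content-Type and Accept headers on the POST are an assumption. The number the post calls YOUR_SERVER_ID is passed as `account`.

```python
"""Added example: the API steps from this post as offline request builders."""
import json
import urllib.request
from urllib.parse import urlparse

US_AUTH = "https://auth.api.rackspacecloud.com/v1.0"   # from the post
DNS_API = "https://dns.api.rackspacecloud.com/v1.0"    # from the post


def auth_request(user, api_key, auth_url=US_AUTH):
    """Step 2: credentials travel in request headers, never in the URL."""
    return urllib.request.Request(
        auth_url, method="GET",
        headers={"X-Auth-User": user, "X-Auth-Key": api_key})


def parse_auth_headers(raw):
    """Pull the token and the numeric id out of the 204 response headers."""
    hdrs = {}
    for line in raw.strip().splitlines()[1:]:        # skip the status line
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    path = urlparse(hdrs["x-server-management-url"]).path
    return hdrs["x-auth-token"], path.rstrip("/").rsplit("/", 1)[-1]


def domains_request(token, account):
    """Step 3: list the domains on the account."""
    return urllib.request.Request(
        f"{DNS_API}/{account}/domains/", headers={"X-Auth-Token": token})


def domain_id(listing, name):
    """Find the id for `name` in the JSON body returned by step 3."""
    for dom in json.loads(listing)["domains"]:
        if dom["name"].lower() == name.lower():
            return dom["id"]
    raise KeyError(name)


def add_records_request(token, account, dom_id, records):
    """Step 4: POST the records as a JSON body."""
    body = json.dumps({"records": records}).encode("utf-8")
    return urllib.request.Request(
        f"{DNS_API}/{account}/domains/{dom_id}/records",
        data=body, method="POST",
        headers={"X-Auth-Token": token,
                 "Content-Type": "application/json",   # assumed, not in the post
                 "Accept": "application/json"})        # assumed, not in the post


# Constructed from the sample output shown in the post (abridged).
SAMPLE_HEADERS = """HTTP/1.1 204 No Content
X-Auth-Token: THIS-IS-YOUR-AUTH-TOKEN
X-Server-Management-Url: https://servers.api.rackspacecloud.com/v1.0/588177
"""
SAMPLE_DOMAINS = ('{"domains":[{"name":"anshprat.info","id":2791520},'
                  '{"name":"hackalyst.info","id":2791406}],"totalEntries":2}')

if __name__ == "__main__":
    token, account = parse_auth_headers(SAMPLE_HEADERS)
    req = add_records_request(
        token, account, domain_id(SAMPLE_DOMAINS, "hackalyst.info"),
        [{"name": "ipv6.hackalyst.info", "type": "AAAA",
          "data": "2001:470:1f06:b8c::2"}])
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To send for real: urllib.request.urlopen(req)
```

Nothing is sent until a request object is passed to `urllib.request.urlopen`, so the URL, headers and body can be inspected first.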

Before I end the post, I should mention my other attempts of getting the help from the rackspace guys.

I posted a pic to my twitpic account while I contacted the rackspace live chat for the first time. I had put this pic up there as a quick way of sharing it with the customer care person.

Couple of hours later, when I went back to twitter to complain about my failure to create the AAAA record, I found that @rackspace had replied with a support email address. twitter at rackspace dot com.

I immediately sent a mail to the aforesaid address, to which I got a reply. I had already found the RestClient API and managed to get the records added. Had a pleasant conversation with “Waz”, a rackspace engineer or a racker! Raised a ticket about GUI visibility of the records added through the API. Got the response that the AAAA and TXT records don't show up in the GUI yet. These will be visible when the new DNS GUI is generally available.

So overall, a pleasant experience. Looking forward to native ipv6 support soon!

ipv6

Recently I've been hearing a lot about ipv6. And rather, I've seen the crunch of ipv4 addresses in real life. And that's not the only reason why I want to foray into ipv6. It's like the hot thing I am trying to get my hands on right now.
So first and foremost I am trying to use ipv6 in my personal space. Maybe set up my home network on ipv6. And move my blog to an ipv6 host. I am looking for an ipv6 webhost service. The two options I've found first hand are Hurricane Electric and a VPS provider – build your VPS.

Let's just say, this is the first in the series of upcoming posts about my foray into ipv6. Will keep updating things as and when they happen.
Things I want to do:
1) Set up my home network on a high speed wifi (802.11n router)
2) Have a public ipv6 hosted domain.

I guess its time to do what I love.

cheers!
Anshu Prateek