FRITZ!Box and DynDNS and IPv6
Here is a very interesting security feature of the FRITZ!Box you might run into if you use a DynDNS service with IPv6. At first I thought the DynDNS service wasn't working correctly. It turned out, however, that this is a security feature.
Let's say you have an ISP which provides you with a native IPv6 connection. You'll receive an IPv6 prefix, e.g. 2001:DB8:1234:5600::/56. But this prefix is not static; it changes over time, e.g. every time you reconnect. So you still need a DynDNS service which maps your current globally routable IPv6 address to a nice name.
While the configuration of the DynDNS service works like a charm, using it later on from within your own network (behind the FRITZ!Box) does not work: the dynamic domain name won't resolve. You'll just see a timeout and in the end the software will tell you "Host not found". If you try it from the command line, e.g. with host hostname.dyndns.example.com, you'll notice an error like "No DNS servers were reachable". However, if you try to resolve the name from outside your network, it just works and resolves to your local (but still globally routable) IPv6 address.
After a lot of digging, I found the answer on superuser.com:
For safety reasons, no DNS resolution of private IP addresses
If a DNS query from a DNS server on the Internet is answered with an IP address from the FRITZ!Box home network, the FRITZ!Box does not forward this DNS reply to the network device. This is a security feature of the FRITZ!Box to protect you from so-called “DNS rebinding attacks”
This applies to IPv6 addresses, too: the answer points into the prefix currently delegated to your FRITZ!Box, so it is treated like a private address and the reply is dropped. Luckily there is a configuration option to exclude specific domain names from this filter, described below. [Screenshot of the FRITZ!Box configuration dialog]
You can reach this configuration option in the advanced view ("Ansicht: Erweitert") via: Home Network ("Heimnetz"), the tab Network Settings ("Netzwerkeinstellungen"); scroll down to the Domain Name Exceptions field ("Domainname-Ausnahmen"). Keep this list short and only add names whose DNS records you control: for every name on it, the router will again forward answers pointing into your home network, which is exactly the rebinding scenario the filter is meant to prevent.
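As an added example (not part of the original post and not AVM firmware code), here is a small Python model of the filter quoted above together with the exception list from the configuration step. It assumes that the router compares every A/AAAA answer against the RFC 1918 ranges, the IPv6 ULA and link-local ranges and the prefix currently delegated by the ISP, and that an entry in "Domain Name Exceptions" covers the exact name and its subdomains; the post does not state the matching rule, so that part is an assumption. The addresses and hostname are constructed sample data using the documentation prefix from the post.

```python
"""
Model of the FRITZ!Box "no DNS resolution of private IP addresses" filter.

Added illustration, not AVM's firmware code. Assumptions (not stated on
the page): answers are compared against RFC 1918, IPv6 ULA/link-local and
the currently delegated ISP prefix; an entry in "Domain Name Exceptions"
covers the exact name and its subdomains.
"""
import ipaddress
from typing import Iterable, List

# Static "home network" ranges: IPv4 private, IPv6 ULA and link-local.
STATIC_HOME_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def home_networks(delegated_prefix: str) -> list:
    """Static ranges plus the (changing) prefix the ISP delegated this time."""
    return STATIC_HOME_NETWORKS + [ipaddress.ip_network(delegated_prefix)]


def is_home_address(addr: str, delegated_prefix: str) -> bool:
    """True if an answered address points into the home network."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False for mismatched address families, so mixing v4/v6 is safe.
    return any(ip in net for net in home_networks(delegated_prefix))


def is_excepted(name: str, exceptions: Iterable[str]) -> bool:
    """Assumed matching rule: an exception entry covers the name and its subdomains."""
    n = name.rstrip(".").lower()
    for entry in exceptions:
        e = entry.rstrip(".").lower()
        if n == e or n.endswith("." + e):
            return True
    return False


def filter_answer(name: str, answers: Iterable[str],
                  delegated_prefix: str, exceptions: Iterable[str] = ()) -> List[str]:
    """Records a client behind the FRITZ!Box gets to see.

    An empty result models the behaviour from the post: the reply is not
    forwarded, the client times out and reports "Host not found".
    """
    if is_excepted(name, exceptions):
        return list(answers)
    return [a for a in answers if not is_home_address(a, delegated_prefix)]


if __name__ == "__main__":
    # Constructed sample: documentation prefix from the post, a server inside it.
    prefix = "2001:db8:1234:5600::/56"
    name = "hostname.dyndns.example.com"
    reply = ["2001:db8:1234:5601::10"]
    print("without exception:", filter_answer(name, reply, prefix))
    print("with exception:   ", filter_answer(name, reply, prefix, [name]))
```

Run it as is to see the DynDNS answer vanish without the exception and come back once the name is listed; swapping in a prefix other than the delegated one shows why the very same answer passes when queried from outside.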
By the way, the great thing about IPv6 is that you use the same address whether you are inside your network or outside. So you can reach your server via the same DynDNS hostname, and if you are inside your network the access is simply faster, because the packets flow directly to the server. That's unfortunately not possible with IPv4, because you usually don't get several globally routable addresses but only one, and your server sits behind a NAT router.
Comments
h1rokun
Thanks a lot for this, I was wondering why my IPv6 DNS would resolve outside my network but not from within.
moussa ndiaye
God bless you. You saved my head. I just found a solution to my problem that I could not solve for 4 days.