Re: [squid-users] Squid Sending AAAA DNS queries

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 28 Jul 2013 00:43:34 +1200

On 27/07/2013 10:57 p.m., Golden Shadow wrote:
> Hi Amos,
>
> Thanks a lot for your detailed reply.
>
> I have disabled IPv6 on my CentOS 6.4 squid server by setting:
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1

Which prevents IPv6 packets going out any of your NICs. That is all.
  * your box is prevented from announcing its existence on the subnet
(IPv6 equivalent of ARP is blocked)
  * your box is prevented testing for duplicate IPv6 assignments on the
subnet (IPv6 equivalent of DHCP auto-assignment fails)
  * attempting to send other packets over IPv6 fails due to lack of the
above.

Result: IPv6 does not work ... "it's disabled!" ... or not.

Meanwhile to all intents and purposes (for inbound traffic) IPv6
functionality is active and responding. Including Squid's probe, which
consists of opening a socket and attempting several basic socket
operations on it to probe the nature of the stack. Given that this is
CentOS you may even see Squid listening on :::3128 and sending/receiving
IPv4 traffic there (IPv6 traffic will arrive, but the SYN-ACK packet
will be dropped ... making the far end hang for *up to 75 seconds*
before it can retry using IPv4).

    ==> IPv6 going slow? Always turns out to be an administrative error
that has incorrectly configured a machine somewhere along the routing
path to play games with IPv6 traffic like the above.

Life Lesson: There is no way to fully disable IPv6 in modern kernels any
more than it is possible to disable IPv4, and for the same reasons.
Short of building that kernel and all software you intend to run on it
specifically without IPv6 capabilities you are stuck with it.

The next closest thing for you however is to do those settings you have
above *AND* to add ipv6.disable=1 as a boot parameter to the kernel
command line which is in /boot/grub/grub.conf (assuming you use GRUB
loader). Then reboot.

> in my sysctl.conf, rebooted the server but still I see AAAA records are being sent out by squid!

Because DNS is using IPv4 to send them. IPv4 is still enabled on your
network. Best turn that off too!
   (sorry could not resist, spent far too much time trolling through
forums of people with stupid reasons for disabling IPv6 to find that
kernel setting again).

Amos
Received on Sat Jul 27 2013 - 12:43:49 MDT
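
Added example (not part of the original message, and not Squid's own code): a Python approximation of the kind of socket probe described above, paired with a read of the two sysctls and the ipv6.disable=1 boot parameter, to show when a host is only "half-disabled". The function names, result keys and the three state labels are assumptions made for this illustration.

```python
import socket
from pathlib import Path


def probe_ipv6_stack():
    """Open an AF_INET6 socket and try basic operations on it."""
    result = {"socket": False, "v6only_toggle": False, "bind_wildcard": False}
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except (OSError, AttributeError):
        return result  # no AF_INET6 sockets are available to this process
    with s:
        result["socket"] = True
        try:  # can the socket be switched to dual-stack (v4-mapped) mode?
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            result["v6only_toggle"] = True
        except (OSError, AttributeError):
            pass
        try:  # wildcard bind on an ephemeral port; nothing is sent
            s.bind(("::", 0))
            result["bind_wildcard"] = True
        except OSError:
            pass
    return result


def read_host_settings(proc="/proc"):
    """Read the two sysctls quoted in the message plus the kernel command line."""
    root = Path(proc)

    def sysctl(name):
        try:
            return (root / "sys/net/ipv6/conf" / name / "disable_ipv6").read_text().strip()
        except OSError:
            return None  # sysctl entry not readable or not present

    try:
        cmdline = (root / "cmdline").read_text().split()
    except OSError:
        cmdline = []
    return {"all": sysctl("all"), "default": sysctl("default"),
            "boot_disabled": "ipv6.disable=1" in cmdline}


def classify(settings, probe):
    """Compare what the admin configured with what the probe observes."""
    if not probe["socket"]:
        return "absent"  # the probe cannot even open a socket
    if "1" in (settings["all"], settings["default"]):
        return "half-disabled"  # sysctl says off, yet sockets still open
    return "enabled"


if __name__ == "__main__":
    settings, probe = read_host_settings(), probe_ipv6_stack()
    print(settings, probe, classify(settings, probe))
```

A "half-disabled" result is the situation the message warns about: software that probes the stack still sees IPv6 as usable while outbound IPv6 packets are blocked.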
