DNS resolver prefers IPv6 CNAME in search list over IPv4 response

hackedd asked:

One of my domains (let's say hackedd.nl) has a catch-all CNAME record pointing to hackedd.nl, which has both A and AAAA records. This all seems to work fine.

However, if the /etc/resolv.conf file on my server has a line specifying search hackedd.nl, the resolver seems to prefer the IPv6 CNAME over an actual IPv4 A reply for servers that don’t have an IPv6 address. For example:

curl -vsI http://security.ubuntu.com/ >/dev/null
* About to connect() to security.ubuntu.com port 80 (#0)
*   Trying 2a02:2770::21a:4aff:fecb:a0f8... connected

Where 2a02:2770::21a:4aff:fecb:a0f8 is the server's own IPv6 address…

Is there any way to make the resolver try IPv4 before trying the search list?

My answer:

This is working as designed.

Preferring IPv6 over IPv4 is the default configuration for most computers. To use IPv4 instead of IPv6, the computer must be specifically set up for this (varies by OS).

If you want specific hostnames to be inaccessible via IPv6, then you’ll have to remove the wildcard CNAME and use records only for the specific hosts you want to be accessible via IPv6.

View the full question and answer on Server Fault.
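To make the mechanism behind the question concrete, here is a small model of what the stub resolver is doing. It is an added illustration, not code from the original question or answer: it qualifies a name with the search list the way resolv.conf(5) describes (the ndots rule), follows CNAMEs including a wildcard, and merges A and AAAA answers with the usual IPv6-first preference. All zone data is constructed for the example; only the IPv6 address is the one from the curl output above, and the IPv4 addresses are RFC 5737 documentation addresses. The per-record-type search walk is a simplification of how real resolvers behave, but it reproduces what the question observed, and it also shows the effect of the fix suggested in the answer (dropping the wildcard CNAME) and of an OS-level IPv4 preference.

```python
"""Model of how a stub resolver qualifies a name with its search list, and how a
wildcard CNAME in a search domain can capture an unrelated hostname.
Added illustration, not from the original post. All records are constructed."""

# Constructed records. hackedd.nl has A and AAAA plus a wildcard CNAME back to
# the apex, as in the question. The AAAA is the address from the question's
# curl output; the A address is a documentation address (RFC 5737).
HACKEDD_ZONE = {
    "hackedd.nl.": {"A": ["192.0.2.10"], "AAAA": ["2a02:2770::21a:4aff:fecb:a0f8"]},
    "*.hackedd.nl.": {"CNAME": ["hackedd.nl."]},
}

# Constructed stand-in for the rest of the DNS: an IPv4-only host. The address
# is a documentation address, not the host's real one.
OTHER_ZONES = {
    "security.ubuntu.com.": {"A": ["198.51.100.7"]},
}


def search_candidates(name, search, ndots=1):
    """Return the fully qualified names a stub resolver would try, in order.

    A trailing dot means "absolute, do not apply the search list". Otherwise a
    name with at least `ndots` dots is tried as-is first and then with each
    search suffix appended; a name with fewer dots gets the suffixes first and
    the bare name last (the classic resolv.conf(5) rule).
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def _find_rrset(records, fqdn, rrtype):
    """Exact owner name first; otherwise the closest enclosing wildcard.

    An existing owner name without the requested type is NODATA and does not
    fall through to the wildcard, which matches RFC 4592 behaviour.
    """
    if fqdn in records:
        return records[fqdn].get(rrtype, [])
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in records:
            return records[wildcard].get(rrtype, [])
    return []


def lookup(fqdn, rrtype, records, max_cnames=8):
    """Resolve fqdn for rrtype, following CNAME chains. Empty list = no answer."""
    for _ in range(max_cnames):
        answers = _find_rrset(records, fqdn, rrtype)
        if answers:
            return list(answers)
        cname = _find_rrset(records, fqdn, "CNAME")
        if not cname:
            return []
        fqdn = cname[0]
    raise RuntimeError("CNAME chain too long")


def resolve(name, search, records, ndots=1, prefer_ipv6=True):
    """Simplified getaddrinfo(AF_UNSPEC): A and AAAA are qualified independently,
    each walking the search list until something answers; the merged addresses
    are then ordered by family preference (IPv6 first by default, as on most
    systems; prefer_ipv6=False models an OS configured to prefer IPv4).
    Returns (queried_name, address) pairs in connection-attempt order."""
    found = {}
    for rrtype in ("AAAA", "A"):
        for candidate in search_candidates(name, search, ndots):
            addrs = lookup(candidate, rrtype, records)
            if addrs:
                found[rrtype] = [(candidate, addr) for addr in addrs]
                break
    order = ("AAAA", "A") if prefer_ipv6 else ("A", "AAAA")
    return [hit for rrtype in order for hit in found.get(rrtype, [])]


if __name__ == "__main__":
    records = {**HACKEDD_ZONE, **OTHER_ZONES}
    search = ["hackedd.nl"]
    print("candidates:      ", search_candidates("security.ubuntu.com", search))
    # Reproduces the question: the AAAA walk hits the wildcard, and IPv6 wins.
    print("with wildcard:   ", resolve("security.ubuntu.com", search, records))
    # The answer's fix: no wildcard CNAME, so only the real A record remains.
    no_wildcard = {k: v for k, v in records.items() if not k.startswith("*.")}
    print("without wildcard:", resolve("security.ubuntu.com", search, no_wildcard))
    # OS-level preference for IPv4 changes the order but not the stray match.
    print("prefer IPv4:     ", resolve("security.ubuntu.com", search, records, prefer_ipv6=False))
```

The first `resolve` call returns the wildcard-captured IPv6 address ahead of the correct IPv4 one, which is exactly the connection attempt curl showed. Note that preferring IPv4 only reorders the list; the search suffix still produces a bogus AAAA answer, so the wildcard CNAME (or the search line) is the thing to fix.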

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.