Standard User Woolwich
(experienced) Sun 11-Feb-24 09:13:28

AAAA DNS for IPv6


 
I have IPv6 available with a fixed IP and either a /64 or /48 (still learning...). This is alongside my IPv4 /29 (giving me 5 useable addresses.)

If I was to lose my additional IPv4 addresses could I continue as normal but on IPv6?

With an AAAA record set up to point to a host on my LAN, can everyone on the Interwebs access it? Or does this depend on their ISP providing IPv6 to their connection?

For example I noticed the other day that on a connection via Vodafone mobile I had an IPv4 address but no IPv6. Would that mean I couldn't access any hosts which have an IPv6 address?

Or am I completely misunderstanding AAAA records and the whole IPv6 business?!
Standard User DougM
(committed) Sun 11-Feb-24 09:45:29

Re: AAAA DNS for IPv6


[re: Woolwich]
 
DNS is really just a directory for clients to look up address records (amongst other things). The client must have the underlying connectivity in place to be able to connect to any address returned.

Some IPv4 clients can access IPv6 hosts using bridging protocols (Teredo, etc) or a proxy, but generally speaking an IPv4-only client will not be able to connect to an IPv6 address even if it can look up the address in DNS. The reverse is also true. Clients need to talk the same language to communicate.

-==-
DougM
Standard User Woolwich
(experienced) Sun 11-Feb-24 11:13:52

Re: AAAA DNS for IPv6


[re: DougM]
 
Right so if I set a mailserver on IPv6 I wouldn't be able to get mail on my phone when using Vodafone.
So I still want my extra IPv4 addresses. IPv6 is of no use to me until everyone uses it.

But I do see I am connecting with sites via IPv6 from my landline connection. I guess because I have both IPv4 and 6. But it's of no extra advantage? It's not as if it makes things quicker or more efficient. Or does it?



Standard User Andrue
(eat-sleep-adslguide) Sun 11-Feb-24 16:22:26

Re: AAAA DNS for IPv6


[re: Woolwich]
 
A mail server that was only connected via IPv6 would be severely limited. There are some IPv6 enabled servers around (mine is, GMail is) but most are still only using IPv4.

My mail server is available via both protocols but when I've looked at the logs only a few connections are IPv6. The only advantage to supporting IPv6 is that there might eventually be mail servers that only support that protocol (Asia and Africa I believe are mostly IPv6). Personally I think it'll be a long, long time before mail servers have to support IPv6 and even longer if ever before they can drop IPv4.

---
Andrue Cope
Brackley, UK

Edited by Andrue (Sun 11-Feb-24 16:24:55)

Standard User candlerb
(knowledge is power) Sun 11-Feb-24 18:13:21

Re: AAAA DNS for IPv6


[re: Woolwich]
 
In reply to a post by Woolwich:
With an AAAA record set up to point to a host on my LAN, can everyone on the Interwebs access it? Or does this depend on their ISP providing IPv6 to their connection?

If your server has only an IPv6 address and no IPv4 address, then only clients with an IPv6 address will be able to access it.

To solve this, what I do is to share my one public IPv4 address between multiple servers, using a reverse proxy. There are various options, but I use sniproxy on port 80 and 443, and dnsdist on port 53.

In the DNS, you put your server's own IPv6 address as the AAAA record, and the reverse proxy's IPv4 address in the A record. You then configure the proxy to forward incoming traffic for a given hostname to the appropriate IPv6 address. sniproxy uses the TLS SNI information on port 443, and the HTTP Host: header for port 80.

sniproxy will also work for any protocol which establishes TLS immediately on connection, such as IMAPS on port 995, POP3S on port 993, and SMTPS on port 465. Since it sniffs the TLS information and passes the whole connection on, it does not decrypt the session and does not need its own certificates.

I think haproxy can work in the same way.
Standard User Woolwich
(experienced) Sun 11-Feb-24 18:59:00

Re: AAAA DNS for IPv6


[re: candlerb]
 
In reply to a post by candlerb:
what I do is to share my one public IPv4 address between multiple servers, using a reverse proxy.


Yes, reverse proxy. I've used it on a Synology NAS and it's a bit opaque to me. Or maybe I was asking the Interwebs instead of RTFM. But yes, but no. With two servers I could have my router send requests for the mail server to NAS 1 using port forwarding while NAS 2 takes care of whatever other service I may or may not be using.

So really I can just ignore the whole IPv6 thing and if I lose my extra IPv4s no big deal.
Standard User candlerb
(knowledge is power) Sun 11-Feb-24 20:21:52

Re: AAAA DNS for IPv6


[re: Woolwich]
 
Sure, you can also do the reverse proxy thing with IPv4 only, by forwarding to private IPv4 addresses internally.

You can only have one mail server on port 25 - but you can expose one "public" mail server on port 25, which in turn has rules for forwarding different domains to different internal mail servers.

Where using IPv6 wins is that incoming connections from IPv6 users will bypass the reverse proxy and connect directly to the target server. This has two advantages:

1. less load on the proxy itself (maybe one day dropping to zero, in the long-distant future where everyone has IPv6)

2. better visibility of the source addresses of incoming connections, at least from IPv6 users

There *are* tricks you can use to learn the true source IPv4 address of connections via a proxy. One of those is for your backend server to support the Proxy Protocol, where each TCP connection sends an extra header with the source IP address. But that means modifying your backend services to turn on proxy protocol support (not all do). Another is to embed the source IPv4 address inside a fake IPv6 source address.
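
Both source-address techniques from the post above, as an added Python sketch that is not part of the original post: a backend-side parser for the text (version 1) Proxy Protocol line, and the embedding of an IPv4 source in an IPv6 address. The proxy address, the /96 mapping prefix and the function names are assumptions for illustration. The header is honoured only when the TCP peer is the known proxy, because any direct client could otherwise send a forged line and choose the address that ends up in the logs.

```python
import ipaddress

# Assumed values for illustration (documentation ranges, not from the thread).
TRUSTED_PROXIES = {ipaddress.ip_address("2001:db8::53")}   # the reverse proxy's address
MAP_PREFIX = ipaddress.ip_network("2001:db8:ffff::/96")    # /96 leaves 32 bits for IPv4

def client_address(peer: str, data: bytes):
    """Return (client_ip, payload) for a new connection from socket peer `peer`."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip, data              # direct client: the socket address is the truth
    line, sep, payload = data.partition(b"\r\n")
    if not sep or len(line) > 105:        # a v1 line is at most 107 bytes with CRLF
        raise ValueError("missing or oversized PROXY line")
    parts = line.decode("ascii").split(" ")
    # This sketch accepts only TCP4/TCP6; the "PROXY UNKNOWN" form is rejected.
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY line")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if {src.version, dst.version} != {int(parts[1][3])}:
        raise ValueError("address family does not match header")
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:]):
        raise ValueError("bad port")
    return src, payload

def embed_ipv4(v4: str) -> ipaddress.IPv6Address:
    """Proxy side: carry the IPv4 client address in the low 32 bits of MAP_PREFIX."""
    base = int(MAP_PREFIX.network_address)
    return ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4)))

def recover_ipv4(v6: str):
    """Backend or log side: the IPv4 client behind a mapped source, else None."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in MAP_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
```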