IPv6 benefits?

bikegremlin Moderator OG
edited December 2019 in Technical

The hosting provider I'm with has enabled the use of IPv6.

I'm using Cloudflare DNS - if that's relevant.

Is there any benefit of adding the appropriate IPv6 (AAAA) DNS records?
Are there any potential complications involved with that?

EDIT:
IPv4 is also still provided with the hosting provider - to avoid any misunderstanding.

BikeGremlin I/O
Mostly WordPress ™

Comments

  • Clouvider Hosting Provider OG

    The benefit is that it didn’t run out ;-).

    And sure, go for it, activate :-)!

    Thanked by (2)bikegremlin WSS
  • @Clouvider said:
    The benefit is that it didn’t run out ;-).

    And sure, go for it, activate :-)!

    Edited the original post - for now IPv4 is still also supported with the provider. So it's not a forced move.

    If there are no (potential) downsides, it's a go. :)


  • Emmet OG
    edited December 2019

    For bandwidth-intensive applications, several networks (especially academic networks) offer unlimited IPv6 throughput. It's generally considered standard practice to offer IPv6 storage repositories for transferring data within the academic community (developed nations). Other transit providers, such as HE.net, do not charge for IPv6 transit.

    For security through obscurity purposes, there are significantly fewer port and vulnerability scanners on IPv6 services, such as SSH. If you're getting DDoSed, odds are your server is still accessible by IPv6 because the hosting provider will only null-route the IPv4, allowing you to serve the website, FTP, SSH, etc. via IPv6. If you're hiding behind Cloudflare, this means your website would still work over IPv6, even if your website doesn't have a working IPv4 address. Furthermore, most script kiddies don't know how to DDoS IPv6 services and most software allowing for DDoS isn't written with IPv6 DDoS in mind, stopping attacks from stupid people. There are fewer IPv6-supporting vulnerable DNS and NTP servers that can support a DNS reflection attack too, so any attack on IPv6 addresses would probably be smaller, by a significant magnitude.

    By adopting IPv6, you help spur further adoption, encouraging other ISPs to offer IPv6 to their customers. Making your low-end site IPv6 accessible might be a tiny part of the equation, but it adds up in world-wide service scans that create statistics enabling a business-case for IPv6. It's also futureproofing. Furthermore, each website can get its own IPv6 address.

  • bikegremlin Moderator OG
    edited December 2019

    @Emmet said:
    For bandwidth-intensive applications, several networks (especially academic networks) offer unlimited IPv6 throughput. It's generally considered standard practice to offer IPv6 storage repositories for transferring data within the academic community (developed nations). Other transit providers, such as HE.net, do not charge for IPv6 transit.

    For security through obscurity purposes, there are significantly fewer port and vulnerability scanners on IPv6 services, such as SSH. If you're getting DDoSed, odds are your server is still accessible by IPv6 because the hosting provider will only null-route the IPv4, allowing you to serve the website, FTP, SSH, etc. via IPv6. If you're hiding behind Cloudflare, this means your website would still work over IPv6, even if your website doesn't have a working IPv4 address. Furthermore, most script kiddies don't know how to DDoS IPv6 services and most software allowing for DDoS isn't written with IPv6 DDoS in mind, stopping attacks from stupid people.

    By adopting IPv6, you help spur further adoption, encouraging other ISPs to offer IPv6 to their customers. Making your low-end site IPv6 accessible might be a tiny part of the equation, but it adds up in world-wide service scans that create statistics enabling a business-case for IPv6. It's also futureproofing.

    Yes, for the moment I'm using Cloudflare as both DNS and a proxy.
    However, the server's connection to Cloudflare's servers is done over IPv4 (because I've only used A records, not AAAA).

    Do you suggest it's better to keep both A and include AAAA, or get rid of A records altogether (or is it irrelevant if using Cloudflare as a proxy)?

    Same question for websites not using the Cloudflare proxy - use both IPv4 and IPv6, or get rid of IPv4 altogether?

    I suppose it's best to keep IPv4 as well for the time being, but I suppose it doesn't hurt to ask - being far from an expert.


  • Daniel OG
    edited December 2019

    If you use IPv6 at home, you don't need to use NAT - each device gets its own IP address. Similarly, on VPSes it's very useful if you have multiple Docker or LXC containers as each one can get its own public IP. That's assuming your provider gives you a routed subnet rather than just one address - any provider that knows what they're doing should be including a routed /64 subnet with every VPS.

    SLAAC means IPv6 addresses can be autoconfigured without having to use DHCP.

  • @bikegremlin said: Do you suggest it's better to keep both A and include AAAA, or get rid of A records all together (or is it irrelevant if using Cloudflare as a proxy)?

    Personally I'd get rid of the A record altogether and only use the AAAA record. However, the issue with that is if your server doesn't have good connectivity to a Cloudflare PoP, you would degrade service quality. However, this is exceptionally rare. Once the traffic hits a Cloudflare PoP, it's not a big deal since they can serve the content over IPv4 and IPv6 from their own enhanced network.

    Adding onto my previous points, the awesome part of IPv6 is each website you run can get its own IPv6 Interface, so set separate IPv6 AAAA records for each site with a unique IPv6 address.

  • @Daniel said:
    If you use IPv6 at home, you don't need to use NAT - each device gets its own IP address. Similarly, on VPSes it's very useful if you have multiple Docker or LXC containers as each one can get its own public IP. That's assuming your provider gives you a routed subnet rather than just one address - any provider that knows what they're doing should be including a routed /64 subnet with every VPS.

    SLAAC means IPv6 addresses can be autoconfigured without having to use DHCP.

    Didn't note that, sorry, my bad: I'm using shared (reseller) hosting, not a VPS.
    If that makes any difference regarding this topic.


  • edited December 2019

    @bikegremlin said: Didn't note that, sorry, my bad: I'm using shared (reseller) hosting, not a VPS.
    If that makes any difference regarding this topic.

    Just let Cloudflare handle everything; Cloudflare would have given you a sort of virtual IPv6 address. If site visitors can only access IPv6, Cloudflare would proxy the request for them and allow them to browse your site with IPv6. Shared hosting with a panel is meant to be simple and hassle-free. Don't overthink too much when you're dealing with shared hosting.

    Thanked by (2)bikegremlin Emmet
  • Recently my home ISP had an issue that only affected IPv4 - I could still SSH/access all my servers as they have IPv6. Browsing IPv6 still worked, but v4 was down for about an hour.

    I realise that's an unusual case, but I'm counting it as a benefit ;)

    Thanked by (1)bikegremlin
  • FHR Hosting Provider OG
    edited December 2019

    @bikegremlin said: Edited the original post - for now IPv4 is still also supported with the provider. So it's not a forced move.

    You have to think about the consumer ISP side of things as well though. Some ISPs are v6 only, relying on mechanisms such as 464XLAT and/or CG-NAT to provide IPv4 connectivity. Leveraging native IPv6 means you get to skip having to go through the NAT appliance, potentially improving performance for the end user (albeit very marginally).

    @Emmet said: Other transit providers, such as HE.net do not charge for IPv6 transit.

    HE's throughput is pretty bad and their IX ports are congested at times, mind you. So IPv4 might actually be much faster.

    Thanked by (2)bikegremlin Daniel

    SkylonHost.com High Bandwidth European Cloud KVM | AS202297

  • If you can, just enable it, of course. Otherwise, not really a benefit.

    Thanked by (1)bikegremlin
  • @Neoon said:
    If you can, just enable it, of course. Otherwise, not really a benefit.

    For all I know, Cloudflare already has it enabled for visitor connection to their servers.

    Connection from CF servers to hosting server is IPv4 for now.

    To enable IPv6 connection from hosting to CF servers, I'd (only) need to add matching AAAA records.


  • @bikegremlin said:

    For all I know, Cloudflare already has it enabled for visitor connection to their servers.

    Connection from CF servers to hosting server is IPv4 for now.

    To enable IPv6 connection from hosting to CF servers, I'd (only) need to add matching AAAA records.

    I'd rather not enable v6 when native is not available than use Cloudflare, for reasons.

  • @Neoon said:

    I'd rather not enable v6 when native is not available than use Cloudflare, for reasons.

    Native is (now) enabled by the hosting provider.
    Using Cloudflare for other reasons, not for IPv6 connectivity. But it apparently handles that as well.


  • @bikegremlin said:

    Native is (now) enabled by the hosting provider.
    Using Cloudflare for other reasons, not for IPv6 connectivity. But it apparently handles that as well.

    When I need to cache content, I just use BunnyCDN, which has privacy-friendly options, and I know who runs and owns it.
    And I see no direct point in hiding your webserver IP; it even breaks TLS at Cloudflare, which inspects all the data, which also breaks the whole concept of TLS.

    Thanked by (1)bikegremlin
  • bikegremlin Moderator OG
    edited December 2019

    @Neoon said:

    When I need to cache content, I just use BunnyCDN, which has privacy-friendly options, and I know who runs and owns it.
    And I see no direct point in hiding your webserver IP; it even breaks TLS at Cloudflare, which inspects all the data, which also breaks the whole concept of TLS.

    Depends on the use case. For my use, the free option provided by CF does more good than harm.

    Or, looking at it from another angle: in the whole mass surveillance banquet, it doesn't make any difference whether a small website from Serbia is also monitored.
    Same goes for using Google AMP.

    EDIT: did check out the BunnyCDN. Looks fine - for an ecommerce site for example, it would surely be a good option.


  • @bikegremlin said:

    Depends on the use case. For my use, the free option provided by CF does more good than harm.

    Or, looking at it from another angle: in the whole mass surveillance banquet, it doesn't make any difference whether a small website from Serbia is also monitored.
    Same goes for using Google AMP.

    EDIT: did check out the BunnyCDN. Looks fine - for an ecommerce site for example, it would surely be a good option.

    There is a difference between metadata and reading all of its contents.
    So no.

  • @Neoon said:

    There is a difference between metadata and reading all of its contents.
    So no.

    Not sure I follow.

    How would I get any problems, or how would Cloudflare get any benefits from reading my website data?
    It is all publicly published anyway.
    Passwords used are unique for the website. It would be suicidal for their business plan to abuse those.
    Emails?
    Didn't get any spam so far, after now about 2 years of using the service, so guess emails aren't sold in that way, not yet.

    What should I be wary about?

    For all I know, unlike Google, CF's business plan is based on upsells, not on selling customer data.

    Also, if using any sort of social network, mobile phone and paying with a card - that should provide more than enough meta data for anyone interested. While being very hard to avoid using these days.


  • @bikegremlin said:

    Not sure I follow.

    How would I get any problems, or how would Cloudflare get any benefits from reading my website data?
    It is all publicly published anyway.
    Passwords used are unique for the website. It would be suicidal for their business plan to abuse those.
    Emails?
    Didn't get any spam so far, after now about 2 years of using the service, so guess emails aren't sold in that way, not yet.

    What should I be wary about?

    For all I know, unlike Google, CF's business plan is based on upsells, not on selling customer data.

    Also, if using any sort of social network, mobile phone and paying with a card - that should provide more than enough meta data for anyone interested. While being very hard to avoid using these days.

    https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/

    It does not matter what kind of website you are running; just run it without Cloudflare. I see no point in using it.

    Thanked by (1)bikegremlin
  • @Neoon said:

    https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/

    It does not matter what kind of website you are running, just run it without cloudflare, I see no point using it.

    I am aware the data is decrypted on their servers, then re-encrypted on.
    My websites work perfectly fine with Tor Browser - no captchas. I suppose this goes when you enable "I'm under attack" mode.

    I have set it all up so that I can switch back to using CF as a DNS only, or even completely switch from it to another (free) DNS service (Hurricane Electric is my first pick - are there any problems with that one?).

    But so far, I'm yet to experience any downsides of CF, at least for my use case.


  • Neoon OG
    edited December 2019

    There was a discussion on LET about HE, that some results got manipulated, so I would not recommend using them.
    I mostly use my own DNS servers, besides Rage4, which is paid; maybe try:

    https://freedns.afraid.org/
    https://zilore.com/en

    These days you can spend $15/y and get 2 KVMs, put NSD on them, and you are set.

    Thanked by (1)bikegremlin
  • @Neoon said:
    There was a discussion on LET about HE, that some results got manipulated, so I would not recommend using them.

    In which way would HE manipulate the DNS?

    (can’t find the thread on the other side)

  • Neoon OG
    edited December 2019

    @debaser said:

    In which way would HE manipulate the DNS?

    (can’t find the thread on the other side)

    It was a while back; the issue was that HE responded to non-existent entries on their public DNS servers basically with their own.
    That's what some ISPs do if you are using the default DNS servers; they simply should not do that.

    If a subdomain or domain does not exist, it should not result in a response.
    People talked about this on LET, but I cannot find it now.

    Thanked by (2)Daniel debaser
  • @Neoon said:

    It was a while back; the issue was that HE responded to non-existent entries on their public DNS servers basically with their own.
    That's what some ISPs do if you are using the default DNS servers; they simply should not do that.

    If a subdomain or domain does not exist, it should not result in a response.
    People talked about this on LET, but I cannot find it now.

    Test samples are important. When I find a problem, I (most often, unless it's really minor and I won't bother) write down how to reproduce it and confirm. That usually helps with troubleshooting.


  • I have a domain hosted on HE's DNS, and it replies correctly with Non-existent domain.
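    The behaviour discussed above (a resolver answering names that do not exist with its own addresses instead of NXDOMAIN) can be checked with a small probe. This is an added example, not code from anyone in the thread; it assumes the zone example.com has no wildcard record, takes the resolver IP as a command-line argument, and the constructed_response helper builds sample replies (labelled constructed) so the parser can be exercised offline.

```python
"""Probe a recursive resolver with a random, unregistered name and classify the
reply: an honest resolver returns NXDOMAIN; one that "responds with its own"
addresses (as described above) returns rcode 0 plus an A/AAAA answer."""
import random
import socket
import string
import struct
import sys

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Encode a minimal DNS query (one question, RD=1) for `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def classify_response(msg):
    """Parse a DNS response; report rcode, any A/AAAA answers and a verdict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, answers = flags & 0xF, 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    # rcode 3 (NXDOMAIN) is the correct reply for a name that does not exist;
    # rcode 0 together with an address means the resolver invented one.
    verdict = {3: "nxdomain"}.get(rcode, "rcode%d" % rcode)
    if rcode == 0:
        verdict = "synthesized" if answers else "nodata"
    return {"txid": txid, "rcode": rcode, "answers": answers, "verdict": verdict}


def constructed_response(name, rcode, addresses=()):
    """Constructed (not captured) reply to a query for `name`, for offline checks."""
    rrs = b""
    for addr in addresses:
        fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
        rdata = socket.inet_pton(fam, addr)
        rtype = TYPE_AAAA if fam == socket.AF_INET6 else TYPE_A
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addresses), 0, 0)
    return header + build_query(name)[12:] + rrs


def probe_resolver(resolver_ip, zone="example.com", timeout=3.0):
    """Ask `resolver_ip` for a random label under `zone` (assumed to have no wildcard)."""
    name = "".join(random.choice(string.ascii_lowercase) for _ in range(12)) + "." + zone
    txid = random.randrange(1 << 16)
    family = socket.AF_INET6 if ":" in resolver_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, TYPE_A, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    result = classify_response(data)
    result["name"] = name
    if result["txid"] != txid:
        result["verdict"] = "txid-mismatch"  # reply does not belong to our query
    return result


if __name__ == "__main__":
    print(probe_resolver(sys.argv[1]))  # argument: IP of the resolver to check
```

    Run it a few times against the resolver in question: a verdict of "nxdomain" every time is the expected behaviour, while "synthesized" with the same address each run is the substitution described above.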

  • edited December 2019

    I think we'll all be dead when IPv6 goes fully mainstream.
    Like in more than 25-50 years or so.

    Anyhow, @bikegremlin you remind me of Bandits Phoenix Rising (Бандиты Безумный Маркс).
    Of which I am unable to find the Linux port, and Wine does a terrible, horrible ~0.3fps job in this particular case; can't get past the menu, which itself is at such low fps.
    I found only a screenshot of the Linux game loader... So it existed, at least as a beta of some sort.

    Educationally teaches you with knowledge, while you learn and conglomeratively alluminate your academic intellectual profile: https://lowend.wiki
    „Homo homini rattus.“

  • Neoon OG
    edited December 2019

    @bikegremlin said:

    Test samples are important. When I find a problem, I (most often, unless it's really minor and I won't bother) write down how to reproduce it and confirm. That usually helps with troubleshooting.

    I read about it, that's all; if you want test samples, then look out for the original thread.

    Thanked by (1)bikegremlin
  • @Janevski said:
    I think we'll all be dead when IPv6 goes fully mainstream.
    Like in more than 25-50 years or so.

    Anyhow, @bikegremlin you remind me of Bandits Phoenix Rising (Бандиты Безумный Маркс).
    Of which I am unable to find the Linux port, and Wine does a terrible, horrible ~0.3fps job in this particular case; can't get past the menu, which itself is at such low fps.
    I found only a screenshot of the Linux game loader... So it existed, at least as a beta of some sort.

    Don't understand the second paragraph.


  • edited December 2019

    @bikegremlin said:
    Don't understand the second paragraph.

    The cog in your avatar reminds me of a game.

    Basically, it's all shit (posting) and the universe is my canvas.
    And if something good ever comes out of it, I'll be happy.
    It will be funny in the olden days, when dementia and smells set in.
    Besides, what's the point of liberty if one can't live it, freely?
    Everything is interleaved now; man can't even find a decent cabbage.
    It's all spliced and interpolated together.

    In the words of the great thinker, @deank, "The end is, approximately, five to twelve."
    So, it's the little things... but, does it even matter?

    Thanked by (1)bikegremlin


  • I use IPv6 to serve SSH and WireGuard. This way my IPv4 only has HTTP. Very comfy.
