celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.82k stars, 144 forks

IPv6 not preferred #1253

Open celle1234 opened 6 months ago

celle1234 commented 6 months ago

I have a Google Pixel 6a with Android 14. I want IPv6 to be preferred, as in any other operating system. If I use DNS mode only, IPv6 is preferred. If I use DNS and firewall mode, IPv6 is not preferred anymore, but it works if an address is IPv6 only. I think it is because of the ULA address of the VPN interface and the routing decision of Android, like Linux with /etc/gai.conf.

For testing I changed the template for the IPv6 address in app/src/main/java/com/celzero/bravedns/service/BraveVPNService.kt

```kotlin
// IPv6 vpn constants
// Randomly generated unique local IPv6 unicast subnet prefix, as defined by RFC 4193.
//private const val IPV6_TEMPLATE: String = "fd66:f83a:c650::%d"
private const val IPV6_TEMPLATE: String = "2001:db8::%d"
private const val IPV6_PREFIX_LENGTH: Int = 64
//private const val IPV6_PREFIX_LENGTH: Int = 120
```

This seems to work now. IPv6 is preferred if a name is dual stack.

But then there is another problem. The overview shows that I use the fallback DNS. In the normal logs it seems that the system DNS is used as expected.

ignoramous commented 6 months ago

> 2001:db8::

Hmmm... but this isn't a valid global unicast IPv6 address, either.

> The overview shows that I use the fallback DNS. In the normal logs it seems that the system DNS is used as expected.

celle1234 commented 6 months ago

> 2001:db8::
>
> Hmmm... but this isn't a valid global unicast IPv6 address, either.

Yes, I know that this is an address for documentation, but I need a global unicast address which is not used somewhere else. Teredo addresses (2001::/32) do not work. What is a possible global unicast address which is not used somewhere?

> The overview shows that I use the fallback DNS. In the normal logs it seems that the system DNS is used as expected.
>
> * Does this never go away? As in, is it shown only for a brief amount of time or forever?
>
> * What DNS are you using?

I use my local dnsmasq on the OpenWrt router, which forwards traffic to a local unbound. It is queried via IPv4, so I have better stats because of privacy extensions in IPv6.

For me it seems to be a UI error, because in the stats the queried DNS server is shown.

ignoramous commented 6 months ago

> I use my local dnsmasq on the OpenWrt router, which forwards traffic to a local unbound

Are you using it as "System DNS" or setting up a new "DNS Proxy" instance that connects to dnsmasq?

> For me it seems to be a UI error

Likely. Fallback DNS is only used when the user-selected DNS cannot be set up. This instance should be rare except for "System DNS".

celle1234 commented 6 months ago

> Are you using it as "System DNS" or setting up a new "DNS Proxy" instance that connects to dnsmasq?

I use the system DNS option. If I set my local DNS via "other DNS" there is no error shown, but as it is a local DNS it does not help when I am not at home.

> > For me it seems to be a UI error
>
> Likely. Fallback DNS is only used when the user-selected DNS cannot be set up. This instance should be rare except for "System DNS".

The error about using the fallback does not go away, but it works. Another thing I should mention: if I start the DNS/firewall service, the error comes after some time. If I change the visible app to another and then back, the error is shown immediately.

If I change the code in app/src/full/java/com/celzero/bravedns/ui/fragment/HomeScreenFragment.kt so that the error is not shown, the speed of the DNS server sometimes changes. I don't understand the code for the UI. Changing the timeouts does not help.

```kotlin
if (VpnController.isOn()) {
    val status = VpnController.getDnsStatus(id)
    // status null means the dns transport is not available / different id is used
    if (status == null) {
        if (retryCountForDnsStatus < 5) {
            retryCountForDnsStatus++
            delay(TimeUnit.SECONDS.toMillis(1), lifecycleScope) {
                if (isAdded) {
                    updateUiWithDnsStates(dnsName)
                }
            }
        }
        //b.fhsCardDnsLatency.visibility = View.VISIBLE
        //b.fhsCardDnsFailure.visibility = View.GONE
        b.fhsCardDnsLatency.visibility = View.GONE
        b.fhsCardDnsFailure.visibility = View.VISIBLE
        b.fhsCardDnsFailure.text = getString(R.string.failed_using_default)
        b.fhsCardDnsLatency.isSelected = true
    } else {
        b.fhsCardDnsLatency.visibility = View.VISIBLE
        b.fhsCardDnsFailure.visibility = View.GONE
    }
}
```

Also, if the error about the fallback DNS is shown, disabling and re-enabling the DNS/firewall does not help. Only changing the DNS to something other than system DNS works (also a custom DNS which is the IP of the system DNS).

Regardless of the status in the UI, the system DNS seems to work.

ignoramous commented 6 months ago

Thanks, we'll take a look.

celle1234 commented 5 months ago

I think we should use a global IPv6 address which is not used anywhere for production. According to https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml the best I can find is the range for benchmarking, 2001:2::/48. What do you think?

ignoramous commented 5 months ago

Rethink adds the default IPv6 route :: and that should be enough, no? Also: I don't see how assigning a public IPv6 address to the VPN interface changes anything. Typically, on a dual-stack network, the preference for v4 vs v6 is determined by Happy Eyeballs v2 / v3.

celle1234 commented 5 months ago

The problem is https://www.rfc-editor.org/rfc/rfc6724#section-2.1. The default policy table prefers IPv4 over IPv6 ULA addresses.

Does default IPv6 selection work for you for a dual-stacked site like http://dual.tlund.se/ ?
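The RFC 6724 behaviour described in this thread can be reproduced with a small model. The following is an added example, not code from rethink-app: it encodes the Section 2.1 default policy table and applies only destination Rule 5 (prefer a matching label) and Rule 6 (prefer higher precedence), which are the two rules that decide the v4-vs-v6 ordering here. The other RFC 6724 rules (scope, reachability, deprecated addresses, full source selection) are omitted, source selection is simplified to "first address of the same family", and all host and target addresses are constructed from documentation and private ranges.

```python
"""Added example: a minimal model of RFC 6724 default address selection, showing why a
ULA-only VPN interface makes the resolver order IPv4 ahead of IPv6 for dual-stack names.
Not part of rethink-app; only Rules 5 and 6 of destination selection are modelled."""
import ipaddress

# RFC 6724 Section 2.1 default policy table: (prefix, precedence, label)
DEFAULT_POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def to_v6(addr):
    """Return addr as an IPv6Address. IPv4 is represented as IPv4-mapped
    (::ffff:a.b.c.d), which is how RFC 6724 treats IPv4 sources and destinations."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def lookup_policy(addr):
    """Longest-prefix match of addr against the policy table -> (precedence, label)."""
    ip = to_v6(addr)
    best = None
    for prefix, precedence, label in DEFAULT_POLICY_TABLE:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]


def pick_source(dest, sources):
    """Simplification (assumption) of RFC 6724 source selection: the first candidate
    source of the same address family as dest, or None if the host has none."""
    family = ipaddress.ip_address(dest).version
    for src in sources:
        if ipaddress.ip_address(src).version == family:
            return src
    return None


def order_destinations(destinations, sources):
    """Order candidate destination addresses as a resolver applying RFC 6724
    Rules 5 and 6 would; destinations with no usable source sort last."""
    def sort_key(dest):
        src = pick_source(dest, sources)
        if src is None:
            return (0, 0, 0)
        dest_precedence, dest_label = lookup_policy(dest)
        _, src_label = lookup_policy(src)
        # Rule 5 (label match) is decided before Rule 6 (precedence) is consulted
        return (1, int(dest_label == src_label), dest_precedence)
    return sorted(destinations, key=sort_key, reverse=True)


if __name__ == "__main__":
    # Constructed dual-stack target using documentation addresses (RFC 3849 / RFC 5737)
    dual_stack_host = ["2001:db8:1::1", "192.0.2.10"]
    # Constructed local addresses: a tunnel that only provides a ULA (fc00::/7, label 13) ...
    ula_only = ["fd66:f83a:c650::1", "10.0.0.2"]
    # ... versus one with a global-scope IPv6 address (::/0, label 1)
    global_v6 = ["2001:db8::1", "10.0.0.2"]
    print("ULA source   :", order_destinations(dual_stack_host, ula_only))
    print("global source:", order_destinations(dual_stack_host, global_v6))
```

With the ULA source, the IPv6 destination (label 1) and the ULA source (label 13) have mismatched labels while the IPv4 pair both carry label 4, so Rule 5 puts IPv4 first before precedence is ever compared; with a global-scope source both pairs match and Rule 6 lets IPv6 (precedence 40) beat IPv4-mapped (precedence 35). The 2001:2::/48 benchmarking prefix proposed above falls outside the 2001::/32 Teredo entry, so it gets the same precedence 40 / label 1 as any other global address in this table.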