Disabling IPV6 in .NET Core

dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.

https://docs.microsoft.com/dotnet/core/

MIT License

15.27k stars 4.73k forks source link

Disabling IPV6 in .NET Core #107979

Open ansulhere opened 1 month ago

ansulhere commented 1 month ago

Is there an existing issue for this?

[X] I have searched the existing issues

Describe the bug

On .NET 6 alpine images, the setting to Disable IPv6 has no impact if the remote resource/URL does not have a Quad A DNS record. Such an outbound request fails with System.Net.Http.HttpRequestException: Resource temporarily unavailable (remote_url) Inner Exception : System.Net.Sockets.SocketException (11) : Resource temporarily unavailable.

The following setting "System.Net.DisableIPv6" : true has been tried and this does not seem to have any impact.

For Java applications calling the same remote url, the following setting disables ipv6 attempts and only ipv4 is attempted: ENTRYPOINT ["java", "-Djava.net.preferIPv4Stack=true", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/app.jar"]

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

martincostello commented 1 month ago

Looks like this issue should be transferred to dotnet/runtime as it doesn't appear to be specific to ASP.NET Core.

amcasey commented 1 month ago

Yeah, let's start with runtime, though this may end up on docker-tools.

avarakin commented 1 month ago

I think it needs to be addressed in dotnet/runtime, as @martincostello indicated. The runtime itself should be capable of disabling IPV6 so we do not depend on container or OS configurations, which may not always work, as happened here. P.S. I work for the company (WU) , where this issue was encountered and reported to @ansulhere as a support ticket.

dotnet-policy-service[bot] commented 1 month ago

Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

dotnet-policy-service[bot] commented 1 month ago

Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.

antonfirsov commented 1 month ago

This is an issue in System.Net.NameResolution. When DisableIPv6=true, we are filtering out V6 results after resolution: https://github.com/dotnet/runtime/blob/51bd2b970a90b0c12e59d4b904b9641491cc60af/src/libraries/System.Net.NameResolution/src/System/Net/NameResolutionPal.Unix.cs#L89 https://github.com/dotnet/runtime/blob/51bd2b970a90b0c12e59d4b904b9641491cc60af/src/libraries/System.Net.NameResolution/src/System/Net/NameResolutionPal.Windows.cs#L309

Instead, we should restrict the AF in the getaddrinfo(ex) calls. We should attempt changing this for .NET 10.