IPv6 DNS failures can be frustrating and difficult to diagnose. When AAAA record queries fail or time out, users may experience slow page loads, connection errors, or complete inability to reach IPv6-enabled websites. This guide provides a comprehensive approach to diagnosing and resolving IPv6 DNS issues.
IPv6 DNS failures typically manifest in several ways:
Before diving into complex troubleshooting, start with a quick connectivity check:
Visit test-ipv6.run to run a comprehensive IPv6 connectivity test. This tool will:
If the test shows "broken IPv6" (IPv6 configured but timing out), DNS issues are likely a symptom of broader IPv6 connectivity problems.
Test basic DNS resolution for both protocols:
# Test IPv4 DNS resolution
dig A google.com
# Test IPv6 DNS resolution
dig AAAA google.com
# Force query over IPv6 transport
dig -6 AAAA google.com
If IPv4 works but IPv6 fails or times out, you have an IPv6-specific DNS issue.
The dig command is the most powerful tool for DNS troubleshooting:
# Query AAAA record for a domain
dig AAAA example.com
# Query using a specific DNS server over IPv6
dig -6 AAAA example.com @2001:4860:4860::8888
# Trace the full resolution path
dig +trace AAAA example.com
# Check DNSSEC validation
dig +dnssec AAAA example.com
# Show which DNS server responded
dig +nsid AAAA example.com
# Get detailed timing information
dig +stats AAAA example.com
For Windows users or simpler queries:
# Basic AAAA query
nslookup -type=AAAA example.com
# Query specific DNS server
nslookup -type=AAAA example.com 2001:4860:4860::8888
# Interactive mode for multiple queries
nslookup
> set type=AAAA
> server 2001:4860:4860::8888
> example.com
Linux/macOS:
# View configured DNS servers
cat /etc/resolv.conf
# macOS-specific DNS configuration
scutil --dns
# Check IPv6 routing
ip -6 route | egrep -i "default|2000::/3"
# Test connectivity to DNS server
ping6 2001:4860:4860::8888
Windows:
# Show DNS server configuration
ipconfig /all
# Display DNS resolver cache
ipconfig /displaydns
# Flush DNS cache
ipconfig /flushdns
# Test connectivity to IPv6 DNS server
ping 2001:4860:4860::8888
Problem: Firewalls blocking outbound or inbound UDP/TCP port 53 traffic over IPv6.
Diagnosis:
# Test if port 53 UDP is reachable over IPv6
tracepath6 -p 53 2001:4860:4860::8888
# Linux: Check firewall rules
ip6tables -L -n -v
# Windows: Check Windows Firewall
netsh advfirewall firewall show rule name=all | findstr "53"
Solution:
Linux (ip6tables):
# Allow outbound DNS queries
sudo ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow inbound DNS responses
sudo ip6tables -A INPUT -p udp --sport 53 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --sport 53 -j ACCEPT
Note: -A appends at the end of the chain, so these rules have no effect if an earlier rule already drops or rejects port 53 traffic; insert them with -I in that case. Accepting every inbound packet with source port 53 is broader than needed; a stateful rule (-m conntrack --ctstate ESTABLISHED,RELATED) admits only replies to queries this host actually sent.
Windows: Open Windows Firewall with Advanced Security and ensure DNS (port 53 UDP/TCP) is allowed for both inbound and outbound IPv6 traffic.
Router/Firewall: Check that IPv6 DNS traffic is not being blocked at the network edge. Many consumer routers have IPv6 firewall rules that are too restrictive by default.
Important: Modern DNS requires both UDP and TCP port 53. DNSSEC signatures and AAAA records make responses larger; when a response does not fit in the client's advertised EDNS buffer (or the classic 512-byte limit without EDNS), the server sets the TC bit and the client must retry the query over TCP.
Problem: DNS server doesn't respond to AAAA queries, but A queries work fine.
Diagnosis:
# Time how long AAAA query takes
time dig AAAA example.com @your-dns-server
# Compare with A record timing
time dig A example.com @your-dns-server
If AAAA queries consistently time out (>5 seconds) while A queries succeed quickly, your DNS resolver may have issues with IPv6.
Solution:
Try alternative DNS servers:
Google Public DNS: 2001:4860:4860::8888 and 2001:4860:4860::8844
Cloudflare DNS: 2606:4700:4700::1111 and 2606:4700:4700::1001
Quad9 DNS: 2620:fe::fe and 2620:fe::9
Update your DNS configuration:
Linux (systemd-resolved):
Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=2001:4860:4860::8888 2001:4860:4860::8844
FallbackDNS=2606:4700:4700::1111 2606:4700:4700::1001
Then restart: sudo systemctl restart systemd-resolved
macOS:
networksetup -setdnsservers Wi-Fi 2001:4860:4860::8888 2001:4860:4860::8844
Windows:
netsh interface ipv6 set dnsservers "Ethernet" static 2001:4860:4860::8888 primary
netsh interface ipv6 add dnsservers "Ethernet" 2001:4860:4860::8844 index=2
Problem: DNS daemon not listening on IPv6 interface, or misconfigured to reject AAAA queries.
Diagnosis:
# Check if DNS server is listening on IPv6
netstat -ln | grep :53
# Should show something like:
# udp6 0 0 ::1:53 :::*
# tcp6 0 0 ::1:53 :::*
Solution:
If running your own DNS server (BIND, Unbound, dnsmasq):
BIND:
Edit /etc/named.conf or /etc/bind/named.conf:
options {
listen-on-v6 { any; };
};
Unbound:
Edit /etc/unbound/unbound.conf:
server:
do-ip6: yes
interface: ::0
dnsmasq:
Edit /etc/dnsmasq.conf:
listen-address=::1
Restart the DNS service after making changes.
Problem: DNSSEC validation fails for IPv6 queries but succeeds for IPv4, or fails due to zone signing issues.
Diagnosis:
# Check if DNSSEC is causing the failure
dig +dnssec AAAA example.com
# Look for "SERVFAIL" status or missing RRSIG records
# Compare DNSSEC validation over IPv4 vs IPv6
dig -4 +dnssec AAAA example.com
dig -6 +dnssec AAAA example.com
Common DNSSEC error messages:
Solution:
Temporary workaround: Query without DNSSEC validation:
dig +cd AAAA example.com # cd = checking disabled
Fix systemd-resolved DNSSEC issues:
Edit /etc/systemd/resolved.conf:
[Resolve]
DNSSEC=allow-downgrade
# or completely disable if necessary:
# DNSSEC=no
Switch to DNS servers with better DNSSEC support: Some public DNS resolvers handle DNSSEC validation more reliably than others.
Check for known bugs: PowerDNS Recursor 4.1 has a bug causing IPv6 PTR lookups to fail with DNSSEC enabled. Upgrade if affected.
Problem: On Windows, IPv6 transition technologies (Teredo, 6to4, ISATAP) can interfere with DNS resolution.
Diagnosis:
# Check status of IPv6 transition technologies
netsh interface teredo show state
netsh interface 6to4 show state
netsh interface isatap show state
Solution:
If you have native IPv6 or don't need these technologies:
# Disable transition technologies
netsh interface teredo set state disabled
netsh interface 6to4 set state disabled
netsh interface isatap set state disabled
# Restart network adapter or reboot
Problem: Large DNS responses get fragmented, but IPv6 path MTU discovery fails or fragments are blocked.
Diagnosis:
# Check if large DNS responses fail
dig +bufsize=4096 AAAA example.com
# Test path MTU to DNS server
tracepath6 2001:4860:4860::8888
Solution:
Follow this systematic approach when diagnosing IPv6 DNS failures:
# Test connectivity to a known IPv6 address
ping6 2001:4860:4860::8888
# Or use online test
# Visit: https://test-ipv6.run
If ping fails: You have a broader IPv6 connectivity issue. DNS failures are a symptom, not the root cause. Check your IPv6 routing and ISP connectivity.
# Test AAAA query over IPv4 transport
dig -4 AAAA google.com
# Test AAAA query over IPv6 transport
dig -6 AAAA google.com @2001:4860:4860::8888
If -4 works but -6 fails: Your DNS resolver is reachable over IPv4 but not IPv6. Check firewall rules and routing.
If both fail: The problem is with the AAAA record itself or the authoritative DNS server.
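The transport comparison in this step, and the UDP/TCP fallback point made earlier, can be scripted so that timing, the TC (truncated) flag, the rcode and RRSIG presence are reported for each combination. This is an added example, not code from the original guide: a minimal raw DNS client in Python using only the standard library, sending an EDNS0 OPT record with the DO bit; `probe()` and the other function names are this example's own.

```python
import socket, struct, time, ipaddress
TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 28, 41, 46

def build_query(name, qtype=TYPE_AAAA, txid=0x1234, dnssec=True, bufsize=1232):
    """Wire-format query: RD set, one question, one EDNS0 OPT record (DO bit if dnssec)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)       # id, flags, qd, an, ns, ar
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)      # class IN
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, bufsize, 0, 0, 0x8000 if dnssec else 0, 0)
    return header + question + opt

def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    parts, end = [], None
    while data[off]:                                                  # stop at the root label 0x00
        if data[off] & 0xC0 == 0xC0:                                  # compression pointer
            end = off + 2 if end is None else end                    # remember where we left off
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
        else:
            n = data[off]; parts.append(data[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(parts), (off + 1 if end is None else end)

def parse_response(data):
    """Summarise a response: rcode, TC (truncated) flag, AAAA addresses, RRSIG presence."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                               # skip the question section
        _, off = _read_name(data, off); off += 4
    out = {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "aaaa": [], "rrsig": False}
    for _ in range(an + ns + ar):
        _, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10]); off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_AAAA: out["aaaa"].append(str(ipaddress.IPv6Address(rdata)))
        if rtype == TYPE_RRSIG: out["rrsig"] = True
    return out

def probe(server, name, tcp=False, timeout=5.0):
    """Send one AAAA query (IPv6 transport when server is an IPv6 literal) and time it."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    msg, t0 = build_query(name), time.monotonic()
    with socket.socket(fam, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
        s.settimeout(timeout); s.connect((server, 53))
        if tcp:                                                       # TCP frames carry a 2-byte length
            s.sendall(struct.pack(">H", len(msg)) + msg)
            n, data = struct.unpack(">H", s.recv(2))[0], b""
            while len(data) < n: data += s.recv(n - len(data))
        else:
            s.send(msg); data = s.recv(4096)
    return {**parse_response(data), "ms": round((time.monotonic() - t0) * 1000, 1)}
```

Run probe('2001:4860:4860::8888', 'example.com') against probe('8.8.8.8', 'example.com'), each with tcp=False and tcp=True, and compare the ms, tc and rcode fields: a tc=True UDP answer with a failing TCP probe points at the TCP-blocking case described above.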
# Google Public DNS
dig AAAA google.com @2001:4860:4860::8888
# Cloudflare DNS
dig AAAA google.com @2606:4700:4700::1111
# Quad9 DNS
dig AAAA google.com @2620:fe::fe
If external resolvers work: Your configured DNS server has issues. Change your DNS settings.
If external resolvers fail too: Network-level blocking (firewall, ISP) or routing issues.
# Linux
sudo ip6tables -L -v -n | grep -i "53"
# Windows (PowerShell as admin)
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*DNS*"}
Ensure both UDP and TCP port 53 are allowed for both outbound and inbound IPv6 traffic.
# Check what's in resolv.conf
cat /etc/resolv.conf
# Verify DNS server is reachable
ping6 <dns-server-ipv6-address>
# Test query with verbose output
dig +trace +dnssec AAAA example.com
# Query with DNSSEC
dig +dnssec AAAA example.com
# Query without DNSSEC (checking disabled)
dig +cd AAAA example.com
If +cd works but +dnssec fails: DNSSEC validation issue. Check resolver configuration or switch resolvers.
# Linux: Use tcpdump to capture DNS traffic
sudo tcpdump -i any -n port 53 and ip6
# Watch for timeout patterns and error responses
DNS Flag Day 2025 introduces stricter requirements for IPv6 DNS behavior:
Action: Ensure your DNS servers and resolvers are updated to comply with DNS Flag Day 2025 standards.
Some DNS servers and middleboxes exhibit "common misbehavior" against AAAA queries:
Diagnosis:
# Compare behavior of different record types
dig A example.com @suspect-dns-server
dig AAAA example.com @suspect-dns-server
dig MX example.com @suspect-dns-server
Solution: Avoid problematic DNS servers and report the issue to the operator.
IPv6 reverse DNS uses the ip6.arpa zone and can fail independently:
# Test reverse lookup
dig -x 2001:4860:4860::8888
# Manual PTR query
dig PTR 8.8.8.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.8.4.0.6.8.4.1.0.0.2.ip6.arpa
PTR failures typically don't affect forward resolution but can cause issues with email servers and some security checks.
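Hand-reversing 32 nibbles is easy to get wrong, so the conversion between an address and its ip6.arpa owner name is worth scripting. This is an added example, not code from the original guide; both function names are this example's own, and the result is cross-checked against the standard library's reverse_pointer.

```python
import ipaddress

def ip6_arpa_name(addr):
    """Build the ip6.arpa PTR owner name: all 32 nibbles of the expanded address, reversed."""
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 hex characters
    return ".".join(reversed(hexdigits)) + ".ip6.arpa"

def address_from_ip6_arpa(name):
    """Inverse: recover the (compressed) IPv6 address from a full ip6.arpa owner name."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:             # 32 nibbles + 2 suffix labels
        raise ValueError("not a full ip6.arpa name: " + name)
    hexdigits = "".join(reversed(labels[:-2]))
    return str(ipaddress.IPv6Address(int(hexdigits, 16)))

def matches_stdlib(addr):
    """Sanity check against the standard library's own reverse-pointer computation."""
    return ip6_arpa_name(addr) == ipaddress.IPv6Address(addr).reverse_pointer
```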
IPv6 DNS troubleshooting requires a methodical approach:
Most IPv6 DNS failures fall into one of these categories:
By following this guide and using the diagnostic commands provided, you should be able to identify and resolve most IPv6 DNS issues. If problems persist after exhausting these steps, the issue likely lies with your ISP's IPv6 implementation or requires professional network engineering assistance.