IPv6 benefits?
bikegremlin
Moderator, OG, Content Writer
Hosting provider I'm with has enabled the use of IPv6.
I'm using Cloudflare DNS - if that's relevant.
Is there any benefit of adding the appropriate IPv6 (AAAA) DNS records?
Are there any potential complications involved with that?
EDIT:
IPv4 is also still provided with the hosting provider - to avoid any misunderstanding.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Comments
The benefit is that it didn’t run out ;-).
And sure, go for it, activate :-)!
Clouvider Limited - VPS in 6 datacenters - Intel Xeon/AMD Epyc with NVMe and 10G uplink! | Dedicated Servers
Edited the original post - for now IPv4 is still also supported with the provider. So it's not a forced move.
If there are no (potential) downsides, it's a go.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
For bandwidth-intensive applications, several networks (especially academic networks) offer unlimited IPv6 throughput. It's generally considered standard practice to offer IPv6 storage repositories for transferring data within the academic community (developed nations). Other transit providers, such as HE.net, do not charge for IPv6 transit.
For security through obscurity purposes, there are significantly fewer port and vulnerability scanners on IPv6 services, such as SSH. If you're getting DDoSed, odds are your server is still accessible by IPv6 because the hosting provider will only null-route the IPv4, allowing you to serve the website, FTP, SSH, etc. via IPv6. If you're hiding behind Cloudflare, this means your website would still work over IPv6, even if your website doesn't have a working IPv4 address. Furthermore, most script kiddies don't know how to DDoS IPv6 services and most software allowing for DDoS isn't written with IPv6 DDoS in mind, stopping attacks from stupid people. There are fewer IPv6-supporting vulnerable DNS and NTP servers that can support a DNS reflection attack too, so any attack on IPv6 addresses would probably be smaller, by a significant magnitude.
By adopting IPv6, you help spur further adoption, encouraging other ISPs to offer IPv6 to their customers. Making your low-end site IPv6 accessible might be a tiny part of the equation, but it adds up in world-wide service scans that create statistics enabling a business-case for IPv6. It's also futureproofing. Furthermore, each website can get its own IPv6 address.
Yes, for the moment I'm using Cloudflare as both DNS and a proxy.
However, server connection to Cloudflare's servers is done over IPv4 (because I've only used A records, not AAAA).
Do you suggest it's better to keep both A and include AAAA, or get rid of A records altogether (or is it irrelevant if using Cloudflare as a proxy)?
Same question for websites not using Cloudflare proxy - use both IPv4 and IPv6, or get rid of IPv4 altogether?
I suppose it's best to keep IPv4 as well for the time being, but suppose it doesn't hurt to ask - being far from an expert.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
If you use IPv6 at home, you don't need to use NAT - each device gets its own IP address. Similarly, on VPSes it's very useful if you have multiple Docker or LXC containers as each one can get its own public IP. That's assuming your provider gives you a routed subnet rather than just one address - any provider that knows what they're doing should be including a routed /64 subnet with every VPS.
SLAAC means IPv6 addresses can be autoconfigured without having to use DHCP.
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
Personally I'd get rid of the A record altogether and only use the AAAA record. However, the issue with that is if your server doesn't have good connectivity to a Cloudflare PoP, you would degrade service quality. However, this is exceptionally rare. Once the traffic hits a Cloudflare PoP, it's not a big deal since they can serve the content over IPv4 and IPv6 from their own enhanced network.
Adding onto my previous points, the awesome part of IPv6 is each website you run can get its own IPv6 interface, so set separate IPv6 AAAA records for each site with a unique IPv6 address.
Didn't note that, sorry, my bad: I'm using shared (reseller) hosting, not a VPS.
If that makes any difference regarding this topic.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
Just let Cloudflare handle everything; Cloudflare would have given you a sort of virtual IPv6 address. If site visitors can only access IPv6, Cloudflare would proxy the request for them and allow them to browse your site with IPv6. Shared hosting with a panel is meant to be simple and hassle-free. Don't overthink too much when you're dealing with shared hosting.
Recently my home ISP had an issue that only affected IPv4 - I could still SSH/access all my servers as they have IPv6. Browsing IPv6 still worked, but v4 was down for about an hour.
I realise that's an unusual case, but I'm counting it as a benefit.
You have to think about the consumer ISP side of things as well though. Some ISPs are v6 only, relying on mechanisms such as 464XLAT and/or CG-NAT to provide IPv4 connectivity. Leveraging native IPv6 means you get to skip having to go through the NAT appliance, potentially improving performance for the end user (albeit very marginally).
HE's throughput is pretty bad and their IX ports are congested at times, mind you. So IPv4 might actually be much faster.
SkylonHost.com High Bandwidth European Cloud KVM | AS202297
If you can just enable it, of course; otherwise, not really a benefit.
Free NAT KVM | Free NAT LXC | Bobr
ITS WEDNESDAY MY DUDES
For all I know, Cloudflare already has it enabled for visitor connection to their servers.
Connection from CF servers to hosting server is IPv4 for now.
To enable IPv6 connection from hosting to CF servers, I'd (only) need to add matching AAAA records.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
I'd rather not enable v6 when native is not available than use Cloudflare, for reasons.
Free NAT KVM | Free NAT LXC | Bobr
Native is (now) enabled by the hosting provider.
Using Cloudflare for other reasons, not for IPv6 connectivity. But it apparently handles that as well.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
When I need to cache content, I just use BunnyCDN, which has privacy friendly options and I know who runs and owns it.
And I see no direct point in hiding your webserver IP; it even breaks TLS at Cloudflare and inspects all the data, which also breaks the whole concept of TLS.
Free NAT KVM | Free NAT LXC | Bobr
Depends on the use case. For my use, the free option provided by CF does more good than harm.
Or, looking at it from another angle: in the whole mass surveillance banquet, it doesn't make any difference whether a small website from Serbia is also monitored.
Same goes for using Google AMP.
EDIT: did check out the BunnyCDN. Looks fine - for an ecommerce site for example, it would surely be a good option.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
There is a difference between metadata and reading all of its contents.
So no.
Free NAT KVM | Free NAT LXC | Bobr
Not sure I follow.
How would I get any problems, or how would Cloudflare get any benefits from reading my website data?
It is all publicly published anyway.
Passwords used are unique for the website. It would be suicidal for their business plan to abuse those.
Emails?
Didn't get any spam so far, after now about 2 years of using the service, so guess emails aren't sold in that way, not yet.
What should I be wary about?
For all I know, unlike Google, CF's business plan is based on upsales, not on selling customer data.
Also, if using any sort of social network, mobile phone and paying with a card - that should provide more than enough metadata for anyone interested. While being very hard to avoid using these days.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
https://www.reddit.com/r/privacy/comments/41cb4k/be_careful_with_cloudflare/
It does not matter what kind of website you are running, just run it without Cloudflare; I see no point using it.
Free NAT KVM | Free NAT LXC | Bobr
I am aware the data is decrypted on their servers, then re-encrypted on.
My websites work perfectly fine with TOR browser - no captchas. Suppose this goes when you enable "I'm under attack" mode.
I have set it all up so that I can switch back to using CF as a DNS only, or even completely switch from it to another (free) DNS service (Hurricane Electric is my first pick - are there any problems with that one?).
But so far, I'm yet to experience any downsides of CF, at least for my use case.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
There was a discussion on LET about HE, that some results got manipulated, so I would not recommend using them.
I mostly use my own DNS servers, besides Rage4, which is paid; maybe try:
https://freedns.afraid.org/
https://zilore.com/en
These days you can spend 15$/y and get 2 KVMs, put NSD on them, and you are set.
Free NAT KVM | Free NAT LXC | Bobr
In which way would HE manipulate the DNS?
(can’t find the thread on the other side)
It was a while back; the issue was that HE responded to non-existent entries on their public DNS servers basically with their own.
What some ISPs do, if you are using the default DNS servers; they simply should not do that.
If a subdomain or domain does not exist, it should not result in a response.
People talked about this on LET, but I cannot find it now.
Free NAT KVM | Free NAT LXC | Bobr
ITS WEDNESDAY MY DUDES
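The behaviour described in the post above (a resolver answering for names that do not exist) can be checked by querying a random label and inspecting the response code. This is an added example, not part of the original thread: all function names and the two sample replies are constructed for illustration, and `probe` assumes network access to the resolver being tested.

```python
import secrets
import socket
import struct

def build_query(name, txid, qtype=1):
    """Encode a minimal DNS query (RFC 1035); qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # class IN

def classify(resp, txid):
    """Classify a resolver's reply to a query for a name that must not exist."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit says "query"
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"   # expected: the name does not exist
    if rcode == 0 and ancount:
        return "rewritten"  # resolver supplied an answer for a missing name
    return "nodata" if rcode == 0 else "error"

def probe(resolver_ip, zone, timeout=3.0):
    """Ask resolver_ip for a random label under zone (needs network access)."""
    txid = secrets.randbits(16)
    query = build_query(f"{secrets.token_hex(12)}.{zone}", txid)
    family = socket.AF_INET6 if ":" in resolver_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return classify(s.recvfrom(4096)[0], txid)

def constructed_reply(query, rcode, with_answer=False):
    """Build a sample reply offline (constructed data, not a capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8180 | rcode, 1, int(with_answer), 0, 0)
    answer = b""
    if with_answer:  # pointer to qname, type A, class IN, TTL 60, 192.0.2.1 (doc range)
        answer = struct.pack("!3HIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer

SAMPLE_QUERY = build_query("no-such-host-7f3a.example.com", 0x1A2B)
HONEST = constructed_reply(SAMPLE_QUERY, rcode=3)
REWRITTEN = constructed_reply(SAMPLE_QUERY, rcode=0, with_answer=True)
```

A zone with a wildcard record legitimately returns answers for random labels, so run `probe` against a zone you know has none.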
Test samples are important. When I find a problem, I (most often, unless it's really minor and I won't bother) write down how to reproduce it and confirm. That usually helps with troubleshooting.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
I have a domain hosted on HE's DNS, and it replies correctly with Non-existent domain.
I think we'll be all dead when IPv6 goes fully mainstream.
Like in more than 25-50 years or so.
Anyhow, @bikegremlin you remind me of bandits phoenix rising (Бандиты Безумный Маркс).
Of which I am unable to find the Linux port, and Wine does a terrible, horrible ~0.3fps job in this particular case; can't get past the menu, which itself is at such low fps.
I found only a screenshot of the Linux game loader... So it existed, at least as a beta of some sort.
I read about it, that's all; if you want test samples, then look out for the original thread.
Free NAT KVM | Free NAT LXC | Bobr
Don't understand the second paragraph.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
The cog in your avatar reminds me of a game.
Basically, it's all shit (posting) and the universe is my canvas.
And if something good ever comes out of it, I'll be happy.
It will be funny in the olden days, when dementia and smells set in.
Besides, what's the point of liberty if one can't live it, freely?
Everything is interleaved now, man can't even find a decent cabbage.
It's all spliced and interpolated together.
In the words of the great thinker, @deank, "The end is, approximately, five to twelve."
So, it's the little things... but, does it even matter?
I use IPv6 to serve SSH and Wireguard. This way my IPv4 only has HTTP. Very comfy.