DNS trigger for AAAA detection on IPv4 networks



Current versions of desktop and server operating systems are usually IPv6-aware. In some cases the OS will make assumptions on what types of data are available in your DNS infrastructure. These assumptions can introduce delays, and cause issues in other systems that rely upon rapid and high quality DNS hits. To that end I created the trigger below to address when a client is configured to attempt sending an AAAA (IPv6) DNS request once it receives an error on IPv4. If your DNS server is not configured to serve out the proper NXDOMAIN requests this will introduce a lag of about 2-4s as the client waits for a timeout on the request. Even with NXDOMAIN this is extraneous traffic that should be cleared up if it is not valid for the environment.

I hope the trigger below proves useful to some of you:

/*
 * Trigger: DNS IPV6 after Error
 * Description: This trigger will detect when a DNS request has failed and
 * is subsequently followed by an AAAA request.  This is a sign that
 * the client is configured to attempt IPv6 DNS queries on failure, which
 * may cause a noticeable performance decrease in a non-IPv6 environment.
 */

if (DNS.error !== null) {
    // remember the name whose lookup failed on this flow
    Flow.store.DNSerror = DNS.qname;
} else if (Flow.store.DNSerror !== undefined && DNS.qtype === "AAAA") {
    // an AAAA query seen after an earlier failure on the same flow
    var request = Flow.store.DNSerror;
    debug("got answer: " + request + " : " + DNS.qtype);
    Network.metricAddCount("dns-ipv6-on-error", 1);
    Network.metricAddDetailCount("dns-ipv6-on-error_detail", Flow.client.ipaddr + " : " + request, 1);
}


I think there might be a lighter way to go about this.

The above trigger uses the Flow.store, which is typically used in passing information between the Request side of an event and the corresponding Response side.

/*
 * Trigger: DNS IPV6 Error Detail
 * Description: Detect when an IPv6 DNS request has failed and
 * provide more detail about the DNS request.
 */

if (DNS.error !== null) {
    // had a DNS error, was it in response to an IPv6 (AAAA) lookup?
    if (DNS.qtype === "AAAA") {
        // store a network metric and a detailed network metric
        // we may want to dashboard the detailed network metric
        Network.metricAddCount("dns-ipv6-on-error", 1);
        var query = DNS.qname || "no query";     // shouldn't happen, handle in case
        // the start of this call is missing from the post; the function and
        // metric name are assumed to match the first trigger
        Network.metricAddDetailCount("dns-ipv6-on-error_detail",
            "Client:" + Flow.client.ipaddr + " - Request:" + query,
            1);
    }
}

This trigger should be lighter on the system in several ways:

  • does not use the Flow.store
  • defines fewer variables
  • does not write to the debug log
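
Added example, not part of either post: a stand-alone Node.js simulation that applies the two triggers' conditions to the same DNS records so their results can be compared. The record layout, the constructed sample values and the helper names (`aaaaAfterError`, `aaaaWithError`, `compare`) are assumptions, as is modelling Flow.store as one store per flow.

```javascript
// Stand-alone Node.js simulation, not ExtraHop trigger code. Each record is
// one trigger evaluation; error === null stands for a request or a clean
// response. All flows, addresses and names are constructed sample data.
const events = [
  // f1: A lookup fails, the client retries the same name as AAAA, which fails too
  { flow: "f1", client: "10.0.0.5", qname: "intranet.example", qtype: "A", error: "NXDOMAIN" },
  { flow: "f1", client: "10.0.0.5", qname: "intranet.example", qtype: "AAAA", error: null },
  { flow: "f1", client: "10.0.0.5", qname: "intranet.example", qtype: "AAAA", error: "NXDOMAIN" },
  // f2: A lookup fails, then an unrelated AAAA lookup succeeds on the same flow
  { flow: "f2", client: "10.0.0.6", qname: "typo.example", qtype: "A", error: "NXDOMAIN" },
  { flow: "f2", client: "10.0.0.6", qname: "www.example", qtype: "AAAA", error: null },
  { flow: "f2", client: "10.0.0.6", qname: "www.example", qtype: "AAAA", error: null },
  // f3: an AAAA lookup fails with no earlier failure on the flow
  { flow: "f3", client: "10.0.0.7", qname: "v6only.example", qtype: "AAAA", error: null },
  { flow: "f3", client: "10.0.0.7", qname: "v6only.example", qtype: "AAAA", error: "SERVFAIL" },
];

// First post: remember the last failed name per flow, count a later AAAA.
function aaaaAfterError(evts) {
  const store = new Map(); // stands in for the per-flow Flow.store (assumption)
  const details = [];
  for (const e of evts) {
    if (e.error !== null) {
      store.set(e.flow, e.qname);
    } else if (store.has(e.flow) && e.qtype === "AAAA") {
      details.push(e.client + " : " + store.get(e.flow));
    }
  }
  return details;
}

// Second post: count every AAAA lookup that itself returned an error.
function aaaaWithError(evts) {
  return evts
    .filter((e) => e.error !== null && e.qtype === "AAAA")
    .map((e) => "Client:" + e.client + " - Request:" + (e.qname || "no query"));
}

function compare(evts) {
  return { afterError: aaaaAfterError(evts), withError: aaaaWithError(evts) };
}

console.log(compare(events));
```

On this sample the first condition records three hits, two of them for `typo.example` on flow f2 because the stored name is never cleared, while the second records only the two AAAA lookups that returned an error. The two metrics therefore measure different things and should not be compared as if they were the same count.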