Over the last couple of days we were troubleshooting DNS for a customer who has their domains hosted at DNS Exit, and couldn’t seem to nail down why we here at Rollernet couldn’t resolve their DNS reliably, if at all. After much extended testing, we eventually tested from a site that was IPv4-only and discovered this:
;; ADDITIONAL SECTION:
ns1.dnsexit.com. 28800 IN A 18.104.22.168
ns1.dnsexit.com. 28800 IN AAAA ::1
ns2.dnsexit.com. 59400 IN A 22.214.171.124
ns2.dnsexit.com. 59400 IN AAAA ::1
ns3.dnsexit.com. 57600 IN A 126.96.36.199
ns3.dnsexit.com. 57600 IN AAAA ::1
ns4.dnsexit.com. 57600 IN A 188.8.131.52
ns4.dnsexit.com. 57600 IN AAAA ::1
There’s the problem: delegations to the IPv6 loopback address. This is not something we would ever expect to see. It can, in fact, be damaging because an IPv6 resolver may try to query itself (localhost). As such, we are strongly recommending to all of our customers (plus anyone in general who is interested in working with IPv6 or may use an IPv6 network) to stay clear of DNS Exit at this time.
We try not to recommend one provider over another, but in this instance the localhost AAAA delegations are too egregious an error to ignore. As far as we are aware, only DNS Exit does this, so any of their competitors should be a suitable replacement.
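To check your own delegations for the same mistake, the following added example (not from the original post) scans the ADDITIONAL section of saved `dig` output and flags glue records that a resolver could never reach, such as the `::1` entries above. The function names are hypothetical and the sample records are constructed from documentation ranges; it also goes slightly beyond the post by flagging unspecified, link-local, multicast and IPv4-mapped loopback addresses.

```python
import ipaddress

# Constructed sample in dig's ADDITIONAL SECTION layout (example.net names,
# documentation address ranges); these are not the records from the post.
SAMPLE = """\
;; ADDITIONAL SECTION:
ns1.example.net.  28800 IN A    192.0.2.1
ns1.example.net.  28800 IN AAAA ::1
ns2.example.net.  59400 IN A    127.0.0.53
ns2.example.net.  59400 IN AAAA 2001:db8::53
ns3.example.net.  57600 IN AAAA fe80::1
ns4.example.net.  57600 IN AAAA ::ffff:127.0.0.1
"""

def unusable_reason(addr):
    """Return why addr cannot be a reachable name server, or None if it looks fine."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped 127.0.0.1 is still seen as loopback.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    return None

def bad_glue(dig_text):
    """Return (name, type, address, reason) for each unusable A/AAAA record."""
    findings = []
    for line in dig_text.splitlines():
        fields = line.split()
        # Skip dig comments/headers and anything that is not NAME TTL CLASS TYPE RDATA.
        if line.startswith(";") or len(fields) != 5:
            continue
        name, _ttl, rclass, rtype, rdata = fields
        if rclass != "IN" or rtype not in ("A", "AAAA"):
            continue
        try:
            reason = unusable_reason(rdata)
        except ValueError:
            reason = "unparseable"
        if reason:
            findings.append((name, rtype, rdata, reason))
    return findings

if __name__ == "__main__":
    for finding in bad_glue(SAMPLE):
        print("%s %s %s -> %s" % finding)
```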