Linux: Block IPv6 for certain applications / hostnames

Hauke Laging asked:

Problem and aim

We don’t get IPv6 from our ISP, thus I have an IPv6 tunnel which works fine but is, of course, not very fast. And not really reliable. I like to have IPv6 available “just in case” but I want certain hosts (domains) to be connected with IPv4 only.

Default protocol

It seems to me that all applications try IPv6 first; this is probably a glibc setting. I would be fine if this default would be reversed (for all applications).


It would be possible to block IPv6 addresses / networks with Netfilter but there are two problems:

  1. Would this cause a delay as the app waits for an IPv6 timeout before it tries IPv4?
  2. Some domains seem to be so mixed that it looks like chaos. Separating and seems like something you don’t want to do if you can avoid it.

I just note that the man page for ip route says for the routing type unreachable:

The local senders get an EHOSTUNREACH error.

Does the same happen with Netfilter DROPs or REJECTs? Such an error should not cause a relevant delay.

DNS filtering

Another solution (rather easy one if that is possible) would be to filter AAAA records for certain domains. If that is not (easily) possible: Is it possible to connect the DNS server and Netfilter so that I know “IP address X belongs to domain Y” so that I can add it to Netfilter? Anything more elegant than logging everything and grepping the log?

The way to go?

Which (other) possibilities are there and what is the easiest?

My answer:

OK, here’s a completely different answer.

Place the offending hosts with crappy IPv6 connectivity in /etc/hosts with their corresponding IPv4 address.

For example:

Remember to remove them when their (in this case) or your IPv6 connectivity improves.
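As an added example (not part of the original answer), here is a small POSIX shell script that keeps such pins in a hosts file as tagged lines so they can be replaced or removed cleanly later. It assumes the operator supplies the IPv4 address (for instance from an A lookup); `HOSTS_FILE` is a hypothetical override variable that defaults to /etc/hosts.

```shell
#!/bin/sh
# Added example: maintain a tagged set of IPv4-only pins in a hosts file.
# HOSTS_FILE is an assumed override (defaults to /etc/hosts) so the script
# can be exercised against a scratch copy before touching the real file.
# Assumption: the IPv4 address is supplied by the caller, not looked up here.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
TAG="# ipv4-pin"

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet 0-255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# unpin_ipv4 HOST: remove the tagged pin for HOST, leaving every other line alone.
unpin_ipv4() {
    host="$1"
    tmp="$HOSTS_FILE.tmp.$$"
    # drop only lines whose second field is HOST and that carry our tag
    awk -v h="$host" -v t="$TAG" '!( $2==h && index($0,t)>0 )' "$HOSTS_FILE" > "$tmp" && mv "$tmp" "$HOSTS_FILE"
}

# pin_ipv4 HOST ADDR: add (or replace) the tagged IPv4 entry for HOST.
pin_ipv4() {
    host="$1"; addr="$2"
    valid_ipv4 "$addr" || { echo "pin_ipv4: not an IPv4 address: $addr" >&2; return 1; }
    unpin_ipv4 "$host"
    printf '%s\t%s\t%s\n' "$addr" "$host" "$TAG" >> "$HOSTS_FILE"
}

# pinned_addr HOST: print the pinned IPv4 address for HOST, or nothing.
pinned_addr() {
    awk -v h="$1" -v t="$TAG" '$2==h && index($0,t)>0 { print $1 }' "$HOSTS_FILE"
}
```

Because only lines ending in the tag are touched, the existing localhost and IPv6 entries in the file survive pin and unpin operations.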

