Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Broken DNS AAAA lookups

J | Last updated: Jul 21, 2021 07:22AM UTC

Burpsuite 2021.6.2 on MacOS does not make AAAA DNS lookups, and subsequently does not try to connect to IPv6 addresses of sites. This causes total failure if the site is IPv6-only, eg https://www.v6.facebook.com, https://ipv6.google.com, https://loopsofzen.uk/ etc, or if you're using an IPv6-only connection with NAT64/DNS64 (eg many mobile operators). If the target site is dual stack, it causes all traffic to occur over legacy IPv4, whereas non-burp traffic direct from the browser occurs over IPv6 as expected.

Michelle, PortSwigger Agent | Last updated: Jul 22, 2021 09:56AM UTC

Thanks for your message. We've been trying to replicate your issue here. I'm afraid we've not been able to replicate it, f we use a connection that supports IPv6 we have been able to connect to the sites you mentioned both directly and when proxying via Burp on MacOS. Are you able to maybe try using a different internet connection?

J | Last updated: Jul 23, 2021 05:10AM UTC

I'm using an IPv6-only connection with NAT64 (many mobile operators work this way), and it seems burp will only use IPv6 for IPv6-only sites... For dual stack sites, it defaults to legacy IP even when IPv6 AAAA records are present and never tries IPv6 at all, thus it will fail. This shows up in the "IP" column of the proxy history. DNS64 synthesizes AAAA records when only legacy A records exist, and the behavior of modern operating systems is to prefer AAAA when available so traffic to legacy sites gets routed through the NAT64 gateway and native traffic goes directly. This behavior also occurs when using a SOCKS proxy, unless the "perform dns lookups through proxy" option is enabled. The common behavior of all modern browsers is to try IPv6 first if available, and then fail over to legacy IP if an IPv6 connection fails. I'm not sure why IPv6-only sites were failing totally through burp before...

Michelle, PortSwigger Agent | Last updated: Jul 23, 2021 09:21AM UTC

Can I just double-check that you're not seeing any issues connecting to the IPv6 example sites you mentioned previously now? Is it just the dual stack sites where you see a problem now? If it is, are you able to share an example of one of the sites you're connecting to?

J | Last updated: Jul 26, 2021 01:48AM UTC

The IPv6-only sites weren't working before but are working now... I can't explain what was happening there. The dual stack sites are now seeing problems because Burp defaults to IPv4, whereas the browsers and everything else always default to IPv6.

Michelle, PortSwigger Agent | Last updated: Jul 26, 2021 09:27AM UTC

Thanks for confirming that. Can you try launching Burp with the following option and let us know if this helps in your scenario, please? -Djava.net.preferIPv4Stack=false Please let us know if you have any questions.

J | Last updated: Jul 27, 2021 03:19AM UTC

Adding that option makes no difference, it's still preferring legacy ip and failing under NAT64.

Michelle, PortSwigger Agent | Last updated: Jul 27, 2021 09:23AM UTC

Thanks for doing that test. We've been discussing this with the developers and have found the cause of the issue. I've linked this thread to the internal case so we can let you know when there is an update.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.