iptables: Overview and Practical Use

The telnet command is a great and handy Linux network service communication utility. From remote server and system port scans, to debugging network connections, telnet offers easy text-based interaction with a remote host. In this step by step guide, you can see how to install, configure, and utilize telnet in Linux. We shall also discuss its various options and features so that you can have a complete idea. What is Telnet? telnet, or "Telecommunication Network," is a remote network protocol on another computer over the Transmission Control Protocol (TCP). telnet provides the ability to directly specify the remote host on a particular port so that commands may be sent and output directly read in real time. telnet is employed primarily for: Testing Open Ports: Determine if a server has an open port. Accessing Services: Get direct access to the web, e-mail, or other networked services. Troubleshooting Network Issues: Fix network connectivity issues or port not available issues. Installing Telnet on Linux telnet is not pre-installed on most modern Linux distributions. Installation depends on your system type. For Ubuntu/Debian-Based Systems An Ubuntu or any Debian-based Linux user can install telnet with the apt package manager: sudo apt install telnet For Red Hat/CentOS-Based Systems telnet can be installed on RedHat, CentOS, or Fedora by using the yum or dnf package managers: sudo yum install telnet For newer versions: sudo dnf install telnet Understanding the Telnet Command Syntax The telnet command syntax is simple: telnet [hostname/IP] [port] Where: [hostname/IP]: Specifies the hostname or IP address of the remote host. [port]: Specifies the port number you want to connect to. It can be omitted, and the default port (23) is used.  telnet establishes one direct connection to services on specific ports, like HTTP (port 80), SMTP (port 25), or FTP (port 21). Different Options Available for the Telnet Command The telnet command is highly customizable, offering several options that enhance its usability and functionality. Option Description -4 Forces telnet to use IPv4 only when establishing a connection. -6 Forces telnet to use IPv6 only when connecting. -8 Allows transfer of 8-bit data via telnet. -E Disables the telnet escape character operation, disallowing escape sequences during the session. -K Prevents telnet from automatically passing credentials (e.g., a Kerberos ticket) to the remote host. -L Enables the loopback mode so that telnet can connect to the same host. -X atype Specifies the authentication type (i.e., KERBEROS_V4) to be used during the telnet session. -a Automatically fills in the user's login name attempting to log onto the remote system. -d Enables debugging mode, providing detailed information about the connection process and communication. -e char Alters the escape character for telnet. -l user Specifies the username for the login attempt. -n tracefile Writes session activity to a specified trace file for debugging or logging. -b addr  Defines a local interface or address for telnet to use when connecting. -r Creates a reverse telnet connection. Using Telnet: Practical Applications telnet provides diagnostic and testing capabilities for networks. Some of these include: Test Open Ports telnet is often used to verify if a specified port of a server is open. To verify port 80, enter the following command: telnet example.com 80 If the port is open, telnet will connect, and you might have a blank screen expecting input. This is a good indication that the port is listening and expecting to chat. If the port is firewalled or closed, you would get an error message such as "Connection refused." Interact with SMTP Servers telnet can debug email servers by sending raw SMTP commands. To open an SMTP server on port 25: telnet mail.example.com 587 Once connected, you can directly type SMTP commands such as HELO, MAIL FROM, and RCPT TO to communicate with the server. For example: Send HTTP Requests telnet enables manual HTTP requests to debug web servers. For example: telnet example.com 80 After connecting, type: GET / HTTP/1.1 Host: example.com Press Enter twice to send the request, and the server's response will appear. Connect Using IPv4 If the server supports both IPv4 and IPv6, you can force the connection to use IPv4: telnet -4 example.com 80 This ensures compatibility with IPv4-only networks. Debugging a MySQL Server telnet can connect to a MySQL database server to check if the port is open (default port 3306). telnet database.example.com 3306 Replace database.example.com with the MySQL server address.  If the connection is successful, telnet will display a protocol-specific greeting message from the MySQL server. Security Considerations When Using Telnet Although telnet is a handy utility, it is fundamentally unsafe since it sends the data, including passwords, in cleartext. Consequently: Don't Use Telnet Over Unsecure Networks: Utilize a secure, private network whenever possible. Use Alternatives: Use SSH (Secure Shell) for encrypted communication. Restrict Access: Turn off telnet on your servers if you do not use it. By understanding these risks, you can take precautions to secure your systems. Exploring Advanced Telnet Use Cases telnet’s utility extends to a variety of specialized scenarios: Monitoring Services: Use telnet to interactively query protocols like IMAP or POP3 to diagnose emails. IoT Device Management: telnet can be utilized as an immediate interface to communicate with IoT devices that utilize text-based communication protocols. Educational Use: It is an excellent learning tool for studying network protocols and server responses. Troubleshooting Common Telnet Issues Despite its simplicity, telnet may run into issues such as: Connection Refused: This would usually be so if the target port is firewalled or closed. Time-Out Errors: These could reflect network delay or routing issues. Permission Denied: Check appropriate user privilege and port availability. Regularly checking server configurations and network settings can help resolve these issues. Exploring Telnet Alternatives If telnet's lack of encryption is a security risk to your system, there are several alternatives that offer comparable functionality with added security and features: SSH (Secure Shell): SSH is the most common telnet substitute, providing secured communication, tunneling, and strong authentication. Use the ssh command to securely connect to remote servers. Netcat (nc): Netcat is a full-featured networking debugging tool, port scanner, and connection tester. It can handle both TCP and UDP. OpenSSL S_client: OpenSSL can be utilized to test SSL/TLS protocols securely on particular ports. Conclusion telnet in Linux is a simple and convenient network diagnostics and debugging tool. As long as you understand its security limitation and have sufficient configurations, telnet remains a convenient debugging tool, test tool, and communications tool for network services. From this guide, you have a working configuration that strikes a balance between convenience and responsible caution. Get the best out of your Linux experience and control your systems securely and efficiently remotely.

Opening ports in Linux is an important task that allows certain services or applications to exchange data over the network. Ports act as communication gateways, allowing access to authorized services while blocking unauthorized connections. Managing ports is key to secure access, smooth app functionality, and reliable performance. Understanding Ports and Their Purpose Ports are the logical endpoints of network communication, where devices can send and receive information. HTTP uses port 80, HTTPS uses port 443, and SSH uses port 22. An open port means the service that listens for incoming network traffic is associated with it. A closed port, on the other hand, stops communication via that gateway. Maintaining availability and security requires proper management of Linux open ports. Check Existing Open Ports on Linux Before opening a port, check the open ports in Linux to see which ones are currently active. You may achieve this using several Linux commands. netstat To display open ports, run: netstat -tuln The netstat utility provides a real-time view of active network connections, displaying all listening endpoints. The -tuln flags refine the output to show only TCP and UDP ports without resolving hostnames. Note: In case netstat isn’t installed, install it via: sudo apt install net-tools ss The ss utility can also be utilized to check ports: ss -tuln Compared to netstat, the ss command is more recent and fast. It shows the ports that are in use as well as socket information. nmap For a detailed analysis of Linux open ports, use: nmap localhost The nmap utility scans the given host (localhost in this case) for open ports. This is useful for finding ports exposed to public networks. Note: You can install nmap on Linux via: sudo apt install nmap Opening Ports on Linux Firewall modification is required to grant access through a chosen endpoint. Linux provides several options for handling these tasks, including iptables, ufw, and firewalld. Here are the methods to open ports with these utilities. Method 1: Via iptables Iptables is a robust and lower level firewall utility that grants fine-grained control over network traffic. To open a port with iptables, take these steps: Add a Rule to Allow Traffic from a Specific Port  Enable HTTP access on port 8080 with this command: sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT sudo: Execute the command as superuser. iptables: Refers to the firewall utility. -A INPUT: Inserts a rule in the input chain, controlling incoming traffic. -p tcp: Shows that the rule is for TCP traffic. --dport 8080: Points to port 8080 for the rule. ACCEPT: Specifies that incoming traffic matching the rule is accepted. This permits incoming TCP on port 8080. However, iptables changes are volatile and will be undone after reboot. Note: The iptables can be installed with persistent packages using: sudo apt install iptables iptables-persistent Save the Configuration For making the rule permanent and remain even after a system restart, store iptables rules via: sudo netfilter-persistent save This directive preserves current iptables or nftables rules such that they are preserved during reboots. Reload Changes Reload the firewall configuration as needed with: sudo netfilter-persistent reload Method 2: Via UFW Ufw (Uncomplicated Firewall) is a minimal front-end for managing iptables rules. It allows you to easily open ports with simple commands. This is how you can do it: Enable Ufw  First, ensure the ufw firewall is activated: sudo ufw enable Executing this command allows UFW to modify firewall settings. Note: UFW can be installed with: sudo apt install ufw Allow Traffic Via Specific Port  For instance, to open port 22 for SSH, use: sudo ufw allow 22/tcp sudo: Grants superuser privileges. ufw allow: Adds a rule to permit traffic. 22/tcp: Sets port 22 for communication while restricting the rule to TCP protocol. This permits access on port 22, enabling remote SSH connections. Verify the Firewall Status  To ensure the port is accessible and the rule is active, execute: sudo ufw status The status command displays all active rules, including the allowed ports. Method 3: Via Firewalld Firewalld is a dynamic firewall daemon present on Linux. It is simpler to customize the firewall rules compared to using iptables. Here’s how to enable port access via firewalld: Add a Permanent Rule for the Desired Port  To enable HTTPS access on port 443, run: sudo firewall-cmd --permanent --add-port=443/tcp firewall-cmd: Invokes the firewalld command. --permanent: Ensures the rule stays active after the firewall reloads or the system boots. --add-port=443/tcp: Opens port 443 to accept incoming TCP traffic. Note: Install firewalld on Linux via: sudo apt install firewalld Once installed, you should activate and run it: sudo systemctl enable firewalld sudo systemctl start firewalld Reload the Firewall  Finalize the settings to enable the newly defined policy: sudo firewall-cmd --reload Applying firewall modifications makes recent policy updates functional without rebooting. Verification Check whether the port is opened successfully: sudo firewall-cmd --list-all The --list-all command provides a complete list of rules, helping you determine if port 443 is open. Testing the Newly Opened Port Always check if the newly opened port is available for incoming connections. Here’s how: Using telnet Test the port opening via: telnet localhost port_number Successful access means the port is open and responsive. Using nmap Analyze the host to verify if the specified endpoint is accessible.: nmap -p port_number localhost The -p flag specifies the port to scan. Using curl Check HTTP service availability: curl localhost:port_number A successful response confirms the service is running on the opened port. Troubleshooting Common Issues Ports opening may occasionally fail due to configuration errors or conflicting software settings. Follow these tips: Verify Firewall Rules: Run iptables -L or ufw status to assess firewall restrictions and permissions. Check Service Status: Check if the assigned service is active with systemctl status <service-name>. Opening Specific Ports Based on Protocol Understanding the protocol used by the service can help configure ports more effectively. For instance, web traffic typically uses TCP (Transmission Control Protocol) for stable communication, while certain gaming services may require UDP (User Datagram Protocol) for faster packet transmission. Opening a TCP Port To access port 3306 for MySQL traffic: sudo ufw allow 3306/tcp This explicitly permits TCP traffic through port 3306, ensuring stable communication for database queries. Opening a UDP Port To access port 161 for SNMP (Simple Network Management Protocol), run: sudo ufw allow 161/udp UDP provides faster, connectionless communication, ideal for monitoring tools like SNMP. Managing Port Accessibility Once a port is opened, controlling its visibility ensures security and prevents unauthorized access. Restricting Access to Specific IPs To limit port access to a specific IP address (e.g., 192.168.1.100): sudo ufw allow from 192.168.1.100 to any port 22 This allows SSH access via port 22 only from the specified IP address, enhancing security. Closing Ports To revoke access to port 80: sudo ufw deny 80/tcp This denies incoming traffic on port 80, effectively closing it for HTTP services. Conclusion Confirming open ports in Linux is a key step for optimizing network functionality and deploying services effectively. With the use of utilities such as iptables, ufw, or firewalld, you can control traffic securely for your apps. You need to test and debug in order to confirm the port is open and working as expected. From web servers to SSH access, to other network services, port management skills ensure smooth operations and better security.

The internet is gradually transitioning to IPv6, and an increasing number of websites, applications, and devices are adopting it. But having an IPv6 address alone isn’t enough. To make everything work properly, you need to configure DNS correctly—both on the server side and on your own computer. Without DNS, no connection will work: the browser simply won’t know where to send the request. This is especially critical for IPv6. If you forget to set the necessary DNS records, your site will become invisible to many users, and even content that used to open just fine may stop working on client devices. How to Check if Your ISP Supports IPv6 This guide is relevant only if your internet provider supports IPv6. Linux-based OS Run the following command: ip -6 addr show If you see interface addresses starting with 2xxx: or 3xxx:, then your provider supports IPv6. macOS Use the command: ifconfig If your ISP assigns an IPv6 address, it will look something like this: Windows Open Command Prompt by pressing Win + R, then type cmd. Enter the following command: ipconfig You should see output like this: What Is DNS for IPv6, and Why Is It Important? DNS is like the internet’s address book. When a user types a website address, the browser doesn’t know where to go—it needs an IP address. DNS translates human-readable addresses into a numeric IP address that devices and networks can use. You need to configure DNS for IPv6 in two places: 1. On the Server (where your website or service is hosted) This enables browsers to find your site via IPv6. If your domain’s DNS zone doesn’t contain an AAAA record with the server’s IPv6 address, browsers won’t even know that they can use the new protocol to access your site. As a result, the site may load slowly or not at all for users with IPv6-only access. 2. On the Client Side (your computer or router) Your computer also needs to know which DNS server to use in order to resolve site addresses into IPv6 format. If your computer or router doesn’t have access to a DNS server that supports IPv6, it won’t open the site, even if your ISP supports IPv6. You need to set up DNS for IPv6 so that the internet continues working quickly, reliably, and without interruptions under the new protocol. Without proper configuration, IPv6 might be available—but not functional. The Best Public IPv6 DNS Servers To ensure stable and fast performance, your device must know which DNS server to query. Usually, the router handles this: it receives the settings from your ISP and distributes them to the network. But if your ISP doesn’t support IPv6 or their DNS is unstable, you can manually specify public DNS servers that support IPv6. These are free, reliable addresses accessible from anywhere in the world: Name Primary IPv6 DNS Address Secondary IPv6 DNS Address Google DNS 2001:4860:4860::8888 2001:4860:4860::8844 Cloudflare 2606:4700:4700::1111 2606:4700:4700::1001 Quad9 2620:fe::fe 2620:fe::9 OpenDNS 2620:119:35::35 2620:119:53::53 All of these services: support IPv6 without additional setup, respond quickly to queries worldwide, protect against fake and malicious sites (especially Quad9 and OpenDNS). When Should You Set DNS Manually? Follow the instructions below if any of the following apply: Your device does not automatically receive DNS server settings. Your ISP does not support IPv6 at the DNS level. Websites load slowly or return “address not found” errors. The next sections explain how to manually configure DNS servers. It only takes a few minutes and results in a stable, error-free internet connection. Configuring DNS IPv6 on Windows If you have internet access but websites won’t load, Windows might not know which DNS server to use for IPv6. You can fix this easily by setting the correct addresses manually. This method works for both Windows 10 and 11—the interface is nearly identical. Open Network Connections: Press Win + R, type ncpa.cpl, and hit Enter. A window with all connections (Ethernet, Wi-Fi, etc.) will open. Find your active connection. It’s usually called “Local Area Connection” or “Wireless Network”.  Right-click on it → select Properties. Choose Internet Protocol Version 6 (TCP/IPv6). In the list of components, find this line and click the Properties button. Enter the DNS servers manually: Check Use the following DNS server addresses. Type in: Preferred: 2001:4860:4860::8888 Alternate: 2001:4860:4860::8844 Save your settings. Click OK → OK, then close the window. Windows will now use the specified DNS servers for IPv6 connections. Configuring IPv6 DNS in Linux DNS configuration in Linux depends on the edition you're using (desktop or server) and the network management tool used (NetworkManager, systemd-networkd, or manual configuration). To ensure everything works correctly with IPv6, you need to determine who is responsible for the network and DNS in your system and then choose the appropriate configuration method. How to Find Out What Your Distribution Uses Open a terminal and run: nmcli device If the command returns a list of interfaces and their statuses, you’re using NetworkManager. If nmcli is not installed, try: networkctl If you see interfaces with the status routable, configured,  you're using systemd-networkd. Ubuntu Desktop, Fedora, Manjaro — Using NetworkManager If you use a graphical environment (GNOME, KDE, Xfce) and see a network icon in the panel — most likely you're using NetworkManager. Via GUI: Go to Settings → Network → Select active connection → IPv6 In the DNS section: Switch the mode to “Manual” or “Advanced” Enter DNS addresses, e.g.: 2001:4860:4860::8888 and 2001:4860:4860::8844 Save and restart the connection Via terminal: nmcli connection modify eth0 ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8844" nmcli connection modify eth0 ipv6.ignore-auto-dns yes nmcli connection up eth0 Replace eth0 with your actual interface name (check it by running nmcli device). Ubuntu Server (18.04+, 20.04+, 22.04+) — Using Netplan On Ubuntu server editions, netplan is used to generate configuration for systemd-networkd. Open the configuration file, for example: sudo nano /etc/netplan/01-netcfg.yaml Add IPv6 addresses in the nameservers section. Be sure to strictly follow YAML formatting — use spaces only, no tabs. Usually, indentations are multiples of 4 spaces. In the addresses field, insert the IPv6 address with /64. In the gateway6 field, insert the gateway — drop the last group of your IPv6 address and replace it with 1 to get the gateway address.  network: version: 2 ethernets: eth0: dhcp4: true dhcp4-overrides: use-dns: false dhcp6: false addresses: - 2001:0db8:a::0370/64 gateway6: 2001:0db8:a::1       match: macaddress: <insert your machine’s MAC address> nameservers: addresses: - 2001:4860:4860::8888 - 2001:4860:4860::8844 Apply the changes: sudo netplan apply After applying the changes, verify that the correct DNS servers are in use. If the DNS Servers field displays incorrect servers, they are likely being automatically delivered via DHCP. Disable this as follows: Ensure correct permissions on the YAML file: sudo chmod 600 /etc/netplan/01-netcfg.yaml Delete the old resolv.conf and create a symlink: sudo rm -f /etc/resolv.conf sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf If you get the error “Unable to resolve host”, add the hostname to /etc/hosts: HOSTNAME=$(hostname) sudo sed -i "/127.0.1.1/d" /etc/hosts echo "127.0.1.1 $HOSTNAME" | sudo tee -a /etc/hosts Enable systemd-resolved (if it’s not already): sudo systemctl enable systemd-resolved --now Apply configuration and restart services: sudo netplan apply sudo systemctl restart systemd-networkd sudo systemctl restart systemd-resolved Recheck the result: resolvectl status resolvectl dns At this point, DHCP-based DNS should be fully disabled. Modern Systems with systemd-resolved If your system uses systemd-resolved directly (e.g., Arch Linux, or Ubuntu with systemd), you can define DNS via the config file. Open the configuration file: sudo nano /etc/systemd/resolved.conf Add the following lines: [Resolve] DNS=2001:4860:4860::8888 2001:4860:4860::8844 FallbackDNS=2606:4700:4700::1111 Restart the service: sudo systemctl restart systemd-resolved Manual Configuration via resolv.conf — If Nothing Else Works Sometimes, it's easiest to make changes directly in /etc/resolv.conf, especially in minimal systems or containers. Open the file: sudo nano /etc/resolv.conf Add the lines: nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844 Keep in mind that the system often overwrites this file. To preserve settings: sudo chattr +i /etc/resolv.conf Configuring IPv6 DNS on a Router If you've already configured IPv6 DNS on your server and PC, but the site still won't open via the new protocol, check your router settings. The router distributes the internet and tells devices where to send DNS queries. If no IPv6-enabled DNS servers are set on the router, your home devices may still use the old protocol — even if the ISP has switched to IPv6. Where to Find IPv6 DNS Settings It depends on the model, but the typical path is: Router settings → Internet / WAN → IPv6 → DNS. If there is a separate DNS tab, go to it. Some models hide these parameters in Advanced sections. Example: TP-Link Router Go to the router’s interface: 192.168.0.1 or tplinkwifi.net Enter your login and password Go to Advanced → IPv6 Enable IPv6 — it’s usually off by default In WAN connection settings, check Configure the DNS server manually Enter your selected IPv6 DNS addresses, e.g.: 2001:4860:4860::8888 2001:4860:4860::8844 Save changes and reboot the router Example: Keenetic Router Go to my.keenetic.net From the menu, select Internet → Connection Go to the DNS Servers tab Check Manual Enter IPv6 addresses (e.g., Google DNS) Apply changes and reboot the router What to Do If DNS Doesn’t Accept IPv6 Check whether your router supports IPv6 (not all older models do). Make sure your ISP has assigned a global IPv6 address (and not just fe80::). Try updating your router’s firmware — this often resolves the issue. How to Test DNS over IPv6 Testing DNS over IPv6 is easy — both in a browser and via the terminal. It takes just a few minutes and quickly helps identify where the problem is: in the DNS, the network, or IPv6 itself. In the Browser The simplest method is to open a testing site: test-ipv6.com The page will show: Whether there is an IPv6 connection. Which protocol is used by default (IPv4 or IPv6). Whether DNS over IPv6 is working. Whether popular websites have AAAA records. If everything is green, it’s working fine. If there’s an error, the site will tell you what the issue is. In the Terminal (Linux, macOS) Check the AAAA DNS record: dig AAAA google.com If the response includes an IPv6 address (e.g., 2a00:1450:4009::200e), then DNS over IPv6 is working. Check which DNS servers are being used: resolvectl status This shows active interfaces and DNS servers (including IPv6 ones). Check whether traffic goes through IPv6: ping6 google.com Or: curl -6 https://ifconfig.co If the command executes and shows an IPv6 address, then IPv6 connectivity is active. Solving Common Issues Below is a cheat sheet for resolving problems frequently encountered when configuring IPv6 DNS: Symptom Problem Solution Websites open, but slowly. ping6 works, but ping is faster. The browser tries IPv6 first, then falls back to IPv4. The DNS server responds too slowly. Often, the ISP's default DNS is the culprit. Switch to a fast public DNS server. See "Configuring IPv6 DNS in Windows" or "Configuring IPv6 DNS in Linux". ping6 google.com → “Name or service not known” The DNS client is not receiving IPv6 responses: either the server addresses are incorrect or IPv6 is disabled on the interface. Check if IPv6 is active using ip -6 addr. Make sure resolvectl status shows an IPv6 DNS server. If not, set one manually (see Windows or Linux setup guides). Internet stops working after netplan apply. There’s a syntax error in the YAML file or the gateway is missing. Check the file using netplan try. If there’s an error, roll back and reapply the changes carefully. Watch for typos and fix indentation — use two spaces per level. No active connections in Ubuntu GUI. Netplan uses systemd-networkd, while the GUI expects NetworkManager. Either edit Netplan for a server setup, or install NetworkManager and change renderer: NetworkManager in the config file. nslookup -type=AAAA site.com in Windows shows “Non-existent domain”. The router does not have IPv6 DNS set, or its firmware does not support the protocol. Log in to the router's admin panel → “IPv6” → “DNS” → enter Cloudflare or Google DNS. Update firmware if the “IPv6” section is completely missing. Docker container ignores IPv6 DNS. Docker daemon uses its own resolv.conf copied at startup. Add the DNS address to /etc/docker/daemon.json, or pass it when launching the container: docker run --dns 2606:4700:4700::1111 alpine systemd-resolved continuously caches a SERVFAIL error. An upstream DNS server failed; the failed response is cached. Clear the cache and change DNS: sudo resolvectl flush-caches sudo systemd-resolve --set-dns=2001:4860:4860::8888 --interface=eth0 A site with HSTS loads via HTTPS only over IPv4. The certificate has only an A record; there's no AAAA record — the browser doesn’t trust it. Issue a certificate that validates both IP versions. For Let’s Encrypt:   sudo certbot --preferred-challenges http -d site.com -d '*.site.com' ping6 to a local host is OK, but gives “Network unreachable” to the internet. The ISP assigned a prefix but no gateway (gateway6 is not set). Manually add a gateway: gateway6: 2a03:6f01:1:2::1 Apply the changes: sudo netplan apply IPv6 address is present, but DNS queries go to 192.168.0.1.  The router distributes IPv4 DNS via DHCPv6 Option 23; the system gives them higher priority. Manually set IPv6 DNS with the highest priority: sudo resolvectl dns-priority eth0 0 dig @2606:4700:4700::1111 google.com works, but dig google.com doesn't. systemd-resolved listens on 127.0.0.53, but a local firewall blocks outbound DNS packets. Allow outbound traffic on port 53 (UDP and TCP) or disable UFW: sudo ufw allow out 53 Compare your symptom with the first column and check the brief diagnosis in the second column. Execute the command(s) in the third column and verify the result. If the issue isn’t resolved, return to the DNS setup steps. Conclusion The transition to IPv6 is slow, but inevitable. More and more ISPs are issuing only IPv6 addresses, more hosting providers are operating with Dual Stack, and more services are checking for IPv6 support by default. And if DNS is misconfigured, connections fail, websites won’t load, and users will leave for services that work. The good news? It all takes 5–10 minutes: Add an AAAA record in your hosting panel; Set reliable public DNS servers on your server, router, and client devices; Check the result — and forget about the issue. IPv6 is not about the future — it’s about ensuring your website, service, or home network works reliably right now. And a properly configured DNS is your ticket into this new Internet.