
Setting a website to be available over IPv6 is relatively easy, yet we see:

    ;; QUESTION SECTION:
    ;news.ycombinator.com.  IN AAAA

Why? Because it's not quite as simple as making Apache respond over IPv6; any website of any size has various protections in place to prevent DDoS, spam, etc, and those tools are almost universally basic and at the root is the "ban by IPv4 address". Without that tooling supporting IPv6, it remains a side note not worth supporting.

Solutions? You can make an IPv6 version available that is read-only; or requires you to log in via an IPv4-only gateway first (and protect that) and then ban by username as necessary.

And outbound? You have to IPv4 NAT which maybe Hetzner offers? If not there are things like https://nat64.net




> Why? Because it's not quite as simple as making Apache respond over IPv6; any website of any size has various protections in place to prevent DDoS, spam, etc, and those tools are almost universally basic and at the root is the "ban by IPv4 address". Without that tooling supporting IPv6, it remains a side note not worth supporting.

The consensus I've seen is to treat IPv6 /56s or /48s (depending on preferred strictness) as an IPv4 address. From there, it's quite simple to port the security mechanisms.

Of course the chicken/egg problem comes back, because many of these "solutions" don't support IPv6 because nobody asked them to support IPv6 because they don't use IPv6 because their solutions don't support IPv6.

As for HN, good question. Adding a simple line to your DNS server or hosts file to make HN resolve on IPv6 is enough to get it to work.

Edit: emailed dang, it's on the roadmap!
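
The /56-or-/48 grouping suggested in the reply above, shown as an added example that is not part of the original thread or any site's actual tooling. The names `ban_key` and `PrefixLimiter` are hypothetical, and the addresses are constructed from documentation prefixes.

```python
import ipaddress
from collections import Counter

V6_PREFIX = 56  # assumption: /56 as suggested above; pass 48 for stricter grouping


def ban_key(addr: str, v6_prefix: int = V6_PREFIX) -> str:
    """Return the network a ban or rate limit should be keyed on."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return f"{ip}/32"
    # Mask the host bits so every address in the prefix shares one key
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class PrefixLimiter:
    """Counts events per ban key and bans a key once it exceeds `limit`."""

    def __init__(self, limit: int, v6_prefix: int = V6_PREFIX):
        self.limit = limit
        self.v6_prefix = v6_prefix
        self.hits = Counter()
        self.banned = set()

    def allow(self, addr: str) -> bool:
        key = ban_key(addr, self.v6_prefix)
        if key in self.banned:
            return False
        self.hits[key] += 1
        if self.hits[key] > self.limit:
            self.banned.add(key)
            return False
        return True


# Constructed sample: one client rotating through addresses inside its own
# /56 (documentation prefix 2001:db8::/32), plus an unrelated neighbour.
ROTATING = [f"2001:db8:aa:bb{i:02x}::{i + 1:x}" for i in range(6)]
NEIGHBOUR = "2001:db8:aa:cc00::1"

if __name__ == "__main__":
    lim = PrefixLimiter(limit=3)
    for a in ROTATING + [NEIGHBOUR, "::ffff:192.0.2.7", "192.0.2.7"]:
        print(f"{a:28} {ban_key(a):26} allowed={lim.allow(a)}")
```

Keying on the single /128 instead would let the rotating client through on every request, while a /48 key would also catch the neighbour in the sample.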


Actually HN is available via IPv6 over Cloudflare. You have to add a CF IPv6 it to the hosts file.

In fact I am posting this comment over IPv6.


> You have to add a CF IPv6 it to the hosts file.

That's worse, yeah? You do see how that's worse?


The fact anyone should think this is somehow an acceptable state of the art is obscene to me.


> hosts file

1986 wants a word.


I actually run a separate DNS proxy that does it automatically for me. (HN and a lot of other sites)

I only mentioned hosts file because it is the easiest way to spoof the domain.


That's still the same thing: you're manually adding a mapping where you shouldn't have to. HN should just publish the AAAA RRs and be done.


Your comment has no useful information.


Put this in your /etc/hosts file and it should work (I don't know if it does as I don't have IPv6)

    2a06:98c1:3120::5 news.ycombinator.com


Can confirm, works like a charm!


Which is not useful information in this discussion.


Ok, but please don't respond to a bad comment (or one you feel is bad) by posting bad comments yourself. That only makes everything worse.

A better way to counter comments that don't contain useful information would be to add some useful information; or perhaps to post a question explaining what information is missing and asking for it.

https://news.ycombinator.com/newsguidelines.html



