Skip to content

No IPv6 fallback for domain resolution #6301

New issue
New issue
Open
Open
No IPv6 fallback for domain resolution#6301
Labels
bugSomething isn't working
@fabiopicchi

Description

@fabiopicchi
fabiopicchi
opened on Sep 18, 2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3
  • Web-vault version: v2025.7.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: SQLite
  • Database version: 3.50.2
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: false
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/Helsinki
  • Browser/Server Time Check: true
  • Server/NTP Time Check: n/a
  • Domain Configuration Check: false
  • HTTPS Check: false
  • Websocket Check: false
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*********",
  "domain_origin": "****://*********",
  "domain_path": "",
  "domain_set": false,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3

Deployment method

Official Container Image

Custom deployment method

Hi! I am using Vaultwarden for quite some time now and I recently moved it to an IPv6-only VPC from Hetzner to cut costs.

However, it seems that icon downloads stop working altogether. From what I could debug, the issue seems to be related to reqwest (or, at a lower level, hickory). Even though it can solve the domain name, it defaults to the IPv4 address with no fallback to IPv6.

Ideally, this configuration should be exposed in Vaultwarden.

Reverse Proxy

nginx 1.29.1

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04.3 LTS

Clients

Web Vault

Client Version

v2025.7.0

Steps To Reproduce

  1. Spin up Vaultwarden in a machine without IPv4 interfaces
  2. Try to download icons
  3. Fail

Expected Result

Icons are downloaded through their IPv6 addresses.

Actual Result

An attempt is made to download it through IPv4, it times out, and no icon is downloaded.

Logs

[2025-09-18 16:44:50.282][request][INFO] GET /icons/secure.backblaze.com/icon.png
[2025-09-18 16:44:50.302][reqwest::connect][DEBUG] starting new connection: https://secure.backblaze.com/
[2025-09-18 16:44:50.306][hickory_proto::xfer::dns_handle][DEBUG] querying: secure.backblaze.com. A
[2025-09-18 16:44:50.310][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("secure.backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.313][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-09-18 16:44:50.316][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("secure.backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.318][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 37119:QUERY:RD:NoError:QUERY:0/0/0
; query
;; secure.backblaze.com. IN A

[2025-09-18 16:44:50.322][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-09-18 16:44:50.330][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 37119
[2025-09-18 16:44:50.332][hickory_proto::error][DEBUG] response: ; header 37119:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; secure.backblaze.com. IN A
; answers 2
secure.backblaze.com. 300 IN A 104.17.5.3
secure.backblaze.com. 300 IN A 104.17.6.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.339][hickory_proto::error][DEBUG] response: ; header 37119:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; secure.backblaze.com. IN A
; answers 2
secure.backblaze.com. 300 IN A 104.17.5.3
secure.backblaze.com. 300 IN A 104.17.6.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.343][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.5.3:443
[2025-09-18 16:44:50.346][reqwest::connect][DEBUG] starting new connection: http://secure.backblaze.com/
[2025-09-18 16:44:50.347][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.5.3:80
[2025-09-18 16:44:50.348][vaultwarden::api::icons][DEBUG] [get_icon_url]: Trying without subdomains 'backblaze.com'
[2025-09-18 16:44:50.350][reqwest::connect][DEBUG] starting new connection: https://backblaze.com/
[2025-09-18 16:44:50.351][hickory_proto::xfer::dns_handle][DEBUG] querying: backblaze.com. A
[2025-09-18 16:44:50.351][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.353][hickory_resolver::name_server::name_server][DEBUG] existing connection: NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-09-18 16:44:50.354][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.354][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 43983:QUERY:RD:NoError:QUERY:0/0/0
; query
;; backblaze.com. IN A

[2025-09-18 16:44:50.357][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-09-18 16:44:50.365][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 43983
[2025-09-18 16:44:50.365][hickory_proto::error][DEBUG] response: ; header 43983:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; backblaze.com. IN A
; answers 2
backblaze.com. 300 IN A 104.17.6.3
backblaze.com. 300 IN A 104.17.5.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.367][hickory_proto::error][DEBUG] response: ; header 43983:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; backblaze.com. IN A
; answers 2
backblaze.com. 300 IN A 104.17.6.3
backblaze.com. 300 IN A 104.17.5.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.371][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.6.3:443
[2025-09-18 16:44:53.410][reqwest::connect][DEBUG] starting new connection: http://backblaze.com/
[2025-09-18 16:44:53.410][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.6.3:80
[2025-09-18 16:44:56.450][reqwest::connect][DEBUG] starting new connection: https://secure.backblaze.com/
[2025-09-18 16:44:56.450][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.5.3:443
[2025-09-18 16:44:59.490][vaultwarden::api::icons][WARN] Unable to download icon: Req.
[CAUSE] reqwest::Error {
    kind: Request,
    url: "https://secure.backblaze.com/favicon.ico",
    source: hyper_util::client::legacy::Error(
        Connect,
        ConnectError(
            "tcp connect error",
            104.17.5.3:443,
            Os {
                code: 101,
                kind: NetworkUnreachable,
                message: "Network is unreachable",
            },
        ),
    ),
}
[2025-09-18 16:44:59.495][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK

Screenshots or Videos

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions