Different 'ping6' reverse lookup behavior using ipv4 vs ipv6 dns servers in /etc/resolv.conf

Question

I'm hoping someone could help shed some light on the different behavior ping6 is demonstrating on a GNU/Linux box.

The machine is a Linode host which has been assigned both an IPv4 and IPv6 address. It is running in a dual-stack configuration. The Linode people have provided two IPv4 resolvers, and two IPv6 resolvers. (for this question I will only use one of each type).

When I configure my /etc/resolv.conf file to use an IPv4 resolver;

# /etc/resolv.conf
nameserver 72.14.179.5

ping6 performs a reverse-lookup for every echo reply, and displays the address accordingly. (This is what I expect.)

$ ping6 -c 6 google.com
PING google.com(dfw06s33-in-x05.1e100.net) 56 data bytes
64 bytes from dfw06s33-in-x05.1e100.net: icmp_seq=1 ttl=49 time=34.7 ms
64 bytes from dfw06s33-in-x05.1e100.net: icmp_seq=2 ttl=49 time=34.7 ms
64 bytes from dfw06s33-in-x05.1e100.net: icmp_seq=3 ttl=49 time=34.7 ms
64 bytes from dfw06s33-in-x05.1e100.net: icmp_seq=4 ttl=49 time=34.7 ms
64 bytes from dfw06s33-in-x05.1e100.net: icmp_seq=5 ttl=49 time=34.7 ms
64 bytes from dfw06s33-in-x05.1e100.net: icmp_seq=6 ttl=49 time=34.7 ms

If I run tcpdump, as I run the ping6 command, I can see the 1 forward lookup, and 6 reverse lookups as expected.

$ sudo tcpdump -n -i eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:00:23.128883 IP 23.239.30.203.37353 > 72.14.179.5.53: 18114+ AAAA? google.com. (28)
21:00:23.129194 IP 72.14.179.5.53 > 23.239.30.203.37353: 18114 1/0/0 AAAA 2607:f8b0:4000:805::1003 (56)
21:00:23.129380 IP 23.239.30.203.58841 > 72.14.179.5.53: 32482+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:23.129661 IP 72.14.179.5.53 > 23.239.30.203.58841: 32482 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)
21:00:23.164677 IP 23.239.30.203.47867 > 72.14.179.5.53: 30527+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:23.165086 IP 72.14.179.5.53 > 23.239.30.203.47867: 30527 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)
21:00:24.166410 IP 23.239.30.203.55723 > 72.14.179.5.53: 37565+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:24.167221 IP 72.14.179.5.53 > 23.239.30.203.55723: 37565 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)
21:00:25.166735 IP 23.239.30.203.52095 > 72.14.179.5.53: 15353+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:25.167138 IP 72.14.179.5.53 > 23.239.30.203.52095: 15353 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)
21:00:26.167883 IP 23.239.30.203.60999 > 72.14.179.5.53: 48567+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:26.168327 IP 72.14.179.5.53 > 23.239.30.203.60999: 48567 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)
21:00:27.169385 IP 23.239.30.203.33681 > 72.14.179.5.53: 42354+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:27.169847 IP 72.14.179.5.53 > 23.239.30.203.33681: 42354 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)
21:00:28.170818 IP 23.239.30.203.36738 > 72.14.179.5.53: 15194+ PTR? 3.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.5.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:00:28.171221 IP 72.14.179.5.53 > 23.239.30.203.36738: 15194 1/0/0 PTR dfw06s33-in-x03.1e100.net. (129)

However, if I configure /etc/resolv.conf to use an IPv6 resolver;

# /etc/resolv.conf
nameserver 2600:3c00::3

ping6 performs a reverse-lookup for every other echo request. (I'm confused)

$ ping6 -c 6 google.com
PING google.com(2607:f8b0:4000:803::1000) 56 data bytes
64 bytes from dfw06s27-in-x00.1e100.net: icmp_seq=1 ttl=49 time=33.1 ms
64 bytes from 2607:f8b0:4000:803::1000: icmp_seq=2 ttl=49 time=33.2 ms
64 bytes from dfw06s27-in-x00.1e100.net: icmp_seq=3 ttl=49 time=33.2 ms
64 bytes from 2607:f8b0:4000:803::1000: icmp_seq=4 ttl=49 time=33.2 ms
64 bytes from dfw06s27-in-x00.1e100.net: icmp_seq=5 ttl=49 time=33.1 ms
64 bytes from 2607:f8b0:4000:803::1000: icmp_seq=6 ttl=49 time=33.2 ms

I confirm this by looking at tcpdump output as I run ping6. I see the one forward lookup, but only 3 reverse lookups.

$ sudo tcpdump -n -i eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:10:12.163444 IP6 2600:3c00::f03c:91ff:fe73:ee8f.35982 > 2600:3c00::3.53: 47249+ AAAA? google.com. (28)
21:10:12.164457 IP6 2600:3c00::3.53 > 2600:3c00::f03c:91ff:fe73:ee8f.35982: 47249 1/0/0 AAAA 2607:f8b0:4000:803::1000 (56)
21:10:12.198491 IP6 2600:3c00::f03c:91ff:fe73:ee8f.37631 > 2600:3c00::3.53: 18439+ PTR? 0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.3.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:10:12.207233 IP6 2600:3c00::3.53 > 2600:3c00::f03c:91ff:fe73:ee8f.37631: 18439 1/0/0 PTR dfw06s27-in-x00.1e100.net. (129)
21:10:14.201780 IP6 2600:3c00::f03c:91ff:fe73:ee8f.55836 > 2600:3c00::3.53: 9503+ PTR? 0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.3.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:10:14.202272 IP6 2600:3c00::3.53 > 2600:3c00::f03c:91ff:fe73:ee8f.55836: 9503 1/0/0 PTR dfw06s27-in-x00.1e100.net. (129)
21:10:16.204599 IP6 2600:3c00::f03c:91ff:fe73:ee8f.46736 > 2600:3c00::3.53: 38520+ PTR? 0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.3.0.8.0.0.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. (90)
21:10:16.205006 IP6 2600:3c00::3.53 > 2600:3c00::f03c:91ff:fe73:ee8f.46736: 38520 1/0/0 PTR dfw06s27-in-x00.1e100.net. (129)

Any insight, is greatly appreciated.

Answer 1

Both ping's and ping6's code use one shared function char * pr_addr(void *sa, socklen_t salen) from ping.c to format hostname (address) substring in output. pr_addr calls getnameinfo(), which is a typical library function, provided by OS. So there is no difference in lookup behaviour