AAAA records blocked on all registrars. Destination unreachable: Administratively prohibited. ISP denies involvement

I have just noticed that this is the case on my other server as well.

So no matter which registrar and DNS server I have, Yunohost, it doesn’t work.

I am being told on Freenode:##networking that the problem lies within “the firewall”.
Is this Yunohost’s firewall?

[Me@MyComputer ~]$ traceroute -6 mydomain.tld
mydomain.tld: Name or service not known
Cannot handle "host" cmdline arg `mydomain.tld' on position 1 (argc 2)

You can disable the yunohost firewall and fail2ban and check that, I guess. By the way, what’s the app which you installed before this happened?

By the way, what’s the app which you installed before this happened?

Unknown. This could always have been the case.
I tested if the domain was accessible and whether the IPv6 address was accessible, not whether the domain led to an IPv6 address.


Even with the yunohost firewall and fail2ban off it doesn’t work.


I called the ISP again and they denied yet again that it was something on their end.

The only thing that’s left that could be the culprit is my modem, which has been acting weirdly for the longest time, so I’m going to replace that thing.
I’m 70% sure myself and my modem are the culprit, as I understood port sharing as port forwarding and couldn’t understand why IPv6 was in there, so I never opened that up.

Why I could then access IPv6 I don’t know. But I’m going to replace the router and see what happens.

[update #2]

I have the new router and still experience the same problem.

[update #3]

It turned out to be faulty IPv6 interface IDs, which I had to adjust manually.
It looks like this was my problem all along, causing the ping error "Destination unreachable: Administratively prohibited".
My modem automatically took the IPv6 link addresses instead of the global ones.

[update #4]

Okay. Looks like this problem is only temporarily solved, because at some point the addresses are renewed again, replacing the correct values back with the automatically generated faulty ones.
It looks like those addresses are automatically generated by something called resolvconf.
In the thread below someone has the same problem.
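
A check for the two conditions described in update #3 and update #4, as an added example that is not part of the original thread: it flags an address entered in a router rule or AAAA record that is link-local rather than global, and one that no longer matches the server after its addresses are renewed. The function names and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def parse(text):
    """Parse an IPv6 address, dropping a zone index such as '%eth0'."""
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def scope(text):
    """Classify an address by where it can be routed."""
    addr = parse(text)
    if addr in LINK_LOCAL:
        return "link-local"      # valid on one network segment only
    if addr in UNIQUE_LOCAL:
        return "unique-local"    # private, not routed on the Internet
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def interface_id(text):
    """Return the lower 64 bits (the interface ID) as 16 hex digits."""
    return format(int(parse(text)) & (2**64 - 1), "016x")


def audit(host_addrs, configured):
    """Compare configured addresses with those currently on the server.

    host_addrs: addresses on the server's interface right now.
    configured: {where: address}, e.g. the AAAA record and the router rule.
    """
    current = {parse(a) for a in host_addrs if scope(a) == "global"}
    findings = {}
    for where, text in configured.items():
        if scope(text) != "global":
            findings[where] = "not routable: " + scope(text)
        elif parse(text) not in current:
            findings[where] = "stale: not on the host any more"
        else:
            findings[where] = "ok"
    return findings


# Constructed sample data; 2001:db8::/32 is the documentation prefix and
# stands in for the prefix delegated by the ISP.
HOST = ["fe80::211:22ff:fe33:4455%eth0", "2001:db8:1:2:211:22ff:fe33:4455"]
RULES = {"router rule": "fe80::211:22ff:fe33:4455",
         "AAAA record": "2001:db8:1:2:211:22ff:fe33:4455"}
```

Both sample addresses share the same interface ID, which is why a link-local address can be mistaken for the global one; only the prefix tells them apart.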