Does Norton VPN hate IPv6 and DNS Encryption Certificates?

I just wanted to ask “the Community” if Norton VPN (which uses Amazon servers for the most part) hates to use IPv6 and DNS Encryption Authentication? Almost every time I connect to a Norton VPN Server, regardless of location, IPv6 is not even being used, and their DNS does not use all the Encryption Certificates that almost every other VPN uses. Why is this? Not a very good “security standard” for a “Cyber Security” company.

I know IPv6 has a known vulnerability and leaks. That might be why Norton VPN has decided not to use it. But if that is the case, then couldn’t they at least add a configuration option in the settings for their customers to configure themselves?
I.e. only IPv4 or IPv6, or both?

Attached here are some screenshots to show what’s going on.

Denver Server:

Sydney Server:

Zaventem Server:

Sao Paulo Server:

Vienna Server:

And lastly, below is an example of a third party DNS server being enabled through the network settings of my device. The picture below shows that IPv6 will work if you use a different DNS provider. And so will the various Encryption Authentication Certificates.

Vienna Server with Third Party DNS:

I’ve read through some of the other IPv6 posts here, and I noticed I’m not the only one who noticed this problem, and has a problem with IPv6 not being enabled on Norton’s VPN service.

So, will Norton ever fix this problem?
Or is this lack of security and service to be expected for the foreseeable future from Norton VPN?

I know IPv6 has a known vulnerability and leaks. That might be why Norton VPN has decided not to use it. But if that is the case, then couldn’t they at least add a configuration option in the settings for their customers to configure themselves?
I.e. only IPv4 or IPv6, or both?

Someone really has to try to find the leak before it’s found in IPv6. And every month, more and more devices require IPv6, because IPv4 is running out of IP addresses.

As far as the Norton DNS Encryption Authentication Certificates not being utilized by Norton VPN, why is that?

This all sounds above my pay grade. I’ll see if I can get some eyes on it for you.

1 Like

Hello Vader. That’s a ton of information you posted there so we can try to digest it a bit, first off. Norton DOES support IPv6 as shown in the below article. In the older forums, where it will take forever to dig up the threads and posts, we entertained this exact issue quite some time ago. Gurus such as myself, peterweb, bjm and others spent a boatload of time working with it.

Having worked this IPv6 issue before, we determined that using the Norton VPN, no matter what server is used or its location, IPv6 leaks WITH IPv6 enabled on personal routers and ISP provided devices. Our suggestion then, as it would be now, is to disable IPv6 on those two specific devices, IF your ISP doesn’t require them for services to function. I have IPv6 disabled on my FIOS and personal TP-Link devices, having had zero issues with leaks using only IPv4. Running security audits on my network provided information that showed the Norton VPN no longer was leaking. Other forums for other products also recommend disabling IPv6 on their products as well due to the nature of leaking in IPv6. IPv6 isn’t released as a “standard” to use; it requires an extra measure of maintenance on the part of the entity using it. That equates to High Costs, High Maintenance. That doesn’t mean companies aren’t moving toward and using it nevertheless.

https://www.ipxo.com/blog/common-ipv6-issues/

In most cases, the example of leakage comes when your ISP is using both protocols and you are connecting to some website or service which supports only IPv4. This is where IPv6 leaks may happen - the requests you are sending to that website or service will contain both your IPv4 and IPv6 IP addresses. Using only IPv4 on your devices corrects that issue. Developers have to fix the leak issues, therefore there isn’t anything we can do from the consumer side.

From where I sit (I am not an engineer nor developer for Norton) this may be the reason for certificates in Norton remaining expired: Costs!! It also makes sense that using an OV SSL certificate in the VPN pipeline would be prudent.

Organization Validation certificates (OV SSL)

Getting an OV SSL is easier than applying for an EV SSL. For a certificate authority to issue an OV SSL, they perform only a basic review of an entity. They check that the organization or business exists and that the entity applying for the certificate owns the domain name.

The most common uses for OV SSLs are for sites that need security but aren’t public-facing. For example, an OV SSL would be a good fit for a company that needs secure login pages for internal systems or as security for intranets.

The introduction of Surfshark into Norton VPN may be an attempt to correct the IPv6 issues at some point. Surfshark doesn’t support IPv6 for the reasons here:

So, when I boiled everything down to the “why” VPN issues are present with AWS (which Norton and other vendors use) it became this simple as shown below:

From the AWS article: The following rules apply:

  • IPv6 addresses are only supported for the inside IP addresses of the VPN tunnels. The outside tunnel IP addresses for the AWS endpoints are IPv4 addresses, and the public IP address of your customer gateway must be an IPv4 address.
  • Site-to-Site VPN connections on a virtual private gateway do not support IPv6.
  • You cannot enable IPv6 support for an existing Site-to-Site VPN connection.
  • A Site-to-Site VPN connection cannot support both IPv4 and IPv6 traffic.

IPv4 and IPv6 traffic - AWS Site-to-Site VPN.

From my perspective the certificate issues are coupled with its need and AWS restrictions with how its pipeline services are offered and can be configured. Hope I am not out of bounds and this helps in some manner.

SA

2 Likes
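The dual-stack situation discussed in the reply above (IPv4 going through the VPN while IPv6 still leaves via the router) can be checked from a host's routing tables. This is an added example, not code from the thread or from Norton; it assumes Linux `ip route` style output, looks only at the main routing table (policy-routing tables are not modelled), and the interface names `tun0`/`wlan0` and the sample tables are constructed.

```python
import ipaddress

BLOCKED = "BLOCKED"  # marker for blackhole/unreachable/prohibit routes

# Constructed sample: `ip route show` / `ip -6 route show` style output from a
# dual-stack host whose VPN client (tun0) installed IPv4 routes only.
SAMPLE_V4 = """\
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
SAMPLE_V6 = """\
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

def parse_routes(text, version):
    """Return [(network, device)] parsed from `ip route`-style lines."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        fields = line.split()
        blocked = bool(fields) and fields[0] in ("blackhole", "unreachable", "prohibit")
        if blocked:
            fields = fields[1:]
        if not fields or (not blocked and "dev" not in fields):
            continue
        prefix = default if fields[0] == "default" else fields[0]
        dev = BLOCKED if blocked else fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes

def egress_device(routes, dest):
    """Longest-prefix match; returns None when no route covers dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def check_leak(v4_text, v6_text, tunnel_devs):
    """Flag IPv6 leaving outside the tunnel while IPv4 is tunnelled."""
    # Probe addresses come from the documentation ranges (RFC 5737 / RFC 3849).
    v4_dev = egress_device(parse_routes(v4_text, 4), "192.0.2.1")
    v6_dev = egress_device(parse_routes(v6_text, 6), "2001:db8::1")
    leak = (v4_dev in tunnel_devs and v6_dev not in (None, BLOCKED)
            and v6_dev not in tunnel_devs)
    return {"ipv4_via": v4_dev, "ipv6_via": v6_dev, "ipv6_leak": leak}

if __name__ == "__main__":
    print(check_leak(SAMPLE_V4, SAMPLE_V6, {"tun0"}))
```

On a real host, pass the live output of `ip route show` and `ip -6 route show` together with the VPN interface name; a blackholed or absent IPv6 default route reports no leak.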

Thank you, and no, that was a good response. A VPN renting servers from AWS (Amazon) isn’t a good privacy and security move for any VPN company. For the lack of configuration options and the lack of IPv6 support. Nord VPN and Express VPN offer IPv6 support and they don’t rent servers from Amazon. I’m curious, why did you bring up Surfshark?

The OV SSL with Norton needs improvement. Everyone uses it.

I’ve also noticed some weird connection problems with Norton, that go away when I just switch to a different VPN. Phone notifications start again (for example).

Thank you for the good response.

You’re welcome. I try to be as thorough as I can be without confusing while doing so. Regarding Surfshark, that was a typo on my part unfortunately. I should have said WireGuard and its cross-platform usage. Norton Secure VPN using the ultra-secure IPsec and WireGuard protocols, and the OpenVPN protocol on Android were my references to the previous integrations. Here are some of the protocols Norton has written about:

SA

Following up with the thread to see if there are other questions you may have and whether we can assist further. If not, please mark the thread as solved; if you are satisfied that it indeed is, just mark the appropriate reply as the solution. I’m sure others will benefit seeing that solution when they search for an answer to the same or similar issue.

SA

It does. Hopefully this post will help others when they notice the same problems with Norton VPN. I’ll see if I can figure out how to mark a reply as a solution.

Again, thank you for the response.

1 Like