IPv6 inbound works, but Plex does not publish AAAA record → remote IPv6 access fails

Plex Media Server Remote Access
1

Server Version#: v1.42.2.10156
Player Version#:v1.110.0

I’m troubleshooting IPv6 remote access for my Plex Media Server running on macOS behind pfSense.

Here is what I’ve confirmed:

  1. My server has a valid, globally routable IPv6 address assigned via my ISP.
  2. My pfSense WAN firewall rule correctly allows inbound IPv6 traffic to port 32400 (no NAT used).
  3. From a device on cellular, I can directly reach PMS via IPv6 using a request like:

curl -v http://[my-server’s-global-IPv6]:32400

This returns 401 Unauthorized, meaning IPv6 transport to PMS works correctly end-to-end.

The problem

Plex never publishes an AAAA record for my plex.direct hostname.

When querying the AAAA record for my server’s plex.direct domain, the DNS response always contains:
• No AAAA answers
• Only an SOA entry from ns-plexdirect.plex.tv

As a result:
• The Plex Web App cannot load my server via IPv6
• The Plex Mobile App cannot connect using IPv6
• Browsers treat the IPv6-based plex.direct URL as a search term
• Remote Access never shows “Fully Accessible” when IPv6 is the only transport path

Despite IPv6 working perfectly at the network level, Plex does not seem to expose an IPv6 access path.

My Questions

  1. Is Plex supposed to publish AAAA records for plex.direct hostnames?
  2. If not, does Plex officially support IPv6-only remote access?
  3. Is there a recommended method to enable discovery/remote access via IPv6?
  4. Should I avoid configuring IPv6 in the “Custom server access URLs” field?

I’d like to understand whether this is a configuration issue or simply unsupported behavior, since IPv6 routing itself is confirmed working.

Thanks for any guidance.

2

Navigate to this address in your browser (for Safari, you need to have developer options enabled):

https://plex.tv/api/resources?includeIPv6=1&includeHttps=1&X-Plex-Token=your_plex_token

You can find your token using the information here:
https://support.plex.tv/articles/204059436-finding-an-authentication-token-x-plex-token/#toc-0

In the XML output, find your server and see if your IPv6 connection information is published.

Yes. And it does when correctly configured.

Not with the new experience apps. Historically, only the bespoke Apple clients support IPv6, as far as I know. If you have access to the Apple clients’ version 8.45 or earlier, then you may be in luck.

You’ll need to wait for client support.

Probably not, at this point as it’s not support by most (any?) current clients.

3

@pshanew Thanks — I verified my configuration and inbound IPv6 works, but Plex’s authoritative DNS still does not publish a AAAA record for my plex.direct hostname.

dig against both pfSense (Unbound) and Google DNS returns:
• NOERROR
• No AAAA record
• Only SOA in authority

Since the responses from public DNS and local DNS match, this indicates Plex’s own DNS servers are not publishing the AAAA record.

Inbound IPv6 connectivity is confirmed via direct curl to the server’s global IPv6 address (returns 401). The server also reports IPv6 connections properly in /api/resources.

Given that, it appears to be on the Plex side rather than a local configuration issue, so I will open a support ticket asking Plex Engineering to check AAAA publication for my server token.

4

@elan

5

@trumpy81 @dlandon

6

Interesting. I don’t see the same. For example, if I run the following in my Mac’s terminal, I see a valid answer:
dig @1.1.1.1 my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct -6 AAAA

;; ANSWER SECTION:
my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct. 2592000 IN AAAA my:public:ipv6:address

What do you see if you run similar (including the -6 AAAA in your command line?

(I just showed the CloudFlare result above, but I tested against Google DNS as well and it also resolved to my public IPv6. And also my local AdGuard Home DNS.)

I’ll reiterate though that no modern (i.e. new experience, which are replacing the legacy clients) Plex clients currently support IPv6 connectivity.

7

I ran the same test against Cloudflare and Google:

dig @1.1.1.1 -6 AAAA my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct

and also,

dig @8.8.8.8 -6 AAAA my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct

Both return NOERROR with ANSWER: 0 (only an SOA, no AAAA), so it looks like Plex’s authoritative DNS simply isn’t publishing an AAAA for my server yet.


; <<>> DiG 9.10.6 <<>> @1.1.1.1 my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct -6 AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct. IN AAAA

;; AUTHORITY SECTION:
my-dash-separated-ipv6-address.my_certificate_uuid.plex.direct. 300 IN SOA ns-plexdirect.plex.tv. dns-admin.plex.tv. 0 172800 7200 1209600 3600

;; Query time: 249 msec
;; SERVER: ::ffff:1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Dec 06 12:32:35 CST 2025
;; MSG SIZE  rcvd: 165

My /api/resources?includeIPv6=1&includeHttps=1 entry shows:

<Device ... dnsRebindingProtection="1" ...>
  <Connection protocol="https" address="2601:…:89f5" port="32400" local="0" />
  ...
</Device>

on pfSense I’ve:

server:
  private-domain: "plex.direct"

and confirmed DNS-rebind checks for plex.direct are disabled.

Is there any condition (e.g. dnsRebindingProtection=“1” or some other check) that would cause Plex not to publish AAAA even though the IPv6 connection appears in /api/resources and inbound IPv6 to the server works?

@ChuckPa If any Plex staff happen to see this, is there a way to verify on your side why AAAA isn’t being published for this server? :grinning_face:

8

Plex doesn’t publish “AAAA” records to public DNS providers.

My PfSense is configured to update my Cloudflare DNS record as needed.
I tell PMS to use that public FQDN (Settings - Network - Custom server access URLs )

Plex.tv will marry the custom URL + your designated port number in the plex.tv DNS record for brokering access to your server from other Plex apps.

Is this what you’re trying to achieve ?

Using your plex.direct Plex-private FQDN should not be used for public access because it will change with each certificate refresh

9

It does for me. See my comment above.

This is without any intervention on my side.

10

That’s doing as expected.

  1. you supply the IPv6 address
  2. you supply the cert id
  3. your query returns the given IPv6 address

It’s just reformatting the given information. No actual lookup required.

If you change from plex.direct to plex.tv you get only the SOA and NS entries

When I dig my fqdn’s AAAA, I get the IPv6 address
When I dig the fqdn, I get the IPv4 address.

This is how I’ve understood it all to work (not sure why it’s this way)