pihole on ipv6 with dynamic ipv6


#255682 23-Aug-2019 15:07
I'm on 2degrees and just enabled IPv6 at the router / OS level. I'd like to make sure ad blocking will continue to be effective. Does the PiHole (v4.3) do this by default, or do I need to do something to enable it?

 

I can see this in my pihole logs, which suggests it is seeing IPv6 DNS requests.

2019-08-23 15:00:28   AAAA   e.crashlytics.com   192.168.1.12   Blocked (gravity)
2019-08-23 15:00:28   A      e.crashlytics.com   192.168.1.12   Blocked (gravity)

I guess that since DNS queries are by domain name the version of IP being used is largely irrelevant?

 

 

  #2304850 23-Aug-2019 17:01
I have a "helper script".

 

Posting here so I can paste the code later




  #2304903 23-Aug-2019 20:05
And here is the helper script I use; note the crontab addition to have it auto-update.

 

https://github.com/stevejenkins/pihole-utils/blob/master/pihole_ipv6_check
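The job such a helper script has to do is small: find the interface's current routable IPv6 address, compare it with the IPV6_ADDRESS line Pi-hole keeps in setupVars.conf, and rewrite that line when the prefix has changed. The following is an added illustration written for this thread in Python, not the linked script and not Pi-hole's own code. The `ip -6 addr` output and the setupVars.conf fragment are constructed samples (the 2001:db8 prefix is the documentation range), and the IPV6_ADDRESS key is the one Pi-hole's setupVars.conf uses.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (made-up prefix
# and interface id; it is not captured from anyone's system).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:9ec7:a6ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86173sec preferred_lft 14173sec
    inet6 fd00::9ec7:a6ff:fe12:3456/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9ec7:a6ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed setupVars.conf fragment holding a stale address from an old prefix.
SAMPLE_SETUPVARS = """\
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.1.12/24
IPV6_ADDRESS=2001:db8:ffff:1:9ec7:a6ff:fe12:3456
QUERY_LOGGING=true
"""

INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-f:]+)/\d+\s+scope\s+(\w+)", re.I | re.M)
ULA = ipaddress.IPv6Network("fc00::/7")   # unique local addresses (fd00::/8 in practice)


def global_unicast_addresses(ip_addr_output):
    """Return the routable IPv6 addresses from `ip -6 addr` text.

    Link-local (fe80::/10) and ULA (fc00::/7) entries are skipped, even
    though `ip` labels ULAs 'scope global'; the ISP-delegated prefix is the
    one that changes and therefore the one worth tracking.
    """
    found = []
    for addr_text, scope in INET6_RE.findall(ip_addr_output):
        addr = ipaddress.IPv6Address(addr_text)
        if scope != "global" or addr.is_link_local or addr in ULA:
            continue
        found.append(addr)
    return found


def configured_ipv6(setupvars_text):
    """Value of the IPV6_ADDRESS line, or None if the key is absent."""
    m = re.search(r"^IPV6_ADDRESS=(\S*)$", setupvars_text, re.M)
    return m.group(1) if m else None


def update_setupvars(setupvars_text, new_addr):
    """Return the config text with IPV6_ADDRESS set to new_addr (added if missing)."""
    line = f"IPV6_ADDRESS={new_addr}"
    if re.search(r"^IPV6_ADDRESS=", setupvars_text, re.M):
        return re.sub(r"^IPV6_ADDRESS=.*$", line, setupvars_text, flags=re.M)
    return setupvars_text.rstrip("\n") + "\n" + line + "\n"


def check_and_update(ip_addr_output, setupvars_text):
    """Compare the live address with the configured one.

    Returns (changed, new_text). If no routable address is up yet (e.g. the
    WAN link is still negotiating), the config is left untouched rather than
    being blanked.
    """
    live = global_unicast_addresses(ip_addr_output)
    if not live:
        return False, setupvars_text
    new = str(live[0])
    if configured_ipv6(setupvars_text) == new:
        return False, setupvars_text
    return True, update_setupvars(setupvars_text, new)


if __name__ == "__main__":
    changed, text = check_and_update(SAMPLE_IP_ADDR, SAMPLE_SETUPVARS)
    print("changed" if changed else "unchanged")
    print(text)
```

A cron-driven version would feed it the real `ip -6 addr show dev eth0` output, write the file back only when `changed` is true, and then run `pihole -g` so the new address is applied, which is the step the thread already mentions for picking up a setupVars.conf edit.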




  #2304909 23-Aug-2019 20:34
Thanks Mr Mental. Looks like the script adds the IPv6 address to the PiHole config. Why is that helpful?



  #2304920 23-Aug-2019 21:24
Oddly, I'm getting a LOT more advertising on stuff.co.nz since I enabled IPv6. I checked a few other sites, no problem.

 

I enabled that script, but it said nothing needed changing. It's on cron now.

  #2304941 23-Aug-2019 22:07
I'm a 2degrees customer using Pihole with IPv6. I let the router do all the DHCP. All I (believe I) had to do was enable the DNS advertisement in IPv6. All works as you'd expect.

Afraid I'm away from home right now. But I'll post my config tomorrow if you haven't got it sorted.



  #2304984 24-Aug-2019 06:40
nzkc: I'm a 2degrees customer using Pihole with IPv6. I let the router do all the DHCP. All I (believe I) had to do was enable the DNS advertisement in IPv6. All works as you'd expect.

Afraid I'm away from home right now. But I'll post my config tomorrow if you haven't got it sorted.

 

Can you tell me about this please?

 

I have DHCP set to return the pi-hole as the DNS server. That way every device on the network automatically uses pi-hole. Using a Fritzbox 7390.

 

I suspect (maybe) some IPv6 sites are going direct to ISP DNS rather than via pi-hole. Obviously I want to block ads that way too.

 

It's odd that stuff ads are showing (they weren't yesterday). Stuff is definitely on IP6, NZHerald definitely isn't.

  #2305113 24-Aug-2019 10:36
timmmay:

 

I have DHCP set to return the pi-hole as the DNS server. That way every device on the network automatically uses pi-hole. Using a Fritzbox 7390.

 

...

 

It's odd that stuff ads are showing (they weren't yesterday). Stuff is definitely on IP6, NZHerald definitely isn't.

 

 

No Stuff ads for me.

 

Double check the basics:

 

* Is your Pi-hole configured to block IPv6 ads? (I don't have the web interface, but you can run pihole reconfigure from the command line to set everything up again. Also try pihole -a interface all)

 

* On your Fritzbox, have you set both your IPv4 and IPv6 DNS servers?
* Also, in what order is your client using the DNS servers? Seems like mine is using IPv6 first
  #2305127 24-Aug-2019 11:06
I haven't configured an IP6 DNS server. My pihole has what I guess is a dynamic IP6 address, so if it changes I would have to reconfigure the Fritzbox manually. Can I assign a static IP6 address to my pi hole? Or am I missing something?

  #2305177 24-Aug-2019 11:33
I'm INCREDIBLY rusty on IPv6 (I keep trying to forget it), but you should have a static link-local address on your server hosting pihole, so if you configure your router to forward all IPv6 DNS requests to THAT IPv6 address, and then configure the pihole with your provider's public IPv6 DNS, and enable IPv6 filtering, you should start seeing results.

 

Without going and doing any reading, there's a bunch of IPv6 addresses on an interface based on the interface's MAC address, including a link-local, and if there's an IPv6 prefix being provided (which your ISP is providing), then you should have an address based on that. If your ISP is providing you with static IPv6, then your IPv6 addresses for your network will also be static, IIRC. Damn it, now I'm going to go read IPv6 documentation.

 

The reason you're seeing ads is because you'll be running in dual stack mode, and most IPv6 aware software prefers IPv6 over IPv4 when available, so you're just running standard public DNS with no filtering for anything that has a DNS AAAA record for IPv6, and filtering on everything else that uses IPv4 A records.
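The "address based on the MAC" part of the post above is the modified EUI-64 rule from RFC 4291: the 48-bit MAC is split in half, ff:fe is inserted in the middle, and the universal/local bit of the first octet is flipped. The same 64-bit interface identifier is then appended to fe80::/64 for the link-local address and to each advertised /64 prefix. The following is an added Python illustration for this thread, not code from anyone in it; the MAC 9c:c7:a6:12:34:56 is a constructed sample chosen so the result has the same 9ec7:a6ff shape as the Fritzbox ULA quoted later in the thread.

```python
import ipaddress


def modified_eui64(mac):
    """64-bit interface identifier from a 48-bit MAC (RFC 4291, appendix A).

    Steps: split the MAC into two 24-bit halves, insert 0xfffe between them,
    and invert the universal/local bit (bit 1 of the first octet, mask 0x02).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 9c:c7:a6:12:34:56")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac):
    """fe80::/64 plus the EUI-64 identifier: the address a host would pick
    for its link-local address if it does not use random identifiers."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac))


def address_in_prefix(prefix, mac):
    """EUI-64 address inside an advertised /64, e.g. the ISP prefix or the
    router's ULA. Only /64 prefixes leave room for a 64-bit identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def looks_like_eui64(addr):
    """True if the identifier carries the ff:fe marker, i.e. it was derived
    from a MAC rather than generated randomly (RFC 4941 privacy addresses
    and Windows' default random identifiers will return False)."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


if __name__ == "__main__":
    mac = "9c:c7:a6:12:34:56"   # constructed sample MAC
    print("link-local :", link_local_from_mac(mac))
    print("in fd00::/64:", address_in_prefix("fd00::/64", mac))
    print("in 2001:db8:abcd:1::/64:", address_in_prefix("2001:db8:abcd:1::/64", mac))
```

Two practical consequences for the setup discussed here: an EUI-64 link-local address is stable because it only depends on the MAC, so it is the safest address to hand to the router as the DNS server; and when a client's fe80 address has no ff:fe in the middle (as with the PC address quoted later in the thread), that host is using random identifiers, which is fine for a client but would make a Pi-hole's address change across reboots if it were configured that way.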




  #2305181 24-Aug-2019 11:37
Thanks toejam. I guess I have to do some reading on ip6 and local link addresses to get this working.

  #2305208 24-Aug-2019 11:59
ANglEAUT:

* On your Fritzbox, have you set both your IPv4 and IPv6 DNS servers?
* Also, in what order is your client using the DNS servers? Seems like mine is using IPv6 first
Pretty sure this will be what you are missing. Set it to your network local IPv6 address (fe80...... from memory) for your Pihole.

I guess the alternative would be to disable the IPv6 dns. Your pihole will still respond with IPv6 (AAAA) addresses to your clients.



  #2305213 24-Aug-2019 12:10
Thanks, I will try that later.



  #2305471 24-Aug-2019 21:09
Ok, I've made some progress. Things aren't working quite yet, I'm still seeing ads on stuff, but I understand this a bit more and I'm close.

 

First, the fc00::/7 is a "unique local address" (ULA), which is for private networks. This includes fc00::/8 and fd00::/8. fe80::/8 is the "local link address". The difference is spelled out here.

 

  • I've worked out the IPv6 local link address for my pi.hole, I've configured it in setupVars.conf, and I've run pihole -g to apply it. I'm not sure if I should use this fe80 or an fd00 really.
  • I've configured IPv6 on the Fritz. It has a 2406:: prefix which I believe is a public IPv6 address.
  • I've told the Fritz to "always assign ULA addresses" (which is probably why I have one of those on the pi-hole)
  • I've told the Fritz to Enable DHCPv6 server in the FRITZ!Box for the home network --> Only assign DNS server
  • I've enabled "Also announce DNSv6 server via router advertisement (RFC 5006)" and I've put in the fe80:: local link address for my pi-hole.

When I run ipconfig /all on my PC

 

DNS Servers . . . . . . . . . . . : fd00::9ec7:a6ff:xxxx:xxxx (this is the ULA for my Fritzbox)
                                       192.168.1.x (IPv4 for my pi-hole)
                                       fe80::9b16:3f9c:xxxx:xxx%16 (IPv6 local link address for my pi-hole)
                                       fd00::9ec7:a6ff:xxxx:xxxx (this is the ULA for my Fritzbox again)

 

 

 

TLDR: So it looks like DHCPv6 is sending the IPv6 local link of the pi-hole out, but it's behind the Fritzbox in the order of DNS servers, which means it's not used. When I set the pi-hole as the IPv6 DNS server on my PC it works fine, but I would like it handed out by DHCP so all computers on the network benefit from ad-blocking.

 

Question: Any idea how to get the pi-hole to the top of the list of Fritzbox IPv6 DNS servers?
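The ordering problem in the post above is easy to check mechanically: take the DNS Servers field from ipconfig /all, label each entry as IPv4, link-local, ULA or global, and see whether any resolver that is not the Pi-hole sits ahead of it. The following is an added Python illustration for this thread (not from any poster or from Pi-hole). The ipconfig excerpt is constructed to match the shape shown in the post, with the masked parts of the addresses filled in with made-up values, and the Pi-hole addresses passed to the checker are assumptions for the sample.

```python
import ipaddress

# Constructed excerpt of `ipconfig /all` in the shape quoted in the thread.
# The first and last entries are the router's ULA, the second is the
# Pi-hole's IPv4 address, the third the Pi-hole's link-local address.
SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : fd00::9ec7:a6ff:fe12:3456
                                       192.168.1.12
                                       fe80::1a2b:3c4d:5e6f:7080%16
                                       fd00::9ec7:a6ff:fe12:3456
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ULA = ipaddress.IPv6Network("fc00::/7")


def parse_dns_servers(ipconfig_text):
    """Collect the values of the 'DNS Servers' field in the order listed.

    ipconfig prints the first server on the field line and the rest on
    indented continuation lines; the next 'Name . . : value' line ends the list.
    """
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if not collecting:
            if "DNS Servers" in line:
                servers.append(line.split(":", 1)[1].strip())
                collecting = True
        elif line.startswith("        ") and " : " not in line and line.strip():
            servers.append(line.strip())
        else:
            break
    return servers


def to_address(server):
    """Parse one entry, dropping a Windows zone id such as '%16'."""
    return ipaddress.ip_address(server.split("%")[0])


def classify(server):
    """Label an entry as 'ipv4', 'link-local', 'ula' or 'global'."""
    addr = to_address(server)
    if addr.version == 4:
        return "ipv4"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "ula"
    return "global"


def pihole_position(servers, pihole_addrs):
    """Return (index of the first Pi-hole entry or None, bypass_possible).

    bypass_possible is True when an IPv6 resolver that is not the Pi-hole is
    listed before the first Pi-hole entry (or the Pi-hole is absent), which is
    the situation the thread describes: the client asks the router first and
    AAAA lookups never reach the filter.
    """
    parsed = [to_address(s) for s in servers]
    pihole = {ipaddress.ip_address(a) for a in pihole_addrs}
    first = next((i for i, a in enumerate(parsed) if a in pihole), None)
    if first is None:
        return None, True
    bypass = any(a.version == 6 and a not in pihole for a in parsed[:first])
    return first, bypass


if __name__ == "__main__":
    servers = parse_dns_servers(SAMPLE_IPCONFIG)
    for s in servers:
        print(f"{s:40} {classify(s)}")
    # Assumed Pi-hole addresses for the sample (IPv4 plus its link-local).
    print(pihole_position(servers, ["192.168.1.12", "fe80::1a2b:3c4d:5e6f:7080"]))
```

Run against the real output, a result like `(1, True)` reproduces the post's diagnosis: the Pi-hole is present but only second, behind the router's ULA. Once the router advertises the Pi-hole first (or the router's own address is dropped from the list) the check returns `(0, False)`, which is what the later "use other DNS servers" change in the thread aims for.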



  #2305570 25-Aug-2019 07:15
For now I've gone into Internet -> Account information -> DNS Server (tab) and set "use other DNS servers" to my Fritzbox fe80 address, with the 2degrees DNSv6 address as the second address. I might change the second to use the fd00 ULA address if ad-blocking isn't reliable. DNS servers seem to be used round robin rather than first and second.

 

The only downside to this I can think of is if my pi-hole fails I'll have to manually change DNS servers back to ISP supplied.

  #2305703 25-Aug-2019 13:17
I'm not using my Fritz 7390 anymore, however, it sounds like you've got it to where I had it. Although I didn't manually change any IPv6 addresses anywhere. Including the pihole. Can't see it being an issue though.

Happy to dig out the fritz and grab some screenshots if you need them.

