Ads leaking - cloudflared, ipv6, Asus Merlin - RT-AC88U set up

I have 2 pi-holes, an RPI4B - 2GB, and an RPI3B+. Both are set up with cloudflared ipv6. I can resolve domains using both the IPv4 & IPv6 addresses of both RPIs.
dig -6 @2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:c928 google.com
dig -6 @2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:dc2a google.com
dig @192.168.0.231 google.com
dig @192.168.0.232 google.com

In (both) pi-hole settings > DNS > Upstream DNS Servers I'm using
Custom 1 (IPv4): 127.0.0.1#5053
Custom 3 (IPv6): ::1#5053

In my router (RT-AC88U flashed with Asus Merlin) I have the following settings

LAN > DHCP Server


LAN > DNSFilter

WAN > Internet Connection

IPV6

For a couple of years, I've been IPv4 only and ad blocking has been working great. However, I recently realized there were some sites I was unable to access with IPv6 disabled, so I wanted to figure out how to get pi-hole working with IPv6. The whole IPv6 thing is very new to me and I'm learning as I go.
The issue is, some (but not all) ads have started leaking through since enabling IPv6, but I'm not really sure how that's happening. dnsleaktest.com shows only cloudflare on the extended test on a number of devices.

If anyone has any advice or guides on where I've gone wrong, or what might be better, I'd really appreciate it.

Expected Behaviour:

All ads blocked over IPv6

Actual Behaviour:

Ads are leaking through

Debug Token:

https://tricorder.pi-hole.net/xmmg812e6m
https://tricorder.pi-hole.net/s4lod8anmd

Since you suspect Pi-hole is being bypassed via IPv6, can you verify which DNS servers are used, especially IPv6 ones?

From a Windows client, e.g., that should be revealed by running

ipconfig /all

or

netsh interface ipv6 show dnsservers

This is what I get.

>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-D9G8U2J
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : B4-XX-XX-XX-XX-C7
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:217c(Preferred)
   Temporary IPv6 Address. . . . . . : 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:7646(Deprecated)
   Temporary IPv6 Address. . . . . . : 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:7d66(Preferred)
   Link-local IPv6 Address . . . . . : fe80::XXXX:XXXX:7ac9:217c%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.173(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, June 7, 2021 8:40:30 AM
   Lease Expires . . . . . . . . . . : Wednesday, June 9, 2021 8:25:58 AM
   Default Gateway . . . . . . . . . : fe80::XXXX:XXXX:fe74:76a0%17
                                       192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 112471705
   DHCPv6 Client DUID. . . . . . . . : 00-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-C7
   DNS Servers . . . . . . . . . . . : 2603:XXXX:XXXX:XXXX::1
                                       192.168.0.231
                                       192.168.0.232
                                       2603:XXXX:XXXX:XXXX::1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX200 160MHz
   Physical Address. . . . . . . . . : 50-XX-XX-XX-XX-8E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 50-XX-XX-XX-XX-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 52-XX-XX-XX-XX-8E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 50-XX-XX-XX-XX-92
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
>netsh interface ipv6 show dnsservers

Configuration for interface "Ethernet"
    DNS servers configured through DHCP:  2603:XXXX:XXXX:XXXX::1
                                          2603:XXXX:XXXX:XXXX::1
    Register with which suffix:           Primary only

Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only

Configuration for interface "Local Area Connection* 1"
    DNS servers configured through DHCP:  fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
    Register with which suffix:           Primary only

Configuration for interface "Local Area Connection* 2"
    DNS servers configured through DHCP:  fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
    Register with which suffix:           Primary only

Configuration for interface "Bluetooth Network Connection"
    DNS servers configured through DHCP:  fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
    Register with which suffix:           Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers:    fec0:0:0:ffff::1%1
                                          fec0:0:0:ffff::2%1
                                          fec0:0:0:ffff::3%1
    Register with which suffix:           Primary only

Also from a separate ubuntu machine

$ systemd-resolve --status
Link 5 (bond0)
      Current Scopes: DNS                   
DefaultRoute setting: yes                   
       LLMNR setting: yes                   
MulticastDNS setting: no                    
  DNSOverTLS setting: no                    
      DNSSEC setting: no                    
    DNSSEC supported: no                    
  Current DNS Server: 192.168.0.231         
         DNS Servers: 192.168.0.232         
                      192.168.0.231         
                      2603:XXXX:XXXX:XXXX::1
          DNS Domain: local
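The check the reply above asks for, written out as an added shell example that is not from the thread: it reads text shaped like the `systemd-resolve --status` output just shown and flags every configured DNS server that is not one of the Pi-hole addresses. The Pi-hole address list and the sample output are constructed here (IPv6 uses the 2001:db8::/32 documentation prefix), not the poster's real values.

```shell
#!/bin/sh
# Added example, not the poster's command: list the DNS servers a systemd-resolved
# client actually has configured and report any that is not a Pi-hole address.
# All addresses are constructed; the IPv6 ones use the documentation prefix.

PIHOLE_DNS="192.168.0.231 192.168.0.232 2001:db8:1::c928 2001:db8:1::dc2a"

# Constructed sample shaped like `systemd-resolve --status` output; the last
# server is the router's own address, i.e. the bypass path discussed in the thread.
SAMPLE_STATUS='Link 5 (bond0)
      Current Scopes: DNS
  Current DNS Server: 192.168.0.231
         DNS Servers: 192.168.0.232
                      192.168.0.231
                      2001:db8:1::1
          DNS Domain: local'

# find_bypass_dns STATUS_TEXT
# Prints each DNS server in the "DNS Servers:" block that is not in PIHOLE_DNS,
# one per line. Exit status is 1 when at least one such server was found.
find_bypass_dns() {
    printf '%s\n' "$1" | awk -v allow="$PIHOLE_DNS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # "DNS Servers:" opens the list; the first address sits on the same line
        /^ *DNS Servers:/ { inlist = 1; sub(/.*DNS Servers: */, "") }
        # continuation lines carry a bare IPv4/IPv6 address, padded with spaces
        inlist && /^ *[0-9a-fA-F.:]+ *$/ {
            gsub(/ /, "")
            if (!($0 in ok)) { print; found = 1 }
            next
        }
        # any other line ends the server list
        inlist { inlist = 0 }
        END { exit found ? 1 : 0 }'
}

# Usage: prints the offending server(s); the message appears only if any were found.
find_bypass_dns "$SAMPLE_STATUS" || echo "-> at least one configured DNS server bypasses Pi-hole"
```

On a live Ubuntu machine, replace the constructed sample with `"$(systemd-resolve --status)"` (or `resolvectl status` on newer releases).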

I'm assuming that IPv6 address belongs to your router, i.e. your router is advertising its own IPv6 address, indeed allowing your clients to bypass Pi-hole via IPv6.
To avoid that, configure your router to advertise or offer Pi-hole's IPv6 address instead.

You'd have to consult your router's and/or firmware's documentation to find out if and how your router supports that configuration.

If your router cannot be configured to cease distributing its own IPv6 address as DNS, then disabling IPv6 in your router is your ultimate choice.

The address listed is the same as the "LAN IPv6 Address" in IPv6 settings and is the prefix to all my ipv6 addresses. Also in those IPv6 settings "Connect to DNS Server automatically" is set to disable, and both pi-hole ipv6 addresses are listed in IPv6 DNS Server 1/2. So I'm not really sure how to further specify clients use the pi-hole ipv6 addresses for DNS. I would think with those settings, even if the router's IPv6 was used, it would be passing along the pi-hole ipv6 addresses.

2603:XXXX:XXXX:XXXX::1 is a full IPv6 address, not just a prefix.
The ::1 address commonly gets claimed by a router, hence my assumption.

Me neither, since I do not know your router. :wink:

You'd have to dig into the respective documentation and support channels or wait for one of our community with relevant experiences to chime in.

EDIT: Detailing your router model in your topic title may help to better attract those.

I was hoping for someone with some experience with asus merlin since it seems the pi-hole side of things is set up correctly. I'll make a post on snbforums and see if I can get some clarification on how the IPv6 DNS settings work.

If ads are leaking, could this be your browser?
I've had issues with Firefox TRR which caused ads to leak through. Disabling TRR makes FF use pihole instead of its own resolver which solves the ad leak situation. I'm not sure if a similar setting exists for Chrome yet.

Turns out the router ipv6 DNS doesn't (yet) work the same way its ipv4 DNS works. It will always offer its own ipv6 address as the DNS server. I was able to get around this with a dnsmasq.postconf script, which essentially uses sed to replace the configuration with the desired pi-hole ipv6 addresses.

So now, my devices are only using pi-hole DNS addresses.

>netsh interface ipv6 show dnsservers

Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP:  2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:c928
                                          2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:dc2a
    Register with which suffix:           Primary only

Fingers crossed this takes care of the leaking ads. However, from what I understand, the router will offer its own ipv6 address, but forward those requests to the ipv6 addresses specified in the ipv6 settings.

In regards to the browser, I'm not sure, but I don't think Chrome does anything like that. I'm already using DoH with cloudflared so I wouldn't expect anything to force me into using a different DoH. I also haven't seen any ads in Chrome specifically. The ads were coming in on a mobile game my girlfriend plays (which didn't have ads when only using ipv4).

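A concrete version of the fix described in the post above, added here as an example and not the poster's actual script: an Asus Merlin style `/jffs/scripts/dnsmasq.postconf` that uses sed to swap the DNS-server option the router hands to DHCPv6/RA clients for the Pi-hole IPv6 addresses. It assumes Merlin passes the generated config path as `$1`, that the line has the form `dhcp-option=lan,option6:23,[<addr>]`, and uses constructed Pi-hole addresses from the 2001:db8::/32 documentation prefix; confirm the real line with `grep option6:23 /etc/dnsmasq.conf` on the router before relying on it.

```shell
#!/bin/sh
# Added example, not the poster's script: rewrite the DHCPv6/RA DNS-server option
# (option6:23) in the dnsmasq config Merlin generates so LAN clients get the
# Pi-hole IPv6 addresses instead of the router's own.
# Assumptions: Merlin invokes this hook with the config path in $1, and the option
# line looks like "dhcp-option=lan,option6:23,[<addr>]". Addresses are constructed.

PIHOLE6_1="2001:db8:1::c928"
PIHOLE6_2="2001:db8:1::dc2a"

# rewrite_dns6 CONFIG_FILE
# Replaces whatever address list follows option6:23 with the two Pi-hole
# addresses, keeping the interface tag in front. Returns 1 if no such line
# exists, so a firmware change to the format is noticed rather than ignored.
rewrite_dns6() {
    conf="$1"
    grep -q 'dhcp-option=.*option6:23,' "$conf" || return 1
    # BusyBox sed on the router and GNU sed both accept -i without a suffix
    sed -i "s/^\(dhcp-option=[^,]*,option6:23,\).*$/\1[$PIHOLE6_1],[$PIHOLE6_2]/" "$conf"
}

# dns6_servers CONFIG_FILE -> prints the address list currently configured
dns6_servers() {
    sed -n 's/^dhcp-option=[^,]*,option6:23,//p' "$1"
}

# When run as the postconf hook, Merlin supplies the config path in $1.
if [ -n "$1" ] && [ -f "$1" ]; then
    rewrite_dns6 "$1" || logger -t dnsmasq.postconf "option6:23 line not found, config left untouched"
fi
```

Merlin only runs the hook when JFFS custom scripts are enabled and the file is executable; afterwards re-run `netsh interface ipv6 show dnsservers` on a client to confirm only the Pi-hole addresses are offered, as in the post above.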

Well after running this for a few days, I can say it seems like the leaks are now sealed. I had some (possibly) unrelated issues. After setting up that script, for some reason, my port forwarding was turned off. But that was easy enough to find and fix. Also, one of my pi-holes had an issue with cloudflared, causing my google homes/hubs/minis to go haywire. Over 400,000 requests to connectivitycheck.gstatic.com in 12 hours :sweat_smile:. Even though it was whitelisted and I was resolving other domains. I didn't figure it out until I tried dig with each pi-hole ip. All it took was restarting the cloudflared service and I was back in business. No ads have leaked through in 48 hours so I feel pretty confident in the resolution.