I have 2 pi-holes, an RPI4B - 2GB, and an RPI3B+. Both are set up with cloudflared ipv6. I can resolve domains using both ipv4 & ipv6 address on both RPIs.
dig -6 @2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:c928 google.com
dig -6 @2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:dc2a google.com
dig @192.168.0.231 google.com
dig @192.168.0.232 google.com
In (both) pi-hole settings > DNS > Upstream DNS Servers I'm using
Custom 1 (IPv4): 127.0.0.1#5053
Custom 3 (IPv6): ::1#5053
In my router (RT-AC88U flashed with Asus Merlin) I have the following settings
For a couple of years, I've been IPv4 only and ad blocking has been working great. However, I recently realized there were some sites I was unable to access with IPv6 disabled, so I wanted to figure out how to get pi-hole working with IPv6. The whole IPv6 thing is very new to me and I'm learning as I go.
The issue is, some (but not all) ads have started leaking through since enabling IPv6, but I'm not really sure how that's happening. dnsleaktest.com shows only cloudflare on the extended test on a number of devices.
If anyone has any advice or guides on where I've gone wrong, or what might be better, I'd really appreciate it.
>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DESKTOP-D9G8U2J
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
Physical Address. . . . . . . . . : B4-XX-XX-XX-XX-C7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:217c(Preferred)
Temporary IPv6 Address. . . . . . : 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:7646(Deprecated)
Temporary IPv6 Address. . . . . . : 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:7d66(Preferred)
Link-local IPv6 Address . . . . . : fe80::XXXX:XXXX:7ac9:217c%17(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.173(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, June 7, 2021 8:40:30 AM
Lease Expires . . . . . . . . . . : Wednesday, June 9, 2021 8:25:58 AM
Default Gateway . . . . . . . . . : fe80::XXXX:XXXX:fe74:76a0%17
192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 112471705
DHCPv6 Client DUID. . . . . . . . : 00-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-XX-C7
DNS Servers . . . . . . . . . . . : 2603:XXXX:XXXX:XXXX::1
192.168.0.231
192.168.0.232
2603:XXXX:XXXX:XXXX::1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wi-Fi:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX200 160MHz
Physical Address. . . . . . . . . : 50-XX-XX-XX-XX-8E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 1:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : 50-XX-XX-XX-XX-8F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Local Area Connection* 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
Physical Address. . . . . . . . . : 52-XX-XX-XX-XX-8E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 50-XX-XX-XX-XX-92
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
>netsh interface ipv6 show dnsservers
Configuration for interface "Ethernet"
DNS servers configured through DHCP: 2603:XXXX:XXXX:XXXX::1
2603:XXXX:XXXX:XXXX::1
Register with which suffix: Primary only
Configuration for interface "Wi-Fi"
DNS servers configured through DHCP: None
Register with which suffix: Primary only
Configuration for interface "Local Area Connection* 1"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
Configuration for interface "Local Area Connection* 2"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
Configuration for interface "Bluetooth Network Connection"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
Configuration for interface "Loopback Pseudo-Interface 1"
Statically Configured DNS Servers: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only
Also from a separate Ubuntu machine:
$ systemd-resolve --status
Link 5 (bond0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.0.231
DNS Servers: 192.168.0.232
192.168.0.231
2603:XXXX:XXXX:XXXX::1
DNS Domain: local
I'm assuming that IPv6 address belongs to your router, i.e. your router is advertising its own IPv6 address, indeed allowing your clients to bypass Pi-hole via IPv6.
To avoid that, configure your router to advertise or offer Pi-hole's IPv6 address instead.
You'd have to consult your router's and/or firmware's documentation to find out if and how your router supports that configuration.
If your router cannot be configured to cease distributing its own IPv6 as DNS, then disabling IPv6 in your router is your ultimate choice.
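A quick way to verify on a client what the reply above describes, as an added example (not code from the thread): pull every DNS server the OS reports and compare it against the Pi-hole addresses, so a router that advertises its own address shows up as an extra resolver the client can use to bypass Pi-hole. The 192.168.0.x addresses are the thread's; the IPv6 addresses and the sample outputs are constructed placeholders standing in for the redacted values.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that every DNS server a client
# has been handed is one of the Pi-hole addresses. A router that advertises its
# own address shows up here as an extra server the client can use to bypass
# Pi-hole. The 192.168.0.x addresses are the thread's; the IPv6 addresses and
# the sample outputs below are constructed placeholders for the redacted ones.

PIHOLE_DNS="192.168.0.231 192.168.0.232 2001:db8:1::c928 2001:db8:1::dc2a"

extract_dns_servers() {
  # Read "ipconfig /all", "netsh interface ipv6 show dnsservers" or
  # "systemd-resolve --status" text on stdin; print one server address per line.
  awk '
    /DNS [Ss]ervers/ {
      sub(/^.*DNS [Ss]ervers[^:]*: */, "")   # keep only the first address
      if ($0 != "" && $0 != "None") print
      inlist = 1                              # indented lines that follow continue the list
      next
    }
    inlist && /^[[:space:]]+[0-9A-Fa-f:.%]+[[:space:]]*$/ { gsub(/[[:space:]]/, ""); print; next }
    { inlist = 0 }
  '
}

check_dns_servers() {
  # $1: file holding the resolver output. Prints every server that is not a
  # Pi-hole; returns 0 if the client uses only Pi-hole, 1 otherwise.
  leaks=0
  for addr in $(extract_dns_servers < "$1"); do
    addr=${addr%\%*}                          # drop a link-local scope id such as %17
    case " $PIHOLE_DNS " in
      *" $addr "*) ;;
      *) echo "not a Pi-hole resolver: $addr"; leaks=1 ;;
    esac
  done
  return $leaks
}

sample_router_dns() {
  # Constructed ipconfig /all excerpt: the router's address listed beside both Pi-holes.
  cat <<'EOF'
   DNS Servers . . . . . . . . . . . : 2001:db8:1::1
                                       192.168.0.231
                                       192.168.0.232
                                       2001:db8:1::1
   NetBIOS over Tcpip. . . . . . . . : Enabled
EOF
}

sample_pihole_only() {
  # Constructed netsh excerpt: only the Pi-hole IPv6 addresses are offered.
  cat <<'EOF'
Configuration for interface "Wi-Fi"
    DNS servers configured through DHCP: 2001:db8:1::c928
                                         2001:db8:1::dc2a
    Register with which suffix:           Primary only
EOF
}

# Stand-alone demo on the constructed outputs.
for sample in sample_router_dns sample_pihole_only; do
  tmp=$(mktemp)
  "$sample" > "$tmp"
  if check_dns_servers "$tmp"; then
    echo "$sample: only Pi-hole resolvers configured"
  else
    echo "$sample: client can bypass Pi-hole"
  fi
  rm -f "$tmp"
done
```

On a real machine, pipe the command output straight in (`ipconfig /all > dns.txt` on Windows, `systemd-resolve --status > dns.txt` on Ubuntu) and run `check_dns_servers dns.txt`; any address it prints is a resolver that is not Pi-hole.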
The address listed is the same as the "LAN IPv6 Address" in IPv6 settings and is the prefix to all my ipv6 addresses. Also in those IPv6 settings "Connect to DNS Server automatically" is set to disable, and both pi-hole ipv6 addresses are listed in IPv6 DNS Server 1/2. So I'm not really sure how to further specify clients use the pi-hole ipv6 addresses for DNS. I would think with those settings, even if the router's IPv6 was used, it would be passing along the pi-hole ipv6 addresses.
I was hoping for someone with some experience with asus merlin since it seems the pi-hole side of things is set up correctly. I'll make a post on snbforums and see if I can get some clarification on how the IPv6 DNS settings work.
If ads are leaking, could this be your browser?
I've had issues with firefox TRR which caused ads to leak through. Disabling TRR makes FF use pihole instead of its own resolver which solves the ad leak situation. I'm not sure if a similar setting exists for chrome yet.
Turns out the router ipv6 DNS doesn't (yet) work the same way its ipv4 DNS works. It will always offer its own ipv6 address as the DNS server. I was able to get around this with a dnsmasq.postconf script, which essentially uses sed to replace the configuration with the desired pi-hole ipv6 addresses.
So now, my devices are only using pi-hole DNS addresses.
>netsh interface ipv6 show dnsservers
Configuration for interface "Wi-Fi"
DNS servers configured through DHCP: 2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:c928
2603:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:dc2a
Register with which suffix: Primary only
Fingers crossed this takes care of the leaking ads. However, from what I understand, the router will offer its own ipv6 address, but forward those requests to the ipv6 addresses specified in the ipv6 settings.
In regards to the browser, I'm not sure, but I don't think chrome does anything like that. I'm already using DoH with cloudflared so I wouldn't expect anything to force me into using a different DoH. I also haven't seen any ads in chrome specifically. The ads were coming in on a mobile game my girlfriend plays (which didn't have ads when only using ipv4).
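The poster only outlines the fix (a dnsmasq.postconf script that uses sed to swap the router's own address for the Pi-hole addresses). The following is an added example in that spirit, not the poster's script: it rewrites the DHCPv6 DNS option in a dnsmasq configuration and prints the value afterwards for checking. The generated line `dhcp-option=lan,option6:23,[::]` in the constructed config is an assumption about how the router writes it (`[::]` is dnsmasq's shorthand for the router's own address), the IPv6 addresses are placeholders, and in an actual Asuswrt-Merlin postconf the config path arrives as `$1` rather than from the sample function.

```shell
#!/bin/sh
# Added example (not the poster's script): rewrite the IPv6 DNS server option
# that dnsmasq hands to DHCPv6 clients so that it lists the Pi-hole addresses
# instead of the router's own address ([::] means "this host" in dnsmasq).
# The line "dhcp-option=lan,option6:23,[::]" is an assumed format for the
# router-generated config; a real dnsmasq.postconf would receive the path as $1.

set_ipv6_dns() {
  # $1: dnsmasq.conf path; remaining arguments: IPv6 addresses to advertise.
  conf=$1; shift
  value=""
  for a in "$@"; do
    value="${value:+$value,}[$a]"            # dnsmasq wants each IPv6 address bracketed
  done
  # Replace the value of any option6 DNS line, whether written as 23 or dns-server.
  # Write to a temp file and move it back so this works with both GNU and busybox sed.
  sed -e "s/\(option6:23,\).*/\1$value/" \
      -e "s/\(option6:dns-server,\).*/\1$value/" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
}

ipv6_dns_option() {
  # Print the current value of the option6 DNS line(s) in $1, one per line.
  sed -n -e 's/.*option6:23,//p' -e 's/.*option6:dns-server,//p' "$1"
}

sample_dnsmasq_conf() {
  # Constructed config in the style of a router-generated dnsmasq.conf.
  cat <<'EOF'
interface=br0
dhcp-range=lan,192.168.0.2,192.168.0.254,255.255.255.0,86400s
dhcp-option=lan,6,192.168.0.231,192.168.0.232
dhcp-range=lan,::,constructor:br0,ra-stateless,64,600
dhcp-option=lan,option6:23,[::]
ra-param=br0,10,600
EOF
}

# Stand-alone demo: apply to the constructed config and show the result.
demo_conf=$(mktemp)
sample_dnsmasq_conf > "$demo_conf"
echo "before: $(ipv6_dns_option "$demo_conf")"
set_ipv6_dns "$demo_conf" 2001:db8:1::c928 2001:db8:1::dc2a
echo "after:  $(ipv6_dns_option "$demo_conf")"
rm -f "$demo_conf"
```

After a change like this, the netsh output the poster shows (both Pi-hole IPv6 addresses, no router address) is the thing to re-check on a client; `ipv6_dns_option` on the live config confirms the router side.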
Well after running this for a few days, I can say it seems like the leaks are now sealed. I had some (possibly) unrelated issues. After setting up that script, for some reason, my port forwarding was turned off. But that was easy enough to find and fix. Also, one of my pi-holes had an issue with cloudflared, causing my google homes/hubs/minis to go haywire. Over 400,000 requests to connectivitycheck.gstatic.com in 12 hours. Even though it was whitelisted and I was resolving other domains. I didn't figure it out until I tried dig with each pi-hole ip. All it took was restarting the cloudflared service and I was back in business. No ads have leaked through in 48 hours so I feel pretty confident in the resolution.