Be aware of Android's shady IPv6 DNS

I recently realized Pi-hole is not working on my Android phone at all. I did some research and found out other people have experienced the same problem. The culprit is the automatic IPv6 resolver.

I use pfSense as my router, and I dedicated Pi-Hole as the only DNS server for the whole network. Every device connected to this network should use Pi-hole by default unless this device connects to a VPN or has a manually set DNS.

However, Android will somehow make use of IPv6 to find out my ISP's IPv6 DNS and set that one as my primary DNS. You would think this won't be a problem if I manually set my DNS in Wi-Fi settings. Wrong. I did that and Android forcefully set the IPv6 DNS as primary before Pi-hole.

So far my solution is to disable IPv6 altogether on pfSense. I do not know what else could work. Frankly, I don't know how Android even knows my ISP's DNS. My whole network is on VPN. A DNS leak test shows that my DNS requests went to the VPN servers.


I had the same problem with windows 10, after a while, an IPv6 DNS server appeared in the DNS server list (ipconfig /all). I looked into that, and found there is nothing shady about it, but a legit part of the IPv6 protocol.
I don't want to end up in a situation where pfsense gets in trouble, because of an unavailable DNS resolver (pihole), so after some experimenting, the following appears to work for me.
system / general setup / dns server settings:

  • IPv4 of OPENDNS (208.67.222.222)
  • IPv4 of OPENDNS (208.67.220.220)
  • IPv6 of pihole (2a02:1810:xxxx:6902:yyyy:adc1:79e1:zzzz)

now, shortly after windows 10 has started up, ipconfig /all shows the following:

   DNS Servers . . . . . . . . . . . : 192.168.2.57
                                       2a02:1810:xxxx:6902:yyyy:adc1:79e1:zzzz

thus, windows got the IPv6 DNS address from pfsense. I tested this, by simply entering a different (valid external DNS resolver) IPv6 address, and confirmed this is the address the client device is picking up.

I only hand out the IPv4 DNS address with the pfSense IPv4 DHCP server, and I'm using track interface to provide IPv6 addresses to the devices.

Have been monitoring this for a while now, appears to work correctly, no more pihole bypassing.


Thanks for sharing your story with me. I don't understand how this IPv6 thing works on pfSense. I'll have it disabled for now. I don't even understand how my Android phone got that IPv6 DNS server. My pfSense is always on VPN, which means the whole network is always on VPN.

IPv6 has been invented from our current knowledge of networking and embedded hardware. IPv4 is back from the 80s where the majority of computers in the same network were all in the same building. IPv6 has some advantages which makes it easier to process = faster (less delay) and more energy-efficient (less computational power required on each intermediate router).

It only makes sense to prefer an IPv6 path if there is one. The Android device does not know/expect that the IPv6 address ends up at a different (=non-Pi-hole) server. It's not really the Android device's fault, rather the one from your router letting the IPv6 RA packet announcing this particular server through.

I have no pfSense experience myself. It may just be an unlucky user interface. I'm pretty sure you can achieve what you want. Maybe the filtering is powerful enough to prevent the responsible ISP RA packet from coming through. Do not block all of them or you will kill the entire IPv6 connectivity (the prefix still needs to come through).

Interpretation 1: The WiFi settings are incomplete in this case as they don't highlight
Interpretation 2: A filter is missing to prevent the responsible packet from coming through

I prefer no. 2.


I never asked my Android to replace my primary DNS. I never asked it to find its own DNS in the first place.


Hi @KamikazeRaven

I'm facing the same problem for two months now (Android 10 update) and still can't force my mobile device to use my Pi-hole's IPv4 address as a DNS server...

Were you successful?

My problem is that I can't change it on my ISP's router. I'm considering buying a new one and bridging my ISP's router to it, and then I have freedom to change whatever...

Yes I was. I use a home-built pfSense as my router. I disabled IPv6 on the router. So no IPv6 traffic on my home router at all. I do not find settings on Android. Android works more like malware nowadays.

Seems that's the way to go! I just got introduced to pfSense today; for now I will use Pi-hole as DHCP server and disable the router's.

Totally agree on Android! The latest Android 10 is a privacy nightmare. Looking for a way to root a better OS onto my Samsung Galaxy :)


Will give it a try, thanks! Any ROM you recommend?

Just saying: If you have a powerful router incl. firewall, configure it to filter RA packets with DNS information. Then, check which IPv6 addresses Android uses (they have to be hard-coded, probably only a few) and block the entire subnet where they are in.

This will prevent shady IPv6 actions while still giving you access to the benefits of the IPv6 Internet.


I love your solution, and I'm sure my hardware is powerful enough to handle all that. I just really don't know how to do it. I don't understand how IPv6 works in general. My pfSense is also set to use 3 VPN connections. The firewall settings are already complex enough.

This may actually not be necessary when you

because the Android phone should (hopefully) ignore servers it cannot reach. It is important that the firewall REJECTs (and doesn't DROP) the packets to avoid unpleasant timeouts.

Also, blocking RAs (Router Advertisements) selectively would necessitate packet surgery and this is a whole different story. I don't even think the pfSense is able to do this without tricks. The problem here is that many/most RA packets contain not only DNS information but also prefix, MTU, etc. information. So if you just block them, everything from "strange things" to "does not work at all" is possible.
TL;DR: Don't block RA packets, just block the DNS servers (and hope for them to not change often, but this seems highly unlikely)

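The two posts above hinge on what a Router Advertisement actually carries: the prefix and MTU the LAN needs alongside the RDNSS option (RFC 8106) that hands clients their IPv6 resolver. The parser below is an added example, not code from this thread or from Pi-hole or pfSense; it decodes those options from a captured RA and flags any advertised resolver that is not the one you run, so you can verify what your router (or your ISP's, leaking through) is announcing. All addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
import struct

RA_TYPE, PREFIX_INFO, MTU, RDNSS = 134, 3, 5, 25  # ICMPv6 RA type and option codes

def parse_ra_options(icmpv6: bytes) -> dict:
    """Return the prefixes, MTU and RDNSS DNS servers carried by one
    ICMPv6 Router Advertisement (bytes starting at the ICMPv6 header)."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    out = {"dns": [], "prefixes": [], "mtu": None}
    i = 16  # options start after the fixed 16-byte RA header
    while i + 2 <= len(icmpv6):
        otype, olen = icmpv6[i], icmpv6[i + 1] * 8  # option length is in 8-byte units
        if olen == 0 or i + olen > len(icmpv6):
            raise ValueError("malformed RA option")
        body = icmpv6[i + 2:i + olen]
        if otype == RDNSS:  # reserved(2) + lifetime(4), then 16-byte addresses
            for off in range(6, len(body) - 15, 16):
                out["dns"].append(str(ipaddress.IPv6Address(body[off:off + 16])))
        elif otype == PREFIX_INFO:  # prefix length at body[0], prefix at body[14:30]
            out["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == MTU:  # reserved(2), then 4-byte MTU
            out["mtu"] = struct.unpack("!I", body[2:6])[0]
        i += olen
    return out

def rogue_dns(icmpv6: bytes, allowed: set) -> list:
    """DNS servers the RA announces that are not the ones you run (e.g. Pi-hole)."""
    return [a for a in parse_ra_options(icmpv6)["dns"] if a not in allowed]

def build_ra(dns, prefix="2001:db8:1::", plen=64, mtu=1500) -> bytes:
    """Constructed sample RA (documentation addresses) for offline testing;
    the checksum is left zero because it never goes on the wire."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0) \
        + ipaddress.IPv6Address(prefix).packed
    mtuo = struct.pack("!BBHI", MTU, 1, 0, mtu)
    rdnss = struct.pack("!BBHI", RDNSS, 1 + 2 * len(dns), 0, 3600) \
        + b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return hdr + pio + mtuo + rdnss

if __name__ == "__main__":
    # constructed: first resolver plays the Pi-hole, second plays the ISP's resolver
    sample = build_ra(["2001:db8::53", "2001:db8:ffff::1"])
    print(parse_ra_options(sample))
    print("unexpected DNS:", rogue_dns(sample, {"2001:db8::53"}))
```

Feed it the ICMPv6 payload of RAs captured on the LAN (e.g. from a pcap) to see exactly which resolver Android is being handed; if only the RDNSS entry is wrong, the fix is the advertised address, not the RA itself.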

TL;DR: Don't block RA packets, just block the DNS servers (and hope for them to not change often, but this seems highly unlikely)

Thanks for clarifying.

As far as I know, my ISP has a lot of DNS servers. I don't know why they do that. I think blocking a few of them won't do anything.

They are still likely in the same address range (like 144.25.2.1, 144.25.2.2, 144.25.2.3, etc.)

I would not expect them to be scattered about the entire address range (like 5.98.66., 66.73.56.99, 3.56.84.6, etc.)


They are still likely in the same address range (like 144.25.2.1, 144.25.2.2, 144.25.2.3, etc.)

I would not expect them to be scattered about the entire address range (like 5.98.66., 66.73.56.99, 3.56.84.6, etc.)

That's a good point. I'll see if I can find a list of their DNS servers.

I had a very similar problem. In my case it was that my new ISP router was leasing IPv6 addresses (despite the fact that I deactivated the DHCP server). My solution was to isolate the ISP router behind my own router, creating two networks and effectively blocking all the traffic from my ISP router (including DHCP and all v6 traffic).

I had a similar problem! My local network is an IPv4+IPv6 dual-stack network, and I deployed a gateway server in my local network as a transparent proxy. I need to hijack the DNS requests from the clients, so I set the IPv4 router (gateway) and IPv4 DNS server on my clients to point to the gateway server. It works on Linux, iOS and macOS, but there are some problems on Windows and Android. I found IPv6 DNS is preferred by default on these two platforms. On Windows, I set the IPv6 DNS server to ::1, so when DNS requests are sent over both IPv4 and IPv6, the IPv6 DNS server can't respond, and the IPv4 DNS requests get hijacked and answered by the gateway server. I think this reasoning is right, but unfortunately Android CAN'T SET A WIFI IPv6 DNS SERVER even though it allows setting the IPv4 address, gateway and DNS server manually. What can I do? How do I set the IPv6 DNS server on Android?