Can't add IPV6 to Pi-hole with pihole -r

Margret · July 29, 2021, 4:48pm

Please follow the below template, it will help us to help you!

Expected Behaviour:

I run pihole -r to reconfigure so I have IPV6 enabled. I want to block IPV6 traffic

Actual Behaviour:

Pi-hole shows IPV6 not enabled.

The Pi has an IPV6 address.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:e0:4c:78:41:d6 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.2/24 brd 192.168.111.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::6308:c759:724d:91c8/64 scope link
valid_lft forever preferred_lft forever

Debug Token:

https://tricorder.pi-hole.net/42qenkagsp

jfb · July 29, 2021, 5:13pm

Pi-hole is not involved in any traffic between clients and the internet. If a client has IPv6 available, it can use that to connect to IPv6 sites.

Do you want to block all IPv6 DNS queries? Please elaborate on what you want to accomplish.

Margret · July 29, 2021, 6:18pm

Yes, please. Ads are getting through on IPV6 and I want to block them.

DanSchaper · July 29, 2021, 6:20pm

If that is the only IPv6 address on your server then you don't actually have IPv6. That's a link-local address, it doesn't have any internet access.

You can double check with https://ipv6-test.com from any web browser to see if you actually do have IPv6 internet access.

Margret · July 29, 2021, 6:31pm

So DNS6 is reachable, but IPV6 routing-wise is not.

DNS6 + IP4 | Reachable |

| - |

How can I block DNS6 queries? Do I need to do this through my router or can the Pi-hole do that?

jfb · July 29, 2021, 6:36pm

Pi-hole is a domain blocker. If Pi-hole receives a query for a DNS domain, it will block that domain per your settings regardless of whether the queries are for the A record (IPv4) or AAAA record (IPv6) for the domain.

As an example, cnn.com is not blocked and Pi-hole will return either the A or the AAAA record.

pi@Pi-3B-DEV:~ $ dig -t A cnn.com +short
151.101.193.67
151.101.129.67
151.101.65.67
151.101.1.67

pi@Pi-3B-DEV:~ $ dig -t AAAA cnn.com +short
2a04:4e42:600::323
2a04:4e42:200::323
2a04:4e42::323
2a04:4e42:400::323

If you block the domain, with the default Pi-hole settings this will be blocked for both A and AAAA records.

pi@Pi-3B-DEV:~ $ pihole -b cnn.com
[i] Adding cnn.com to the blacklist...
[✓] Reloading DNS lists

pi@Pi-3B-DEV:~ $ dig -t A cnn.com +short
0.0.0.0

pi@Pi-3B-DEV:~ $ dig -t AAAA cnn.com +short
::

Margret · July 29, 2021, 6:43pm

Okay, I have, for example, googleads.g.doubleclick.net and www.googleadservices.com blocked. However, ads keep loading from those sites. I read somewhere that turning off IPV6 on a workstation would eliminate the problem. I tried that and it worked on my Windows 10 laptop. When I turned IPV6 back on, the ads returned. So, I assumed that there was a setting in Pi-hole that I would need to enable to block IPV6 DNS queries. I'm missing something here.

Bucking_Horn · July 29, 2021, 7:07pm

Run from your Windows Laptop with IPv6 enabled, what is the output of:

netsh interface ipv6 show dnsservers

Or check the DNS server section from

ipconfig /all

Margret · July 29, 2021, 7:10pm

Using WIFI, so none. Odd.

Configuration for interface "Local Area Connection* 1"
DNS servers configured through DHCP: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

Configuration for interface "Wi-Fi"
** DNS servers configured through DHCP: None**
** Register with which suffix: Primary only**

Configuration for interface "Loopback Pseudo-Interface 1"
Statically Configured DNS Servers: fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
Register with which suffix: Primary only

Margret · July 29, 2021, 7:41pm

Okay. I flushed DNS. I made sure DHCP was not serving DNS through the router. Still no luck. If, for example, I go to cnn.com, google ads loads the stupid banner. Do I need to move DHCP to the Pi-Hole to make this work?

Link-local IPv6 Address . . . . . : fe80::f5d6:4a20:d93e:9ca3%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.x.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 27, 2021 11:06:39 AM
Lease Expires . . . . . . . . . . : Friday, July 30, 2021 3:35:46 PM
Default Gateway . . . . . . . . . : 192.168.x.1
DHCP Server . . . . . . . . . . . : 192.168.x.1
DHCPv6 IAID . . . . . . . . . . . : 75532018
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-E0-97-88-80-86-F2-E0-BF-0F
DNS Servers . . . . . . . . . . . : 192.168.x.2
NetBIOS over Tcpip. . . . . . . . : Enabled

Bucking_Horn · July 29, 2021, 7:51pm

Your results suggest you neither have public IPv6 connectivity in your network nor does your Windows client use your router's link-local IPv6 address as DNS server.

Run from your Windows laptop, what's the output of

nslookup googleads.g.doubleclick.net

nslookup www.googleadservices.com

Margret · July 29, 2021, 7:59pm

You are absolutely correct. Nslookup times out:

C:\Users\m>nslookup googleads.g.doubleclick.net
Server: pi-hole
Address: 192.168.111.2

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Name: googleads.g.doubleclick.net
Addresses: ::
0.0.0.0

C:\Users\m>nslookup www.googleadservices.com
Server: pi-hole
Address: 192.168.111.2

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Name: www.googleadservices.com
Addresses: ::
0.0.0.0

Yet, I get this when I load CNN.com:

Which links to googleadservices.com. It's not just CNN either. But when I disabled IPV6 on my laptop it stops. Okay, no biggie. I could just do that. However, my spouse's Samsung tablet doesn't let you disable IPV6, so it's ad city on that. And there are other devices in the house that I'd have to run around trying to disable IPV6 on. I just don't get how these ads are getting through.

Bucking_Horn · July 29, 2021, 8:09pm

Intermittently, but ultimately it shows Pi-hole returns the domain as blocked:

Your observation may have been coincidental - there are no indications that IPv6 would be your issue.

Could you please provide a fresh debug token?

Margret · July 29, 2021, 8:25pm

You got it! https://tricorder.pi-hole.net/6mjar8k8sc

Bucking_Horn · July 29, 2021, 8:50pm

Both of your debug logs indicate you do not have public IPv6 connectivity.

However, your older debug log showed your router to distribute its own IPv4 address as DNS server alongside Pi-hole:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 304 bytes from eth0:192.168.111.1
     Offered IP address: 192.168.111.2
     Server IP address: 192.168.111.1
     DHCP options:
      Message type: DHCPOFFER (2)
      lease-time: 86400 ( 1d )
      dns-server: 192.168.111.2
      dns-server: 192.168.111.1

Your recent debug log shows that your router currently distributes only Pi-hole.

Assuming you've changed that only recently, clients that yet wouldn't have renewed their DHCP lease could still use your router for DNS and thus by-pass Pi-hole (your current lease time is set to one day).

Margret · July 29, 2021, 10:03pm

I just did an ipconfig /renew about seven times. It finally seems to be working. Thanks.

system · August 19, 2021, 10:04pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.