Client name for IPv6 addresses is sometimes resolved by upstream DNS server?

Expected Behaviour:

I'm experiencing an issue where, in places where client names are displayed (e.g. query log, top clients), the resolved name looks as if the resolution were done by an upstream DNS provider, like this:
[long-IPv6-address].catv.pool.telekom.hu
It's like a reverse lookup of an IPv6 address, and the ending is the one that you'll get for everyone who is a subscriber of my ISP. It could be important to note that it's not an actual IPv6 address on my network, but according to the tooltip (shown by hovering over) it's a resolution of an address of this format:
fdaa:bbcc:ddee:0.[xxxx:xxxx:xxxx:xxxx]
but there are other ones too that are resolutions of this format:
2001:4c4c:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]

I've just rebooted my Raspberry Pi and my ISP-provided router because most of the client names were such weird resolutions, and for a few minutes after that I've actually seen client names like [name-of-my-pc].lan, [name-of-my-phone].lan, but then these externally resolved names started appearing, slowly more and more. In the query log I can't see the real addresses, but I found them in the top clients section, and there (by hovering over) I've seen the original addresses that were resolved.

I don't understand why this is happening, but I'm a bit confused about how exactly client names are resolved.
On the settings menu on the DNS tab I have the Never forward non-FQDNs, and Never forward reverse lookups for private IP ranges boxes ticked, so I think this shouldn't happen.

My OS is Raspbian Buster, running on a Raspberry Pi 4. Pi-hole version is 5.1.1

Actual Behaviour:

I would expect that every IPv6 address would be resolved to a client name if it's using the Pi-hole's DHCP server, or if it's not possible (are there such cases? what are these cases?) then left unresolved.

Debug Token:

https://tricorder.pi-hole.net/ouutpgxssm

Additional information:

If this kind of problem can be caused by a secondary DHCP server on the network, then please tell me about it. I suspect that my ISP router's DHCP server is still working (maybe only the v6 part), but I haven't found a way to verify it. In the control panel I have attempted to turn it off, and the switch remains in the off state, but the control panel has only a page specifically for IPv4 DHCP, and none for IPv6 DHCP.

Short version:
Seeing generic names issued by your ISP is not unusual for public IPv6 addresses.

With IPv4, your router is the only device in your network that has a public IPv4 address.

That changes with IPv6:
Your router is assigned a public IPv6 prefix by your ISP, which it will distribute in your network in return.

Any IPv6 capable device on your network will construct a set of IPv6 addresses for itself by calculating an interface identifier and combining that with an IPv6 prefix.

This means that any such device on your network can now construct a public IPv6 address for itself by using the public IPv6 prefix. Public IPv6 addresses fall into the 2000::/3 address range.

A client may choose any of its assigned addresses to query Pi-hole, be it IPv4 or IPv6, including its public IPv6 address. If a client uses its public IPv6, Pi-hole will try to associate a name for it. As it's a public address, Never forward reverse lookups for private IP ranges won't kick in here, and Pi-hole will forward the reverse lookup to one of its upstream servers.

As your ISP owns the address space it assigned to you, it also supplies DNS services for it. DNS records will be populated with generic names derived from the respective IP addresses, unless your plan buys you DNS services as well (which is unlikely for consumer plans).

Usually, the same would happen for the public IPv4 address of your router - try a reverse lookup for your IPv4.


You may coerce clients into sending queries exclusively via their link-local IPv6 by distributing Pi-hole's link-local IPv6 (from fe80::/10) as DNS. This is somehow dirty, as that address is only visible on the same network segment (or link). So use any L3 switches or VLANs, and devices connected through those won't be able to use Pi-hole that way.

Note that with potentially every device on your network having a public IPv6 address, every device is now potentially reachable from public internet. Whether it is actually exposed in that way will depend on your router's proper firewalling.

1 Like
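The address ranges this answer refers to, as an added example that is not part of the original posts: it sorts a client address into its range, builds the PTR name a reverse lookup would query, and reports whether a "never forward private reverse lookups" rule would keep that query local. The set of ranges treated as private and the sample addresses are assumptions made for the example; the exact list Pi-hole's dnsmasq applies is not taken from the thread.

```python
import ipaddress

# fe80::/10 and 2000::/3 are the ranges named in the thread. Treating exactly
# the set below as "private" is an assumption made for this example.
SCOPES = [
    ("loopback", ["127.0.0.0/8", "::1/128"]),
    ("ipv4-private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("ipv6-link-local", ["fe80::/10"]),
    ("ipv6-ula", ["fc00::/7"]),
    ("ipv6-public", ["2000::/3"]),
]
LOCAL_ONLY = {"loopback", "ipv4-private", "ipv6-link-local", "ipv6-ula"}

def parse(address):
    """Parse an address, dropping a zone id such as %eth0 if present."""
    return ipaddress.ip_address(address.split("%")[0])

def scope_of(address):
    """Name the range a client address falls into."""
    ip = parse(address)
    for name, nets in SCOPES:
        for net in map(ipaddress.ip_network, nets):
            if ip.version == net.version and ip in net:
                return name
    return "other"

def reverse_lookup_plan(address):
    """Return (scope, PTR name, forwarded upstream?) for one client address."""
    scope = scope_of(address)
    return scope, parse(address).reverse_pointer, scope not in LOCAL_ONLY

# Constructed sample clients, not addresses from the thread.
SAMPLE_CLIENTS = [
    "192.168.1.23",
    "fe80::1c2d:3eff:fe4f:5a6b%eth0",
    "fd00:1234:5678:0:1c2d:3eff:fe4f:5a6b",
    "2001:db8:aa:bb:1c2d:3eff:fe4f:5a6b",  # documentation prefix standing in for an ISP prefix
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        scope, ptr, forwarded = reverse_lookup_plan(client)
        action = "forwarded upstream" if forwarded else "kept local"
        print(f"{client:40} {scope:16} {action}\n    PTR {ptr}")
```
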

Thank you for your detailed reply, this helped me clear up my confusion.
Is there a way to set up Pi-hole's DHCP server to advertise its DNS server's link-local IPv6 address along with its IPv4 address?
Currently if I run ipconfig /all, I only see its IPv4 address, and sometimes (like now) also my ISP's DNS servers (luckily they are prioritized over Pi-hole... but that's what my phone does too, just more frequently), but I want to make a different post about that problem (short version: ISP router's DHCP server is theoretically disabled, but I don't know of a way to actually verify this, and something is actively telling my devices about the IPv6 addresses of my ISP's DNS servers).

Configuring Pi-hole to advertise its own link-local IPv6 address as DNS server for IPv6 is a bit tricky.
It requires manual editing of Pi-hole's embedded DNS and DHCP server, dnsmasq, configuration files.
Find /etc/dnsmasq.d/02-pihole-dhcp.conf and change the last bit of the option6:dns-server line to read exactly as follows:

dhcp-option=option6:dns-server,[fe80::]

Such a line will only be in there if you've enabled IPv6 support via Pi-hole's DHCP UI.
Since this is a file under Pi-hole control, it may be overwritten upon Pi-hole updates and/or UI interaction.

Alternatively, you could leave Pi-hole's IPv6 support switched off in its UI and create a new configuration file, e.g. /etc/dnsmasq.d/42-dhcp-option6.conf.
You then provide the complete IPv6 configuration in there:

dhcp-option=option6:dns-server,[fe80::]
dhcp-range=::100,::1ff,constructor:eth0,ra-names,slaac,24h
ra-param=*,0,0

This file will itself be unharmed by Pi-hole updates and UI interactions, but enabling IPv6 support or disabling DHCP altogether will result in an overall conflicting configuration.

Both approaches are less than ideal, in that you'd have to remember that you did provide configuration details manually.

If you are curious about the configuration parameters used, have a look at dnsmasq's documentation.

Your router may still advertise a DNS server via RA (RDNSS/DNSSL) and/or offer them via DHCPv6 (same purpose as DHCP for IPv4, but a separate protocol). Commonly, the only way to stop your router from doing so is to disable IPv6 altogether, though some routers may expose settings to control those individually. And then there are a few routers that won't allow you any control over IPv6: It'll just stay switched on, without ways to control it.

That's not good.
A client may pick any of the DNS servers offered at its own discretion, at any time. If it chooses one of your ISP's DNS servers, DNS traffic will bypass Pi-hole at times.
Pi-hole has to be your only DNS server for domains to be filtered reliably.

1 Like
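A check for the situations this answer warns about, as an added example that is not part of the original posts or of Pi-hole itself: it reads the two files named above and reports IPv6 settings defined in both, a manual IPv6 configuration left behind while Pi-hole's DHCP is off, and an option6 dns-server value other than [fe80::]. The IPv4 sample line, the treatment of an absent file as empty, and the rule that an IPv4 dhcp-range means DHCP is enabled are assumptions.

```python
MANAGED = "/etc/dnsmasq.d/02-pihole-dhcp.conf"  # written by Pi-hole (path from the thread)
MANUAL = "/etc/dnsmasq.d/42-dhcp-option6.conf"  # hand-maintained (path from the thread)
V6_LINES = ("dhcp-option=option6:dns-server,[fe80::]\n"
            "dhcp-range=::100,::1ff,constructor:eth0,ra-names,slaac,24h\n"
            "ra-param=*,0,0\n")
# Constructed sample: the IPv4 range is invented, and the managed file is assumed
# to hold the same three IPv6 lines once IPv6 support is enabled in the UI.
SAMPLE_V4 = "dhcp-range=192.168.1.201,192.168.1.251,24h\n"

def directives(text):
    """Yield (key, value) for each non-comment dnsmasq line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def ipv6_settings(text):
    """Collect the IPv6 DHCP/RA directives quoted in the thread."""
    found = {}
    for key, value in directives(text):
        if key == "dhcp-option" and value.startswith("option6:dns-server,"):
            found["dns-server"] = value.split(",", 1)[1]
        elif key == "dhcp-range" and "constructor:" in value:
            found["dhcp-range"] = value
        elif key == "ra-param":
            found["ra-param"] = value
    return found

def audit(files):
    """files maps path -> content ('' when a file is absent); returns findings."""
    managed, manual = files.get(MANAGED, ""), files.get(MANUAL, "")
    in_managed, in_manual = ipv6_settings(managed), ipv6_settings(manual)
    findings = [f"conflict: {name} set in both files"
                for name in sorted(set(in_managed) & set(in_manual))]
    # Assumption: an IPv4 dhcp-range (no constructor:) means DHCP is enabled in the UI.
    v4_dhcp = any(k == "dhcp-range" and "constructor:" not in v
                  for k, v in directives(managed))
    if in_manual and not v4_dhcp:
        findings.append("conflict: manual IPv6 DHCP while Pi-hole DHCP is disabled")
    advertised = in_manual.get("dns-server") or in_managed.get("dns-server")
    if advertised != "[fe80::]":
        findings.append(f"option6 dns-server is {advertised}, not [fe80::]")
    return findings

if __name__ == "__main__":
    for label, files in [("manual file only", {MANAGED: SAMPLE_V4, MANUAL: V6_LINES}),
                         ("IPv6 also enabled in UI", {MANAGED: SAMPLE_V4 + V6_LINES, MANUAL: V6_LINES}),
                         ("DHCP disabled in UI", {MANUAL: V6_LINES})]:
        print(label, "->", audit(files) or "ok")
```
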
