Conditional forwarding and dnsmasq rule for DNS after enabling IPv6 on ER-X

Hi all,

Wasn't sure where to post this as it's not really a Pi-hole issue but looking for some wrinkled-brains to point me in the right direction.

My ISP enabled IPv6 a while back and I finally decided to set it up.

After reading some guides and tinkering with the config for my Ubiquiti EdgeRouter-X, it's working BUT, conditional forwarding and my dnsmasq rule to route DNS through Pi-hole aren't working.

I'm sure the dnsmasq rule isn't working due to being setup for IPv4 but struggling to find any answers on how to fix the issues.

Conditional access caught me out when I first set up Pi-hole (which was yonks ago) so had to Google the fix for that again, just need to set service dhcp-server use-dnsmasq enable in the config.

Not sure if it matters but I'm running dual-stack although I'm not seeing any IPv6 addresses from network devices in the query log.

Also running Cloudflared so DNS in Pi-hole is set to localhost.

To get IPv6 working, I reset to defaults via the wizard (and enabled default IPv6 firewall rules). Then modified the config with the entries listed here.

Configs attached. Appreciate any input!

IPv4.txt (5.8 KB)
IPv6.txt (8.6 KB)

So, I have no idea what I did but it's working.

This doesn't look like a Pi-hole issue.

I can't really comment on your configuration files, as those are neither Pi-hole's nor pihole-FTL's/dnsmasq's files, but rather some Ubiquiti syntax (even if I could, I may have struggled to read them, as you seem to have redacted port and address information).

From a strictly DNS point of view, I'd recommend sticking with your Pi-hole being accessible via IPv4 exclusively - provided your router supports that, which would imply that it allows IPv6 DNS configuration.

The important concept to understand here is that a DNS resolver is fully capable of serving your network of dual-stack (and IPv4-only) clients with IPv6 address information, even if they send their requests only via IPv4.
Any DNS resolver will supply A and AAAA records as requested, i.e. your dual-stack clients are able to resolve public IPv6 addresses from AAAA requests via IPv4.

As mentioned, your router must support configuring IPv6 DNS.
Specifically, it must not advertise (SLAAC/NDP/RA/RDNSS) or offer (Stateless and Stateful DHCPv6) an IPv6 address as DNS resolver other than Pi-hole, or -as I'd recommend- no such IPv6 address at all.

A router that is not or cannot be configured either way will likely advertise itself or your ISP's DNS servers, allowing clients to completely bypass Pi-hole via that IPv6 at their own discretion.
Enabling Pi-hole's IPv6 support into that mix would have no effect on your router. It would just lower the probability of IPv6 clients using your router instead of Pi-hole's IPv6 or IPv4 address somewhat.

You should verify the DNS servers your network is aware of, either in your router or on a client, e.g. by running ipconfig /all on a Windows machine and checking the DNS server section.

The reason why I'd recommend sticking with your Pi-hole as only accessible via IPv4 is about associating DNS requests in Pi-hole's Query Log with local hostnames:
With IPv4, clients may (or may not) register a hostname with a DHCP server during DHCP lease negotiation, which in turn may (or may not - some routers don't) populate a co-located DNS resolver with the respective DNS records.

There is no equivalent procedure for IPv6, specifically when auto-configuration is used.
If configured as DHCP server, pihole-FTL/dnsmasq would make an effort to associate IPv6 addresses with hostnames by applying some heuristics, but that's not guaranteed to always work.

Sticking with Pi-hole as IPv4 only will make it easier to identify individual hosts in Pi-hole's Query Log by name.

Thanks. I think I've sorted it. Found that the ISP IPv6 DNS was populated in radvd.conf on the router so ran set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 no-dns and it seems to be working fine now.
