Deutsche Telekom, IPv6 and AAAA Queries

Having read many helpful Pi-hole threads I'd like to summarise some of my findings here, hoping that perhaps it will help others.

Recently I have noticed an increase in AAAA (IPv6) queries and wondered about the root cause. To get started here's my setup:

Deutsche Telekom Speedport 724V --> pfSense Transparent Firewall --> Switch --> Pi-hole, Access Point, Mobile Devices

Like others, I have discovered that I see A (IPv4) and AAAA (IPv6) queries in the Pi-hole log, but only the A (IPv4) queries will be blocked. Since I do not use IPv6, this is falsifying my Pi-hole stats (Percentage Blocked). My plan is to learn a bit more about IPv6 and redesign my network/firewall at a later stage. But for now I do not want to see any more AAAA lookups in my Pi-hole logs.

I use mostly Apple devices (iOS and macOS), and it turns out you can only reduce the number of AAAA lookups by preventing these devices from obtaining an IPv6 address. For macOS you can configure IPv6 to 'Link Local only', but for iOS you're out of luck.
Since I use Pi-hole as DHCP server (IPv4 only) I have turned off DHCP on the Speedport 724V; however, after some research I found out that the Speedport will still hand out IPv6 addresses (despite DHCP=OFF). As a result my iOS devices were still receiving IPv6 addresses and subsequently making AAAA queries.

A solution was to use the pfSense Transparent Firewall to block the IPv6 DHCP requests from the iOS devices.

In particular, I have created a Floating Firewall Rule to block IPv6 UDP (Source Any : Dest Any) with Source Ports 546-547 : Dest Ports 546-547.

This is of course a workaround only. Eventually I will set up IPv4/6 dual stack, but at the moment this solved my problem.

Yes, please do this. Note that IPv6 is actually faster in practice and you limit yourself these days if you decide to abandon IPv6 by intention. Instead, go into your router's settings and enable ULA. A detailed HowTo is available here, scroll down to see how to set up the Speedport 724V:

Note that even if devices have no IPv6 upstream connectivity, they can still send AAAA queries to the DNS server, because nothing stops them from doing this over an IPv4 connection. Remember that the IPv4/6 protocol is only the protocol which transports your data over the network; it has no direct influence on the content of the packets it transports. Your devices may stop doing AAAA queries, since they think that they are meaningless without an upstream IPv6 connection, but that is a very hacky workaround.

Hi DL6ER,

Thanks for your super fast response. Turns out I was declaring victory too soon. After a while my iOS devices still showed IPv6 addresses, probably obtained via methods other than DHCPv6.

I read your other post about the advantages of IPv6 eliminating the need for NAT etc. and I will start transitioning my environment. What's daunting is the need to implement IPv6 rules on the pfSense box etc.
Once I get a handle on that I will enable IPv6 on the Pi.

I did try enabling ULA on the Speedport and the Pi yesterday. For some reason the Pi obtained two global addresses and one local. Eventually I backed out.
I understand about the challenges of implementing IPv6 (and changing IPv6 addresses on the Pi-hole) and that it will require some effort to resolve.

As an alternative, would it be possible to implement a Pi-hole option (switch) to discount AAAA queries from the Pi-hole stats on the dashboard?

E.g. the Apple devices will make two queries each time (AAAA and A), but only the A results will be blocked. Essentially this will reduce the "Blocked Percentage" to half of the real number...

It isn't a big deal, merely a cosmetic issue.

which is, unfortunately, followed by a super slow response... I have been covered with work and haven't checked back on Discourse for about an entire month.

That is to be expected. You will get an "internal global" (ULA, as in global unique but used internally only) and the "external global" (GUA, unique and can be used to access the Internet). You will want to use the ULA for your Pi-hole.

We have that. Edit the file /etc/pihole/pihole-FTL.conf (create it if it doesn't exist) and add the following line:

AAAA_QUERY_ANALYSIS=no

and restart FTL:

sudo service pihole-FTL restart
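The effect the two posts above describe, the "Blocked Percentage" halving when every blocked A query is paired with an unblocked AAAA query, and the AAAA_QUERY_ANALYSIS=no switch removing AAAA queries from the statistics, can be reproduced offline on a log excerpt. The following Python script is an added example and is not code from the thread or from the Pi-hole project. The log lines are constructed in dnsmasq/pihole.log style, not a real capture, and are deliberately arranged so that only the A query of each pair is answered from gravity, mirroring what the original poster reports; the pairing of a "query" line with its following "gravity.list" or "forwarded" line is a simplification of the real log and is an assumption of the example, as are the client addresses and the upstream 8.8.8.8.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq/pihole.log style (not a real capture).
# Each device issues an A and an AAAA query for the same name; in this
# reconstruction only the A query is answered from gravity, as the thread
# reports, while the AAAA query is forwarded upstream (assumed 8.8.8.8).
SAMPLE_LOG = """\
Mar  3 09:12:01 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Mar  3 09:12:01 dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is 192.168.1.2
Mar  3 09:12:01 dnsmasq[812]: query[AAAA] ads.example.net from 192.168.1.20
Mar  3 09:12:01 dnsmasq[812]: forwarded ads.example.net to 8.8.8.8
Mar  3 09:12:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.21
Mar  3 09:12:02 dnsmasq[812]: forwarded www.example.com to 8.8.8.8
Mar  3 09:12:02 dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.21
Mar  3 09:12:02 dnsmasq[812]: forwarded www.example.com to 8.8.8.8
Mar  3 09:12:03 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.21
Mar  3 09:12:03 dnsmasq[812]: /etc/pihole/gravity.list tracker.example.org is 192.168.1.2
Mar  3 09:12:03 dnsmasq[812]: query[AAAA] tracker.example.org from 192.168.1.21
Mar  3 09:12:03 dnsmasq[812]: forwarded tracker.example.org to 8.8.8.8
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
GRAVITY_RE = re.compile(r"gravity\.list (?P<name>\S+) is ")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to ")


def parse_queries(log_text):
    """Return a list of (qtype, name, blocked) tuples.

    A query is marked blocked when the next decision line for the same name
    is a gravity.list answer; a 'forwarded' line marks it as allowed. This
    oldest-pending-query matching is an assumption of the example, not the
    exact bookkeeping Pi-hole's FTL does.
    """
    pending = []  # queries still waiting for their decision line, in log order
    results = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending.append((m["qtype"], m["name"]))
            continue
        m = GRAVITY_RE.search(line) or FORWARD_RE.search(line)
        if not m:
            continue
        blocked = "gravity.list" in line
        for i, (qtype, name) in enumerate(pending):
            if name == m["name"]:
                results.append((qtype, name, blocked))
                del pending[i]
                break
    return results


def blocked_percentage(queries, ignore_aaaa=False):
    """Blocked share of the queries, in percent.

    With ignore_aaaa=True, AAAA queries are dropped from both numerator and
    denominator, which is what the thread's AAAA_QUERY_ANALYSIS=no setting
    does to the dashboard figure.
    """
    counted = [q for q in queries if not (ignore_aaaa and q[0] == "AAAA")]
    if not counted:
        return 0.0
    blocked = sum(1 for q in counted if q[2])
    return 100.0 * blocked / len(counted)


def summary(log_text):
    """Totals and the blocked percentage with and without AAAA queries."""
    qs = parse_queries(log_text)
    return {
        "total": len(qs),
        "by_type": dict(Counter(q[0] for q in qs)),
        "blocked_all": blocked_percentage(qs),
        "blocked_without_aaaa": blocked_percentage(qs, ignore_aaaa=True),
    }


if __name__ == "__main__":
    for key, value in summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample two of six queries are blocked (33.3 %); once the three AAAA queries are discounted it is two of three (66.7 %), which is the "half of the real number" effect from the earlier post. Running the same parser over a real /var/log/pihole.log excerpt only makes sense if the excerpt actually follows the query/decision line ordering assumed here.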

Thanks a lot DL6ER, I have already implemented that option and it is working as expected. :)