Google fiber leaking ipv6 DNS

The issue I am facing:
Some devices including Android use the Google ipv6 DNS instead of the Pi Hole.

Details about my system:
Google fiber router with a raspberry pi.

What I have changed since installing Pi-hole:
The raspberry pi has the latest update including the latest update for Pi hole. I have also enabled the pi hole as the DHCP server for ipv4 and ipv6. I also followed the official instructions for enabling DNS-over-HTTPS.

I have set the Google fiber to use the pi hole as the ipv4 DNS. However, there is no way to disable DHCP or IPv6 on the Google fiber router. All ipv4 traffic works correctly; however, there are times on Android and Amazon fire devices (maybe others as well) that, when the request is not met for IPv6 by the Pi hole, it will use the Google IPv6 DNS provided by the Google Fiber router.

Is there a way to set up an iptables firewall (on the Pi hole) to block the ipv6 DNS IP addresses on the network?

Do you need IPv6?

If not, limit your DHCP range to one address, reserve it for the Pihole device and enable Pihole's DHCP server.

You can't disable IPv6 on the Google fiber router or set a range. You can only do that with ipv4 which I'm not having a problem with.

The Pi hole is set as the DHCP server. If you enable or disable IPv6 on the Pi hole DHCP, it will default to using IPv6 on the Google fiber then (for some select devices). So if possible I would like to block the Google IPv6 DNS addresses at the firewall on the raspberry pi.

You'd have to block or disable with IPv6 at your router.

Pi-hole is receiving DNS traffic only. All other network traffic is taking the usual route, i.e. passing directly between local clients or leaving/entering your network through your router.

You may also be able to disable IPv6 on a client device, if your device supports doing so.

I know this is a very old post, but I was curious if you ever found an answer to this. I'm having the exact same issue with a GRAX210T router on Google Fiber and haven't found a solution.

Google Fiber routers, along with most routers that support IPv6, assign IPv6 addresses using SLAAC (Stateless address autoconfiguration). This causes any clients on the network that support IPv6 to get an address assigned this way, completely outside of and unrelated to DHCP.

The SLAAC advertisements sent by the Google Fiber router include the Google DNS servers (2001:4860:4860::8888, 2001:4860:4860::8844). The custom DNS server options for the Google Fiber router seem to only affect the DHCPv4 service, and have no effect on the IPv6 SLAAC advertisements. I can't even add the IPv6 address of the Pihole to this list, as it seems to only support IPv4 addresses.

What this means is that clients supporting IPv6 will get both the Pihole address (via DHCP), and the Google DNS addresses (via SLAAC). Depending on the client the IPv6 Google DNS might be preferred over the Pihole.

Options include, but are not limited to:

  • Use your own router on the Google Fiber service. This is possible, but can be complicated depending on what service of GFiber you have.
  • Configure clients to ignore DNS servers from SLAAC. Might not be possible on all clients.
  • Add a local firewall rule on each client to block DNS traffic to the Google DNS IPv6 addresses, hoping they fail over to the Pihole. Might not be possible on all clients.
  • Disable IPv6 on all clients on your network.

None of these are nice unfortunately.

Just to be thorough, I thought I'd include a mention about DHCPv6.

DHCPv6 is a thing, and supported on Google Fiber routers. Some clients use DHCPv6 in addition to SLAAC for address and other configuration. DHCPv6 is a whole different service from DHCPv4. And it seems that Google Fiber's implementation of it doesn't support custom DNS servers just like its SLAAC implementation. So all the same issues above apply to DHCPv6 on Google Fiber as well.

Also, it's now documented by Google Fiber that custom IPv6 DNS servers are not supported.
From: Configure DNS for your network - Google Fiber Help
"At this moment, Google Fiber's Network Box does not support custom IPV6 DNS addresses. Please use only IPv4 when configuring custom DNS IPs."
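To confirm which resolvers a router is pushing over SLAAC, as the thread describes, the Recursive DNS Server option (RFC 8106, option type 25) can be read out of a captured ICMPv6 Router Advertisement. This is an added example, not code from the thread or from Pi-hole; the sample packet is constructed, and the Pi-hole address `fd00::53` and the function names are assumptions.

```python
import ipaddress
import struct

RA_TYPE = 134    # ICMPv6 Router Advertisement
OPT_RDNSS = 25   # Recursive DNS Server option, RFC 8106

def rdnss_servers(icmp6: bytes):
    """Return [(lifetime_seconds, IPv6Address), ...] advertised in one RA."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                    # options follow the 16-byte RA header
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, units = icmp6[off], icmp6[off + 1]
        size = units * 8                   # option length is in 8-octet units
        if units == 0 or off + size > len(icmp6):
            raise ValueError("malformed option length")
        if opt_type == OPT_RDNSS:
            if units < 3 or units % 2 == 0:   # 8-byte header + n * 16-byte addresses
                raise ValueError("malformed RDNSS option")
            lifetime = struct.unpack_from("!I", icmp6, off + 4)[0]
            for a in range(off + 8, off + size, 16):
                found.append((lifetime, ipaddress.IPv6Address(icmp6[a:a + 16])))
        off += size
    return found

def unexpected_resolvers(icmp6: bytes, allowed):
    """Advertised resolvers still valid (lifetime > 0) and not in `allowed`."""
    ok = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(ip) for life, ip in rdnss_servers(icmp6) if life and ip not in ok]

def build_sample_ra():
    """Constructed RA: checksum left at 0, MAC and lifetimes are made up."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex("020000000001")   # source link-layer option
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 5, 0, 600)
    for dns in ("2001:4860:4860::8888", "2001:4860:4860::8844"):  # from the thread
        rdnss += ipaddress.IPv6Address(dns).packed
    return header + slla + rdnss

if __name__ == "__main__":
    PIHOLE_V6 = "fd00::53"   # hypothetical Pi-hole address, an assumption
    for ip in unexpected_resolvers(build_sample_ra(), [PIHOLE_V6]):
        print("RA advertises a resolver other than the Pi-hole:", ip)
```

The input is the ICMPv6 message only (starting at the type byte), so the Ethernet and IPv6 headers of a capture must be stripped first.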