How to handle local dns for IPv6 without DHCPv6

I just switched my local DHCP over from my router to my Pihole, and I love that I can now access all my computers and containers with https://*.lan (was using avahi and *.local before, but it had some issues).

Is it possible to also resolve IPv6 addresses in a similar way? I was able to do it with DHCPv6 (the "Enable IPv6 support (SLAAC + RA)" option) but I read here: Option "Enable IPv6 support (SLAAC + RA)" that DHCPv6 is a hack and shouldn't really be used.

Is there a way to auto resolve local IPv6 addresses without manually entering each of them into the new local dns feature?

With IPv6, there's more than just sheep on the meadow, you'd have to care for cows and goats as well. If you want to bring them all in, you've got to feed them according to their needs.

Contrary to IPv4, IPv6 clients can join a network via SLAAC, Stateless DHCPv6 or Stateful DHCPv6.
Only the latter Stateful DHCPv6 is about equivalent to DHCP for IPv4, but different enough to be a separate protocol in its own right.
The two former options heavily favour client-side auto-configuration.
Ultimately, it's a client's OS (and its configuration, of course) that decides which mechanism is employed. Dropping support for any one option may mean shutting clients off from IPv6 connectivity.
This also means your clients may choose any of the DNS servers offered via Stateless DHCPv6 or NDP in your network.

MacOS and Linux could do all three early on.
Windows preferred DHCPv6 for a long time. I believe supporting SLAAC started with the introduction of Win10.
Android only does and only ever did SLAAC.

If you want to handle local DNS for IPv6 correctly, switching off DHCP is not enough, even if it means switching off DHCPv6 as well in your router (not all routers clearly make that DHCP/DHCPv6 distinction).

You have to stop your router from offering itself as DNS server (or those assigned by your ISP). If your router has no separate IPv6 DNS configuration options, you may consider switching off IPv6 altogether.

If your router offers neither, your clients will bypass Pi-hole via IPv6.
(Unless it's a very old router not supporting IPv6 at all).


Thank you for your reply. I might not have explained myself very clearly, so let me try again.

I'm not having any issues with ipv6 bypassing my pihole, as my edgerouter x doesn't give out IPv6 DNS. All DNS points to my pihole.

I'm interested in having the Pihole handle local DNS resolution for IPv6 addresses of my local computers and containers.

For instance if I type ssh cbc02009@computer.lan into my terminal, I'd like the response from the pihole to contain both the IPv4 and IPv6 address for that host. I know I can manually add the IPv6 address for computer.lan into the local DNS record, but is there a way for that to happen automatically in the same way it handles the IPv4 domain?

No, not for all of a client's IPv6 addresses.

Even if a client acquires a DHCPv6 lease, its hostname will only get registered for the DHCPv6-assigned IPv6 address.

Yet acquiring such a lease won't stop your client from creating other additional IPv6 addresses for itself (which I tried to refer to by "heavily favour client-side auto-configuration").
You can expect to see at least a link-local (fe80::/10 range) and some public IPv6 addresses, most likely a few Privacy Extension addresses among them, and maybe some ULAs as well.

dnsmasq (Pi-hole's embedded DHCP server) employs some heuristics to predict a client's EUI-64 interface identifier part and will automatically associate the hostname known for the same MAC if such an address exists.
However, quite a few IPv6 mechanisms will use a different method altogether to calculate the interface identifier.
Aforementioned IPv6 Privacy Extensions may be the most prominent example for this, and it would somehow counteract the very idea of those privacy addresses if they would be resolvable over a well known hostname via DNS.

Besides, public IPv6 addresses (2000::/3 range) are subject to be managed by a public DNS server, i.e. your ISP may have created generic AAAA records for your public IPv6 addresses (those normally look just like the IPv6 extended by a domain identifying your ISP, e.g. ip2003-dead-bf44-beef-badd-adfa-ceca-fe11.dip0.tele.com).
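The post above describes a MAC-based heuristic: a client's SLAAC address is predictable only when its interface identifier is the modified EUI-64 derived from its MAC, while privacy-extension or manually chosen identifiers cannot be tied back to a hostname that way. The following Python script, added here as an illustration and not code from Pi-hole or dnsmasq, derives the EUI-64 identifier from a MAC, classifies a constructed list of addresses by scope and identifier type, and returns the ones such a heuristic could associate with the host. The MAC, prefixes and addresses are made-up sample data.

```python
import ipaddress

# Constructed sample data for this example (not taken from the thread).
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_ADDRESSES = [
    "fe80::211:22ff:fe33:4455",              # link-local, EUI-64 identifier
    "2001:db8:1:2:211:22ff:fe33:4455",       # global, EUI-64 identifier
    "2001:db8:1:2:9c4a:1f3e:77ab:c0de",      # global, random identifier (privacy extension style)
    "fd12:3456:789a:1:211:22ff:fe33:4455",   # ULA, EUI-64 identifier
    "fd12:3456:789a:1::42",                  # ULA, manually configured identifier
]

IID_MASK = (1 << 64) - 1


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert 0xFFFE in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """The address a SLAAC client with a plain EUI-64 identifier forms under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def scope(addr):
    """Coarse address scope: link-local, ULA (fc00::/7), global (2000::/3) or other."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ula"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


def iid_kind(addr, mac):
    """'eui64' if the low 64 bits equal the EUI-64 identifier for this MAC, else 'other'."""
    low = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return "eui64" if low == eui64_iid(mac) else "other"


def classify(mac, addresses):
    """(address, scope, identifier kind) for every address the client has configured."""
    return [(addr, scope(addr), iid_kind(addr, mac)) for addr in addresses]


def predicted_aaaa(mac, addresses):
    """Addresses a MAC-based heuristic can tie to the host: EUI-64 identifier derived
    from that MAC, excluding link-local ones, which are not useful as DNS answers."""
    return [addr for addr, sc, kind in classify(mac, addresses)
            if kind == "eui64" and sc != "link-local"]


if __name__ == "__main__":
    for entry in classify(SAMPLE_MAC, SAMPLE_ADDRESSES):
        print("%-40s %-11s %s" % entry)
    print("resolvable via MAC heuristic:", predicted_aaaa(SAMPLE_MAC, SAMPLE_ADDRESSES))
```

Of the five constructed addresses, only the global and ULA ones with an EUI-64 identifier come back from `predicted_aaaa`; the privacy-style and hand-picked identifiers are indistinguishable from any other random 64 bits, which is exactly why a heuristic cannot (and should not) name them.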

I had tried to do what you are doing and just gave up.

As far as I had learned about IPv6, it's impossible ATM for a router to receive a global prefix delegation and pass it to a remote DHCPv6+SLAAC server. Even locally it's tricky on most router OSs. OpenWRT doesn't have configs for it and does it by itself, pfSense requires statically setting the prefix and when the ISP changes it we must notice and manually update the config. OPNsense has a project task to identify global prefix changes and distribute them to other software, but it's not being worked on. For SLAAC I think it's not even possible by design.

What I had done is disable DHCP on Pihole and use OpenWRT's odhcpd. It's able to receive both my ISPs' PDs and has SLAAC and both DHCPv6 modes working, together with DNS resolving for LAN devices' domain names. In its config I set for each device's MAC its IPv4 addr, IPv6 suffix and DNS name.

odhcpd has a badly documented config to set DNS server's IP addr, it's working for SLAAC and DHCPv6 and all my devices are using Pihole only.

Pihole's dnsmasq is set to forward queries for the LAN domain to the router, so that they are properly resolved. All other queries are forwarded to DNSCrypt, which forwards them to OpenDNS using DNSCrypt or DoH.

I don't think he wants to stop that from happening, and we don't need to care about that.

What we need is to tie each device's MAC to a LAN domain name and a suffix, which DHCPv6 concatenates to ULA prefix, GUA prefix+subnet, etc to attribute IPv6 addresses to devices using that suffix. Then tell DNS server to resolve domain names to ULA (at minimum).

On my LAN this is working even on my Android, so somehow it's working on SLAAC too.
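Both the odhcpd post above and the reply describing "MAC + suffix, concatenated to the ULA and GUA prefixes" boil down to the same scheme: keep a per-host table of name, MAC, IPv4 address and a fixed IPv6 interface identifier, form one address per prefix, and publish the stable one (the ULA) in DNS. The Python below, added here as a worked example rather than anything from odhcpd, dnsmasq or Pi-hole, builds those addresses from a constructed host table and emits hosts-file style lines (`address name`), the format Pi-hole's local DNS records and dnsmasq's additional hosts files accept. The names, MACs, prefixes and suffixes are hypothetical sample data; the function that checks stability under a prefix change is my addition to show why publishing only the ULA survives ISP renumbering.

```python
import ipaddress

# Constructed per-host table, in the spirit of odhcpd's per-host entries (hypothetical data).
HOSTS = [
    {"name": "computer.lan", "mac": "00:11:22:33:44:55", "ipv4": "192.168.1.10", "hostid": "0x10"},
    {"name": "nas.lan",      "mac": "00:11:22:33:44:66", "ipv4": "192.168.1.20", "hostid": "0x20"},
]

# The router advertises one ULA prefix and one delegated GUA prefix (both made up).
PREFIXES = {
    "ula": "fd12:3456:789a:1::/64",
    "gua": "2001:db8:abcd:1::/64",
}


def address_for(prefix, hostid):
    """Concatenate a /64 prefix with a fixed 64-bit interface identifier given as hex."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int(hostid, 16)
    if net.prefixlen != 64:
        raise ValueError("per-host suffixes need a /64 prefix")
    if not 0 < iid < (1 << 64):
        raise ValueError("interface identifier must fit in 64 bits and be non-zero")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def addresses(host, prefixes):
    """All IPv6 addresses a host gets: one per advertised prefix, same suffix under each."""
    return {label: address_for(p, host["hostid"]) for label, p in prefixes.items()}


def hosts_lines(hosts, prefixes, publish=("ula",)):
    """Hosts-file lines ('address name') for the IPv4 address and the chosen IPv6 prefixes.
    Publishing only the ULA keeps DNS independent of the ISP-delegated GUA."""
    lines = []
    for h in hosts:
        lines.append(f'{h["ipv4"]} {h["name"]}')
        for label in publish:
            lines.append(f'{address_for(prefixes[label], h["hostid"])} {h["name"]}')
    return lines


def stable_under_renumber(hosts, prefixes, new_gua, publish=("ula",)):
    """True if swapping the GUA prefix (what an ISP does on re-delegation) leaves the
    published records unchanged."""
    renumbered = dict(prefixes, gua=new_gua)
    return hosts_lines(hosts, prefixes, publish) == hosts_lines(hosts, renumbered, publish)


if __name__ == "__main__":
    for h in HOSTS:
        print(h["name"], {k: str(v) for k, v in addresses(h, PREFIXES).items()})
    print("\n".join(hosts_lines(HOSTS, PREFIXES)))
    print("records survive GUA change:", stable_under_renumber(HOSTS, PREFIXES, "2001:db8:ffff:1::/64"))
```

With `publish=("ula", "gua")` the generated file would also carry the global addresses, and `stable_under_renumber` then returns `False`: that is the configuration that has to be regenerated every time the delegated prefix changes, which is the manual step the earlier post complains about.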

Yeah, that's pretty much exactly what I was thinking. On the home network it should be safe to use the non-random MAC address based IPv6 addresses for communication between hosts. I'm definitely not trying to stop the creation of multiple addresses.

