How to limit binding of Pi-Hole to specific IPv6 addresses on the same interface?

Expected Behaviour:

I'm running both Pi-Hole and Unbound on the same systems.
With Unbound I can specify specifically what IP Addresses (IPv4 + IPv6) the service will bind to.
I want to do the same with Pi-Hole.

Ideally I do not want to have to run unbound on different ports, and just run it on additional IPs. (IPv4 + IPv6)

Actual Behaviour:

Pi-Hole binds to all IPv6 addresses belonging to the specified interfaces. Even the static ones that I have added.

[fe80::ba27:ebff:fe56:747d]:53 pihole-FTL (IPv6)
[2001:xxx:yyy:1001:ba27:ebff:fe56:747d]:53 pihole-FTL (IPv6)
[2001:xxx:yyy:1001:10:1:0:201]:53 pihole-FTL (IPv6)
[2001:xxx:yyy:1001:10:1:0:211]:53 pihole-FTL (IPv6)
[2001:xxx:yyy:1001:63a6:2a9a:fc1c:c55c]:53 pihole-FTL (IPv6)

I only want it to bind to the local and 1 additional static IPv6 address.

Debug Token:

Your debug token is: 4we6esyj6m

Thanks!

Sorry, but that answer only works for IPv4 not for IPv6

And I expect that it works per interface not per secondary IPs.
I already have the suggested settings in my config.

Initially I had:

listen-address=127.0.0.1,10.1.0.201,2001:xxx:yyy:1001:10:1:0:201

bind-interfaces

I also tried:

listen-address=127.0.0.1
listen-address=10.1.0.201
listen-address=2001:xxx:yyy:1001:10:1:0:201

bind-interfaces

But Pi-Hole still keeps binding to ALL IPv6 addresses.
For IPv4 it works like a charm.

I believe below directives are the only ones that you can play with to manipulate listening behaviour:

listen-address=

bind-interfaces

And below one in the /etc/dnsmasq.d/01-pihole.conf file that's configured through the Pi-hole web GUI:

interface=

pi@noads:~ $ man dnsmasq
[..]
       -i, --interface=<interface name>
              Listen  only on the specified interface(s). Dnsmasq automatically
              adds the loopback (local) interface to the list of interfaces  to
              use  when  the  --interface option  is used. If no --interface or
              --listen-address options are given dnsmasq listens on all  avail‐
              able  interfaces  except any given in --except-interface options.
              IP alias interfaces (eg "eth1:0") cannot be used with --interface
              or  --except-interface  options,  use --listen-address instead. A
              simple wildcard, consisting of a trailing '*',  can  be  used  in
              --interface and --except-interface options.

[..]
       -a, --listen-address=<ipaddr>
              Listen on the given IP address(es). Both --interface  and  --lis‐
              ten-address  options  may be given, in which case the set of both
              interfaces and addresses is used. Note  that  if  no  --interface
              option  is given, but --listen-address is, dnsmasq will not auto‐
              matically listen on the loopback interface. To achieve this,  its
              IP  address,  127.0.0.1,  must be explicitly given as a --listen-
              address option.
[..]
       -z, --bind-interfaces
              On systems which support it, dnsmasq binds the wildcard  address,
              even  when  it is listening on only some interfaces. It then dis‐
              cards requests that it shouldn't reply to. This has the advantage
              of  working  even when interfaces come and go and change address.
              This option forces dnsmasq to really bind only the interfaces  it
              is  listening on. About the only time when this is useful is when
              running another nameserver (or another instance  of  dnsmasq)  on
              the  same  machine.  Setting  this  option  also enables multiple
              instances of dnsmasq which provide DHCP service  to  run  in  the
              same machine.
[..]

I don't have IPv6 to try it out though :frowning:

I just did a test.
The problem is with Pi-Hole not being able to actually bind to an IP address on an interface, but only to all IP addresses on an interface.

You can add static IPs in different ways on Raspberry.
The legacy way is by using:

auto eth0
allow-hotplug eth0
iface eth0 inet static
...

auto eth0:0
allow-hotplug eth0:0
iface eth0:0 inet static
...

This will create a virtual interface... for IPv4.

By telling Pi-Hole it is allowed to bind to the IP of eth0, either through the interface command or by specifying the IP, it will only bind to the eth0 addresses.

But this is the legacy way... for IPv4.

For IPv6 this does not work, and the system will add all IPv6 addresses to the main interface.
Pi-Hole now binds to ALL IPv6 addresses on that interface.

I guess this is a limitation from DNSMasq... no matter what combination of settings I use, when I do not use the "virtual" interface option eth0:0, Pi-Hole will now also bind to all IPv4 addresses on eth0.

Or maybe there is a bug that it is not taking into account the configuration?

I fixed it.

It seems that Pi-Hole is setting the "interface=" by default in the /etc/dnsmasq.d/01-pihole.conf

Without the "interface=eth0" setting, the "listen-address=" settings are followed to the letter.
I'm not sure why Pi-Hole is setting this by default.

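The check behind the fix above, as an added example that is not part of the original thread and not Pi-hole or dnsmasq code: it parses the dnsmasq directives, flags an `interface=` line that is combined with `listen-address=` (the man page excerpt earlier says the set of both is used), and lists port 53 sockets bound outside the `listen-address` list. The names `CONF`, `SS_OUTPUT`, `parse_dnsmasq` and `audit` are hypothetical, and the sample config and socket lines are constructed with documentation-prefix addresses.

```python
import ipaddress
import re

# Constructed samples (documentation prefix 2001:db8::/32), not from a real host.
CONF = """\
interface=eth0
listen-address=127.0.0.1,10.1.0.201
listen-address=2001:db8:0:1001:10:1:0:201
bind-interfaces
"""
SS_OUTPUT = """\
UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
UNCONN 0 0 10.1.0.201:53 0.0.0.0:*
UNCONN 0 0 [2001:db8:0:1001:10:1:0:201]:53 [::]:*
UNCONN 0 0 [2001:db8:0:1001:10:1:0:211]:53 [::]:*
UNCONN 0 0 [fe80::1]%eth0:53 [::]:*
"""
# Local socket column: 1.2.3.4:53, [v6]:53, [fe80::1]%eth0:53 or *:53
LOCAL = re.compile(r"^\[?(\*|[0-9A-Fa-f:.]+)\]?(?:%[\w.-]+)?:(\d+)$")

def parse_dnsmasq(text):
    """Return (listen-address set, interface= names, bind-interfaces seen)."""
    allowed, ifaces, bind = set(), [], False
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition("=")
        if key == "listen-address":
            allowed.update(ipaddress.ip_address(a.strip()) for a in value.split(",") if a.strip())
        elif key == "interface" and value:
            ifaces.append(value.strip())
        elif key == "bind-interfaces":
            bind = True
    return allowed, ifaces, bind

def audit(conf_text, ss_text, port=53):
    """Return (config findings, listening addresses outside listen-address)."""
    allowed, ifaces, bind = parse_dnsmasq(conf_text)
    findings = []
    if ifaces and allowed:
        findings.append("interface=%s widens the listen-address list" % ",".join(ifaces))
    if not bind:
        findings.append("bind-interfaces not set: expect a wildcard socket")
    unexpected = []
    for line in ss_text.splitlines():
        match = next(filter(None, map(LOCAL.match, line.split())), None)
        if not match or int(match.group(2)) != port:
            continue
        addr = ipaddress.ip_address("::" if match.group(1) == "*" else match.group(1))
        if addr.is_unspecified or addr not in allowed:
            unexpected.append(str(addr))
    return findings, unexpected
```

On a live system, pass `audit()` the concatenated contents of the dnsmasq config files and the output of `ss -H -lnu`; an empty result for both lists means the resolver is bound only where `listen-address=` says.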

On the admin web GUI, have you tried changing "Interface listening behaviour" into "Listen on all interfaces, permit all origins" ?
That one changes the "interface=" line into "except-interface=nonexisting" on my setup.

I believe you're asked during install.

After running with that setting for a short while... it seems Pi-Hole is unable to connect to my Unbound anymore. And when the cache times out all connections drop.

Changing the setting back does not result in my setup returning to normal.
For some reason Unbound can now not bind to anything anymore, not even when I tell it to bind to another IP with another port.

For some reason after this change, my second static IPv6 address is not accepted anymore. Hence unbound not starting.

Ok... I solved the Unbound issue.
For some reason the system receives an IPv6 RA (local) before it brings up the static IPv6 interfaces.
In one of those interface declarations I had a static gateway configured. Although it did bring up the 1st IPv6 static address, the others would fail.

After removing the static IPv6 gateway declaration all started working again.

As I am now also doing DHCP and have IPv6 on the Pi-Hole, I need to check how I can control what RA is sent out.

But... this setting works perfectly :smile: Thanks! :smile:

Just reinstalled on a second RBP, the Interface Listening behaviour is not an option presented during install.

It's been a while since I ran the installer :wink:
