I'm running both Pi-Hole and Unbound on the same systems.
With Unbound I can specify specifically what IP Addresses (IPv4 + IPv6) the service will bind to.
I want to do the same with Pi-Hole.
Ideally I do not want to have to run unbound on different ports, and just run it on additional IPs. (IPv4 + IPv6)
Actual Behaviour:
Pi-Hole binds to all IPv6 addresses belonging to the specified interfaces. Even the static ones that I have added.
I believe below directives are the only ones that you can play with to manipulate listening behaviour:
listen-address=
bind-interfaces
And below one in the /etc/dnsmasq.d/01-pihole.conf file that's configured through the Pi-hole web GUI:
interface=
pi@noads:~ $ man dnsmasq
[..]
-i, --interface=<interface name>
Listen only on the specified interface(s). Dnsmasq automatically
adds the loopback (local) interface to the list of interfaces to
use when the --interface option is used. If no --interface or
--listen-address options are given dnsmasq listens on all avail‐
able interfaces except any given in --except-interface options.
IP alias interfaces (eg "eth1:0") cannot be used with --interface
or --except-interface options, use --listen-address instead. A
simple wildcard, consisting of a trailing '*', can be used in
--interface and --except-interface options.
[..]
-a, --listen-address=<ipaddr>
Listen on the given IP address(es). Both --interface and --lis‐
ten-address options may be given, in which case the set of both
interfaces and addresses is used. Note that if no --interface
option is given, but --listen-address is, dnsmasq will not auto‐
matically listen on the loopback interface. To achieve this, its
IP address, 127.0.0.1, must be explicitly given as a --listen-
address option.
[..]
-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address,
even when it is listening on only some interfaces. It then dis‐
cards requests that it shouldn't reply to. This has the advantage
of working even when interfaces come and go and change address.
This option forces dnsmasq to really bind only the interfaces it
is listening on. About the only time when this is useful is when
running another nameserver (or another instance of dnsmasq) on
the same machine. Setting this option also enables multiple
instances of dnsmasq which provide DHCP service to run in the
same machine.
[..]
I just did a test.
The problem is with Pi-Hole not being able to actually bind to an IP address on an interface, but only to all IP addresses on an interface.
You can add static IPs in different ways in Raspberry.
The legacy way is by using:
auto eth0
allow-hotplug eth0
iface eth0 inet static
...
auto eth0:0
allow-hotplug eth0:0
iface eth0:0 inet static
...
This will create a virtual interface... for IPv4.
By telling Pi-Hole it is allowed to bind to the IP of eth0, either through the interface command or by specifying the IP, it will only bind to the eth0 addresses.
But this is the legacy way... for IPv4.
For IPv6 this does not work, and the system will add all IPv6 addresses to the main interface.
Pi-Hole now binds to ALL IPv6 addresses on that interface.
I guess this is a limitation from DNSMasq... no matter what combination of settings I use, when I do not use the "virtual" interface option eth0:0, Pi-Hole will now also bind to all IPv4 addresses on eth0.
Or maybe there is a bug that it is not taking into account the configuration?
On the admin web GUI, have you tried changing "Interface listening behaviour" into "Listen on all interfaces, permit all origins" ?
That one changes the "interface=" line into "except-interface=nonexisting" on my setup.
After running with that setting for a short while... it seems Pi-Hole is unable to connect to my Unbound anymore. And when the cache times out all connections drop.
Changing the setting back does not result in my setup returning to normal.
For some reason Unbound can now not bind to anything anymore, not even when I tell it to bind to another IP with another port.
Ok... I solved the Unbound issue.
For some reason the system receives an IPv6 RA (local) before it brings up the static IPv6 interfaces.
In one of those interface declarations I had a static gateway configured. Although it did bring up the 1st IPv6 static address, the others would fail.
After removing the static IPv6 gateway declaration all started working again.
As I am now also doing DHCP and have IPv6 on the Pi-Hole, I need to check how I can control what RA is sent out.
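The listening rules from the dnsmasq man page excerpt quoted in this thread, applied to a config file, as an added example that is not part of the original posts and not Pi-hole's or dnsmasq's own code. The analyze function and the sample configs are constructed for illustration; 192.0.2.53 and 2001:db8::53 are documentation addresses.

```python
import ipaddress

def analyze(conf_text):
    """Predict dnsmasq listening behaviour from config text, per the quoted man page rules."""
    ifaces, addrs, warnings, bind_only = [], [], [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in ("interface", "except-interface"):
            if ":" in value:  # IP alias such as eth0:0 is not accepted by these options
                warnings.append(f"{key}={value}: alias interface, use listen-address instead")
            elif key == "interface":
                ifaces.append(value)
        elif key == "listen-address":
            try:
                addrs.append(ipaddress.ip_address(value))
            except ValueError:
                warnings.append(f"listen-address={value}: not a valid IP address")
        elif key == "bind-interfaces":
            bind_only = True
    # With neither interface= nor listen-address=, dnsmasq listens on all interfaces.
    listen_all = not ifaces and not addrs
    # Loopback is added automatically only when an interface= line is present.
    loopback = listen_all or bool(ifaces) or any(a.is_loopback for a in addrs)
    if not loopback:
        warnings.append("loopback not served: add listen-address=127.0.0.1")
    # Without bind-interfaces the wildcard address is bound (on systems which
    # support it) and unwanted requests are discarded after they arrive.
    if not bind_only:
        warnings.append("wildcard address bound: set bind-interfaces to run another nameserver on this machine")
    return {"socket": "specific" if bind_only else "wildcard", "listen_all": listen_all,
            "loopback": loopback, "interfaces": ifaces,
            "addresses": [str(a) for a in addrs], "warnings": warnings}

# Constructed sample configs (not taken from a real system).
GUI_DEFAULT = "interface=eth0\n"
SPLIT_HOST = "listen-address=192.0.2.53\nlisten-address=2001:db8::53\nbind-interfaces\n"
ALIAS = "interface=eth0:0\nbind-interfaces\n"
PERMIT_ALL = "except-interface=nonexisting\n"

if __name__ == "__main__":
    for name, conf in [("GUI_DEFAULT", GUI_DEFAULT), ("SPLIT_HOST", SPLIT_HOST),
                       ("ALIAS", ALIAS), ("PERMIT_ALL", PERMIT_ALL)]:
        print(name, analyze(conf))
```

Confirm the result on the host by listing the sockets actually bound to port 53 after restarting the service.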