Inconsistent/broken IPv6 DNS resolution

I recently got a new router (Linksys Velop MX5300 with 2 nodes) which has IPv6 support. I disabled DHCP on the router and am using the pi-hole. My pi-hole instance is running on a raspberry pi 3 running buster, latest updates on everything, Cloudflare DoH, pi-hole as the DHCP server, and have Enable IPv6 support (SLAAC + RA) enabled.

However, I'm getting very erratic/broken behavior regarding DNS resolution, basically pi-hole will not be used for DNS on some devices, like my MacBook Pro running Catalina. pi.hole does not resolve (but I can access the UI with the IPv4 address of the rpi) and websites I explicitly blacklisted will load. I'm pretty sure that this is due to IPv6, my router doesn't have very much in the way of clear settings but there's a checkbox labeled IPv6 - Automatic that I can disable which looks like it disables IPv6 altogether (https://ipv6-test.com/ will go from 'supported' to 'unsupported' but devices still have IPv6 addresses in 'ifconfig').

I recently stumbled upon something that said to put:

enable-ra
ra-param=eth0,high,10,1200

in /etc/dnsmasq.d/05-custom-settings.conf so I did that and things seemed all right for a couple days, but then pi-hole DNS resolution started failing again and nothing would fix it with IPv6 enabled. If I disconnect wifi then reconnect, DNS resolution will work for a couple seconds then start failing again, I assume it starts with IPv4 (works) then switches to IPv6 and starts failing.

I initially set up my pi-hole on a router without IPv6, so I added the raspberry pi IPv6 address to /etc/pihole/setupVars.conf and restarted, but that doesn't appear to have helped anything. I would really prefer to be able to use IPv6, partially because I don't trust my router settings to fully disable it and want to avoid IPv6 DNS leakage to my ISP's DNS.

Debug Token:

https://tricorder.pi-hole.net/pp91s7w4th

IPv6 can be tricky indeed, as it heavily favours auto configuration.

Very likely, your router will continue to advertise your ISP's IPv6 DNS server addresses on your network. Any client joining your network will see those advertisements in addition to those of Pi-hole.

It would then depend entirely upon a client's implementation which DNS server it would prefer, and that mechanism is a black box from the user perspective.

Add to this that many clients, especially Smartphones, will prefer IPv6 over IPv4, and that'd explain why you may see Pi-hole being bypassed regularly.

Now, even if we can't tell exactly how a specific device will pick a DNS server (this is also largely true for IPv4, btw), we can safely assume that any device will ignore a DNS server address that's not available.
And this would be the case if your Pi-hole's IPv6 address were changing.

With IPv6, this could happen if your ISP changes your network's IPv6 prefix, and some ISPs do this on a regular basis.

If that's the case for you, you should avoid using a public IPv6 address (from the 2000::/3 range). Try to use IPv6 ULA addresses for Pi-hole instead.

Another way to tackle this would be to change your device's preferences to prefer IPv4 over IPv6. But I am unaware of any Smartphone OS that would allow you to do so, so this is likely not going to help you.

And finally, you could try to disable IPv6 altogether on your network (unless you are dependent on IPv6 for any reason).

If your devices would still list a link-local address (in the fe80::/10 range), that should be ok. As long as none of your devices has a public IPv6 address (aka GUA, 2000::/3 range), your IPv6 DNS traffic will stay in your network or even cease completely.

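As an added example (not code from this thread, from Pi-hole, or from dnsmasq), the script below checks the reply's diagnosis from the client side: it lists the IPv6 addresses a client holds, classifies them as GUA (2000::/3), ULA (fc00::/7) or link-local (fe80::/10), reads the recursive DNS servers (RDNSS) offered in router advertisements, and warns when a resolver other than Pi-hole is advertised or when Pi-hole is advertised only via a GUA that will change with the ISP prefix. It assumes the output formats of `ip -6 addr` and `rdisc6` from the ndisc6 package; the sample outputs, the 2001:db8::/32 addresses and the Pi-hole ULA fd5c:1234:5678:1::100 are constructed.

```python
# Added example, not from the Pi-hole thread or project. Parsing assumes the
# `ip -6 addr` and `rdisc6` (ndisc6) output formats; samples are constructed.
import ipaddress
import re
import subprocess
import sys

GUA = ipaddress.ip_network("2000::/3")         # global unicast: prefix comes from the ISP
ULA = ipaddress.ip_network("fc00::/7")         # unique local: independent of the ISP
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

IFACE_RE = re.compile(r"^\d+:\s+([^:]+):")
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+\w+")
RDNSS_RE = re.compile(r"Recursive DNS server\s*:\s*([0-9a-fA-F:]+)")

# Constructed `ip -6 addr` output for a dual-stack client (2001:db8::/32 stands in for an ISP prefix).
SAMPLE_IP6_ADDR = """\
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:aaaa:bbbb:cccc:dddd/64 scope global dynamic mngtmpaddr
    inet6 fd5c:1234:5678:1:aaaa:bbbb:cccc:dddd/64 scope global
    inet6 fe80::aaaa:bbbb:cccc:dddd/64 scope link
"""
# Constructed `rdisc6 wlan0` output: one RA from the ISP router advertising the
# ISP resolver, one from Pi-hole's dnsmasq advertising Pi-hole's ULA.
SAMPLE_RDISC6 = """\
 Prefix                   : 2001:db8:1:2::/64
 Recursive DNS server     : 2001:db8:ffff::53
 from fe80::1
 Prefix                   : fd5c:1234:5678:1::/64
 Recursive DNS server     : fd5c:1234:5678:1::100
 from fe80::ba27:ebff:fe00:1
"""
PIHOLE_ADDRS = ["fd5c:1234:5678:1::100"]       # assumed Pi-hole ULA in the sample


def classify(addr):
    """Return 'gua', 'ula', 'link-local' or 'other' for one IPv6 address."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop any %zone suffix
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    return "gua" if ip in GUA else "other"


def parse_ip6_addr(text):
    """Return [(interface, address, kind)] from `ip -6 addr` output."""
    found, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1).strip()
            continue
        m = INET6_RE.match(line)
        if m and iface:
            found.append((iface, m.group(1), classify(m.group(1))))
    return found


def parse_rdnss(text):
    """Return the distinct RDNSS addresses advertised, in canonical form."""
    seen = []
    for raw in RDNSS_RE.findall(text):
        addr = str(ipaddress.ip_address(raw))
        if addr not in seen:
            seen.append(addr)
    return seen


def diagnose(ip6_output, rdisc6_output, pihole_addrs):
    """Compare the advertised resolvers with Pi-hole's addresses, collect warnings."""
    pihole = {str(ipaddress.ip_address(a)) for a in pihole_addrs}
    advertised = parse_rdnss(rdisc6_output)
    ours = [a for a in advertised if a in pihole]
    foreign = [a for a in advertised if a not in pihole]
    warnings = []
    if foreign:   # a client may pick any of these, bypassing Pi-hole
        warnings.append("router advertises non-Pi-hole resolvers: " + ", ".join(foreign))
    if not ours:
        warnings.append("Pi-hole is not advertised as an IPv6 resolver")
    for a in ours:
        if classify(a) == "gua":   # breaks at the next ISP prefix change
            warnings.append(f"Pi-hole advertised via GUA {a}; prefer a ULA")
    has_gua = any(kind == "gua" for _, _, kind in parse_ip6_addr(ip6_output))
    return {"client_has_gua": has_gua, "advertised": advertised,
            "pihole_dns": ours, "foreign_dns": foreign, "warnings": warnings}


if __name__ == "__main__":   # live run on Linux: python3 <this file> wlan0 <pihole-v6-addr>...
    iface = sys.argv[1] if len(sys.argv) > 1 else "wlan0"
    try:   # rdisc6 normally needs root to send the router solicitation
        ip6 = subprocess.run(["ip", "-6", "addr"], capture_output=True, text=True, check=True).stdout
        ra = subprocess.run(["rdisc6", iface], capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        ip6, ra = SAMPLE_IP6_ADDR, SAMPLE_RDISC6   # offline: fall back to the samples
    for msg in diagnose(ip6, ra, sys.argv[2:] or PIHOLE_ADDRS)["warnings"] or ["OK"]:
        print(msg)
```

Run it as root on a Linux client with the interface name and Pi-hole's IPv6 address(es); where `rdisc6` is not installed it falls back to the constructed samples. A "foreign" entry is exactly the router-advertised ISP resolver the reply describes, and the GUA warning is the prefix-change case; `rdisc6` only shows what the link advertises now, so rerun it after the router has been reconfigured rather than trusting the router's UI.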
