iOS Host Names in Pi-hole using IPv6 addresses

Hi all
I have used Pi-hole for many years successfully; it is a great tool. In order to expand my knowledge I have undertaken a couple of personal projects, namely Docker and IPv6.
I now have Pi-hole successfully running in Docker, using a Compose file to stop and start the container, and also with Pi-hole supporting IPv6 fully, i.e. resolving and blocking IPv6 DNS requests.
My TP-Link router provides the DNS server addresses (the two Raspberry Pis running Pi-hole) via DHCP (IPv4) and RA/RDNSS (IPv6) to the client devices. I have created DNS records in Pi-hole to provide the host names for each client, and the Dashboard and logs work well apart from the 4 iOS devices that use Pi-hole.
These iOS devices appear to use temporary IPv6 addresses for new connections every 24 hours or so, so I am unable to create useful DNS records for them. The Dashboard and logs display the many different IPv6 addresses for these 4 clients, not the host names.

Is there a method of creating a host name within Pi-hole using the MAC address of a device?

Alternatively, is anyone aware of any method of configuring iPhone and iPad to use a stable private IPv6 GUA? This is the solution that I have used on the Windows and Linux clients to enable the use of DNS records within Pi-hole.

The entire internal network sits behind a Firewall which blocks all new incoming IPv6 connections so whilst the internal clients use public IPv6 GUAs they cannot be accessed externally.

Any ideas or suggestions would be welcome
thanks
mhoam

Try turning off RA/RDNSS completely, so your clients would be unaware of any IPv6 DNS server address.

As your clients would then talk to Pi-hole via IPv4 only, it would be both easier to identify them as well as fewer client IPs to deal with in Pi-hole's dashboard and Query Log.

This may be Apple's Private Wi-Fi Address feature creating random MAC addresses periodically. For IPv4 it will cause a DHCP server to lease a new IP because it sees it as a new client, so I suspect a similar action with IPv6 where the derived address changes because the MAC has changed.

The feature is supposed to keep the same random MAC address for a given network, only letting it expire if some time has elapsed, but in my experience it changes quite often on the same network.

If you want to test this, you can disable this feature on a per-network basis. In iOS it's in Settings > Wi-Fi > tap the (i) button next to the Wi-Fi network name > Private Wi-Fi Address > disable. This will return the phone to its actual Apple fixed MAC address on that network.

Chris, I agree. I have already turned off “Private Wi-Fi Address” on the iOS device, so I believe the MAC addresses should be consistent.

Thanks for the response. I understand I can disable IPv6 to resolve the problem. As this is a learning project, that’s not what I want to do as yet.
I received many similar replies whilst attempting to configure Docker to use IPv6 alongside IPv4, which was not straightforward :grinning:
Cheers

It's only disabling RA/RDNSS, not disabling IPv6 altogether.

Your clients will continue to talk IPv6 to any target they wish, it's just that they send their requests to Pi-hole via IPv4, including AAAA requests for IPv6 addresses.

With IPv6, client addresses can be expected to fluctuate over time.
Commonly, IPv6 clients will prefer using temporary addresses for their public connections.
So if a client would be using a global address to talk to Pi-hole, it will be likely that you see its IPv6 interface id portions change over time - and that's in addition to any IPv6 prefix changes that your router/ISP will announce.

What's the scope of your Pi-hole's IPv6 address that your router is advertising?

@Bucking_Horn
I have a fixed /56 IPv6 address range from my ISP but only using a /64 range internally, so the network prefix will not change, unless I change my ISP, unlikely at the moment.
All my clients (Windows, Linux and 3 Raspberry Pis) are configured to use “stable privacy” IPv6 addresses, so the GUAs on my devices are not changing. Apart from the Apple devices, of course :frowning: My Docker containers have ULAs defined, and I would have preferred to use ULAs on my internal network, but Docker does not currently bridge the host address into the container unless it is a GUA. Presumably this is because it requires a GUA to “route” the connection between the host and the container. Obviously IPv4 uses NAT between the host and container address ranges.
Not using IPv6 for DNS seems possible by changing my router configuration to use a different addressing mechanism (stateless RA). Obviously I don’t want my clients to assume the default DNS servers from my ISP on IPv6, as this would bypass Pi-hole’s domain filtering. I would prefer to resolve the host name issue on these devices “properly” if possible. I also intend to research the use of ULAs with Docker, but I’m not sure whether this would stop iOS using temporary IPv6 addresses.
I’m sure the designers of IPv6 had the best intentions but they clearly worked to a set of “pure” criteria rather than a pragmatic approach.
Thanks for your feedback
Cheers

Is that guaranteed by contract?
I'm asking because depending on your country of residence, IPv6 prefixes may be required to change regularly, e.g. once per day or per week.
When that's not a requirement, arbitrary prefix changes may still occur, e.g. when your router is power-cycled.

Depending on your OS and configuration, temporary IPv6 addresses (aka Privacy Extension addresses) may still be created in addition to those RFC 7217 stable opaque IDs. This would also be the recommended way, as temporary addresses being used for public requests would make it harder to track you (though a fixed prefix can still be tracked to your home).
And of course, there may be clients whose IPv6 configuration you can't control, e.g. IoT devices or TVs.

If you are intent on keeping IPv6 DNS services despite these difficulties, you could try to configure your router to advertise Pi-hole's link scope LLA, so clients will use their LLA in turn, which often is easier to identify (for lack of temporary addresses).
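To see the address churn the replies above describe in practice, here is an added example (not Pi-hole code and not from anyone in this thread) that classifies the client addresses in dnsmasq-style query lines, as written to Pi-hole's pihole.log, by scope (IPv4, link-local, ULA, GUA) and groups the GUAs by /64 prefix. One prefix with many distinct interface IDs is what a client using temporary addresses looks like in the log, while link-local clients stay put. The log lines, addresses and the file name are constructed for illustration; the EUI-64 check only spots MAC-derived interface IDs and says nothing about RFC 7217 stable versus temporary ones, which both look random.

```python
"""Classify the client addresses in a Pi-hole (dnsmasq-format) query log.

Added example for this thread, not Pi-hole code. The log lines below are
constructed; 2001:db8::/32 is the IPv6 documentation prefix.
"""
import ipaddress
import re
from collections import defaultdict

# dnsmasq writes one line per query to pihole.log, e.g.
#   Mar 10 08:15:02 dnsmasq[1234]: query[AAAA] example.com from 2001:db8::1
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$")

# Well-known scopes, matched explicitly. (ipaddress's is_private would also
# flag 2001:db8::/32 as private, so it is deliberately not used here.)
LLA = ipaddress.IPv6Network("fe80::/10")   # link-local
ULA = ipaddress.IPv6Network("fc00::/7")    # unique local
GUA = ipaddress.IPv6Network("2000::/3")    # global unicast

# Constructed sample: a Linux box with one stable address (seen twice), an
# iPhone cycling through three temporary addresses in the same /64, one
# client using its link-local address, one ULA client and one IPv4 client.
SAMPLE_LOG = """\
Mar 10 08:15:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Mar 10 08:15:01 dnsmasq[1234]: forwarded example.com to 127.0.0.1#5335
Mar 10 08:15:02 dnsmasq[1234]: query[AAAA] example.com from 2001:db8:1:0:7c3b:1a2f:9e4d:b1c
Mar 10 09:02:11 dnsmasq[1234]: query[AAAA] apple.com from 2001:db8:1:0:1d0e:5a3c:88f1:2b9a
Mar 11 09:45:40 dnsmasq[1234]: query[AAAA] icloud.com from 2001:db8:1:0:4f1a:c0de:ba5e:1
Mar 11 10:00:00 dnsmasq[1234]: query[AAAA] example.com from 2001:db8:1:0:7c3b:1a2f:9e4d:b1c
Mar 12 10:00:05 dnsmasq[1234]: query[AAAA] example.org from 2001:db8:1:0:e8b3:77f2:1c45:9d60
Mar 12 10:00:06 dnsmasq[1234]: query[AAAA] example.org from fe80::1a2b:3cff:fe4d:5e6f
Mar 12 10:00:07 dnsmasq[1234]: query[A] pi.hole from fd12:3456:789a::10
"""


def classify(client):
    """Return the scope of one client address: ipv4, lla, ula, gua or other."""
    addr = ipaddress.ip_address(client)
    if addr.version == 4:
        return "ipv4"
    if addr in LLA:
        return "lla"
    if addr in ULA:
        return "ula"
    if addr in GUA:
        return "gua"
    return "other"


def is_eui64_iid(client):
    """True if the interface identifier carries the ff:fe marker of a
    modified EUI-64 (MAC-derived) IID. RFC 7217 stable and RFC 8981
    temporary IIDs are pseudo-random and will almost never carry it."""
    packed = ipaddress.IPv6Address(client).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def summarise(log_text):
    """Count queries per scope and, for GUAs, collect the distinct addresses
    seen under each /64 prefix. Returns (counts_per_scope, guas_by_prefix)."""
    per_scope = defaultdict(int)
    by_prefix = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue            # forwarded/reply/cached lines carry no client
        scope = classify(m["client"])
        per_scope[scope] += 1
        if scope == "gua":
            addr = ipaddress.IPv6Address(m["client"])
            prefix = ipaddress.IPv6Network((addr, 64), strict=False)
            by_prefix[str(prefix)].add(str(addr))
    return dict(per_scope), {p: sorted(a) for p, a in by_prefix.items()}


if __name__ == "__main__":
    scopes, prefixes = summarise(SAMPLE_LOG)
    print("queries per scope:", scopes)
    for prefix, addrs in prefixes.items():
        print(f"{prefix}: {len(addrs)} distinct GUA(s)")
        for a in addrs:
            print("   ", a, "(EUI-64 IID)" if is_eui64_iid(a) else "")
```

Run against a real pihole.log instead of SAMPLE_LOG (for example `summarise(open("/var/log/pihole.log").read())`) and the number of distinct addresses per /64 tells you how many interface IDs your clients have burned through, which is exactly the list of addresses you would otherwise have to keep adding DNS records for.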

@Bucking_Horn
Thanks for the information. I’m in the UK, and whilst not contracted, my ISP has assured me that my /56 is not intended to be changed. However, I take your points seriously about devices that I may not be able to configure. Originally I did try to use the LLAs of my DNS servers. However, I came up against the same problem with Docker: even the admin interface of Pi-hole on port 80 could not be accessed via the LLA of the host because the IPv6 packets were not bridged into the container.
I understand that I’m trying to obtain a “perfect” solution which may not be available, just frustrated that I got so close to getting PiHole inside a Docker container with IPv6 fully working :grinning:
Cheers

@Bucking_Horn
Whilst investigating the use of ULAs, I found that since the RFC that changed the rules for IP address selection in a dual-stack environment over ten years ago, the IPv4 address is preferred over a ULA, so the ULA would not be used!

I also found this quote from 2012 which I found funny:-
“It is cheering to see that the IPv6 ivory tower still stands despite years of attack by reality.”
Sums it up really :grinning:
Cheers


You can have Pi-hole and IPv6, you can have Docker and Pi-hole. Docker itself is the major reason you can't have Docker and IPv6.

There does seem to be some kind of progress for Moby, maybe? Support IPv6 · Issue #44923 · moby/moby · GitHub
Pi-hole, Docker and IPv6 are mentioned in that issue.

@DanSchaper
I’m afraid you don’t seem to have read my original post. I do have Pi-hole running in a Docker container using IPv6 alongside IPv4. I can access the admin interface of Pi-hole via the host Raspberry Pi's IPv6 address, and I can see queries coming into Pi-hole from IPv6 addresses. The logs show IPv6 DNS queries being resolved and blocked.
It definitely wasn’t straightforward but it is possible.
As I stated, I have created DNS records for both IPv4 and IPv6 addresses that resolve host names for my Windows and Linux devices; it is only the iOS devices, which always use temporary IPv6 addresses, that show “raw” IPv6 addresses in the dashboard and logs.
Further investigation prompted by @Bucking_Horn's questions shows that IPv6 DNS itself has many questions relating to usability and performance, for which I am grateful.
Cheers

Docker is IPv4 only by default, so you had to configure both your docker installation as well as the container to get IPv6 support.
AFAIR, the reason IPv6 is not enabled by default has been security concerns, probably as container-level global scope addresses may inadvertently break container isolation.
This may also be among the reasons why Docker's IPv6 support is still experimental (which is probably why Dan suggested you shouldn't currently have it).

It's not that simple.
IPv6 address selection employs quite an elaborate procedure to determine address usage based on source and target addresses, i.e. it would be specific to the source's network interface states, its assigned addresses and the addresses it knows for a given target.
Furthermore, while different RFCs over time defined different defaults, note that IPv6 prefix policies are configurable.
This results in different behaviour over different OS releases, versions and devices, making it hard to predict actual client behaviour, unless you are willing to and allowed to inspect its current prefix policy table.
All things considered, you should expect to see a mix of IPv6 addresses used by clients talking to your Pi-hole.

You should also note that reverse lookups for public GUA addresses are resolved by public DNS servers, so your ISP's DNS servers control your clients' public names.

Since there is no loss of functionality in DNS, regardless of whether requests are transported via IPv4 or IPv6, I personally am more comfortable (almost perfect :wink: ) to just distribute an IPv4 DNS server, and to not advertise an IPv6 server at all (provided your router supports it). This approach is viable unless you would happen to have an IPv6-only device in your network.

I don't think this would hurt your intention to learn IPv6 by much, since all your traffic would still utilise IPv6 as before, with the one exception of DNS queries to your Pi-hole (which could be viewed as a result of this learning experience).
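The ULA finding a few posts up (IPv4 preferred over a ULA) and the point above that prefix policies are configurable both come straight out of the RFC 6724 policy table, so here is an added example (not code from the thread, Pi-hole, Docker or any OS) that carries the default table and the three table-driven rules of the destination address selection (prefer matching label, prefer higher precedence, prefer longest matching prefix) through on constructed addresses. It deliberately leaves out the other seven rules of RFC 6724 section 6, so it reproduces a real host's choice only where those rules do not decide; the ULA_PREFERRED table stands in for the kind of local override a glibc /etc/gai.conf "precedence" line produces on Linux and is an assumption for illustration, not a recommended setting.

```python
"""RFC 6724 destination ordering reduced to its policy-table rules.

Added example for this thread, not code from Pi-hole, Docker or any OS.
Only rules 5 (prefer matching label), 6 (prefer higher precedence) and 9
(longest matching prefix) of RFC 6724 section 6 are implemented; rules
1-4, 7, 8 and 10 are omitted, so this only reproduces a real host's choice
when those rules do not decide. All addresses below are constructed.
"""
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128",       50, 0),
    ("::/0",          40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4-mapped: how IPv4 destinations are ranked
    ("2002::/16",     30, 2),   # 6to4
    ("2001::/32",      5, 5),   # Teredo
    ("fc00::/7",       3, 13),  # ULA: ranked below IPv4
    ("::/96",          1, 3),   # IPv4-compatible (deprecated)
    ("fec0::/10",      1, 11),  # site-local (deprecated)
    ("3ffe::/16",      1, 12),  # 6bone (deprecated)
]

# A locally edited table of the kind a glibc /etc/gai.conf "precedence" line
# produces on Linux (assumption for illustration): ULA ranked above IPv4.
ULA_PREFERRED = [
    ("fc00::/7", 45, 13) if prefix == "fc00::/7" else (prefix, prec, label)
    for prefix, prec, label in DEFAULT_POLICY
]


def to_v6(addr):
    """Return an IPv6Address; IPv4 becomes IPv4-mapped (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip


def policy(addr, table):
    """Longest-prefix match against the policy table -> (precedence, label)."""
    ip = to_v6(addr)
    best = None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Number of leading bits two addresses share (rule 9 tie-breaker)."""
    return 128 - (int(to_v6(a)) ^ int(to_v6(b))).bit_length()


def order_destinations(candidates, table=DEFAULT_POLICY):
    """candidates: [(destination, source address the host would use for it)].
    Returns the destinations best-first, i.e. the order a dual-stack
    resolver would hand them to connect()."""
    def rank(pair):
        dst, src = pair
        d_prec, d_label = policy(dst, table)
        _, s_label = policy(src, table)
        # Higher tuple sorts first: label match, then precedence, then prefix.
        return (d_label == s_label, d_prec, common_prefix_len(dst, src))
    return [dst for dst, _ in sorted(candidates, key=rank, reverse=True)]


if __name__ == "__main__":
    # Target has A 192.168.1.20 and AAAA fd00::20; host has 192.168.1.10 and fd00::10.
    ula_case = [("fd00::20", "fd00::10"), ("192.168.1.20", "192.168.1.10")]
    print("ULA vs IPv4, default table :", order_destinations(ula_case))
    print("ULA vs IPv4, ULA preferred :", order_destinations(ula_case, ULA_PREFERRED))
    # Same target reachable via a GUA instead of a ULA.
    gua_case = [("2001:db8::20", "2001:db8::10"), ("192.168.1.20", "192.168.1.10")]
    print("GUA vs IPv4, default table :", order_destinations(gua_case))
```

With the default table the IPv4 destination (precedence 35) beats the ULA (precedence 3) and loses to the GUA (precedence 40), which is the behaviour described in the thread; swapping in the edited table flips the ULA case. Because every host carries its own table, and not every OS exposes it the same way, two devices on the same network can legitimately pick different address families for the same target.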

@Bucking_Horn
Many thanks for your feedback and useful information. I have definitely learned lots from researching the questions and comments in your replies.
I have come to agree with your position and will investigate my router configuration regarding the publication of IPv4 DNS servers only to the clients, whilst retaining the use of IPv6 across my network.
Cheers
