IPv6 and PiHole DHCP server

Hi team
When enabling the DHCP server in the PiHole, any iOS clients can't access many sites - and my Windows boxes fall back to IPv4, but iPhones and iPads won't.
If I use the router's DHCP and DHCPv6 server, then all devices behave correctly, but conditional forwarding creates a forwarder loop trying to resolve local addresses (wpad.local and the Apple equivalent).

My default router configuration does have IPv6 enabled, and I've allocated a local IPv6 address to my PiHole and this is able to resolve IPv6 addresses via Cloudflared.

I'd like to use conditional forwarding, or else have a fully functioning DHCP server on the PiHole, but I'm kind of stuck in the middle.
When enabling SLAAC+RA on the PiHole's DHCP server, the Windows devices play nicely, but the Apple devices do not.

Any thoughts on how to test this or what settings I might need to make it work? I'm running it on a Pi4 presently, but was running it on a debian pizza box which was a bit of overkill.
As an interim measure I've blacklisted wpad.local, as when you connect to VPN, then it will successfully locate the proxy server as needed.

The debug log reports a second IPv6 address which appears to be a ULA address, but I can't see where that's come from as I'm using static addressing on the Pi.
I've followed the advice at Use IPv6 ULA addresses for Pi-hole and run the code snippet, so can try and re-enable the PiHole's DHCP server and see if that fixes it.

Debug token: 9hcc4zil9z

New debug token after manually adding the ULA IPv6 address - it's still reporting an issue

https://tricorder.pi-hole.net/xx8ug6o6j2

Welcome to the Pi-hole community, scottharman. :slight_smile:

Your debug log shows your Pi-hole has been successfully introduced into your network, with full IPv4 and IPv6 connectivity.
It is also positively receiving, processing, blocking and forwarding DNS queries, so your network seems to be configured to make good use of Pi-hole.

There are a few configuration options that need attention and maybe additional tweaking, however.

Verify your Upstream DNS server for Pi-hole

You seem to aim at using your local cloudflared client as Pi-hole's upstream DNS:

PIHOLE_DNS_1=127.0.0.1#5053

Yet Pi-hole is forwarding to these servers instead:

   server=1.1.1.1
   server=1.0.0.1

It would seem that you have manually edited your setupVars.conf.

Pi-hole is creating that file during installation, to keep track of your choices, and to reflect on them during updates, but it is not meant for manual editing.

Don't be fooled by Pi-hole's UI to reflect your changes.


The following command is recommended to correctly and cohesively apply any settings:

pihole -r

and choose reconfigure.

Consider a different name for your local network.

.local is the default name used by the mDNS protocol as implemented by Apple's Bonjour or Linux' avahi software.

In case you have special use devices on your network (like a network printer, Time Capsule or AppleTV), this may potentially interfere with services these devices offer via mDNS.


If you are using your router as DHCP server, use of a ULA address is recommended, but you do not seem to use one.

Your debug log shows no signs of a ULA address (fd00::/8) so far:

2a02:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::75
fe80:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx::ec5e
There are three types of IPv6 address ranges that are relevant for you here

While there is indeed much more to IPv6 addresses, we focus on the following for your network configuration:

| range | description | visibility |
|---|---|---|
| fe80::/10 | link-local | private network, same local segment only |
| fd00::/8 | ULA | private network, potentially all local segments |
| 2000::/3 | global | all networks - public Internet and private network |

Global IPv6 addresses (2000::/3) are commonly generated via IPv6 privacy extensions, making them temporary addresses that are valid only for a limited period (commonly 24 hours).

This translates in your Pi-hole being unreachable via its global address once that expires.

Luckily, your Pi-hole has a link-local address (fe80::/10) as well.
This is possibly fine if you use a flat network at home, with all devices connected to the same segment (i.e. directly to your router by LAN or WiFi).

If you employ additional routing hardware like L3 switches, APs or other routers, devices that join your network through them won't be able to contact Pi-hole via its link-local address.

And that is where a ULA address comes in handy - it is stable (where your global IPv6 may change) and it is visible in all your home network segments (where link-local is restricted to exactly one).


If Pi-hole is set as DHCP server, the need to have a ULA address is diminished, as Pi-hole always announces its global IPv6 address automatically.

However, as you are not using your router as upstream DNS server, I don't see anything that would suggest a DNS loop, unless your cloudflared would somehow send its queries to Pi-hole, or your router (while your router would use Pi-hole as upstream DNS server at the same time).

The latter would also apply to Conditional Forwarding, so make sure your router just uses DHCP to distribute Pi-hole as local DNS server.

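To make the three-range distinction from the table above concrete, here is an added example (not part of the post, and not Pi-hole's own tooling) that classifies each IPv6 address on a host into link-local, ULA or global and flags the same gaps Bucking_Horn points out: no ULA present, a global address that may be temporary, and link-local reachability limited to one segment. The `ip -6 -o addr` parser assumes the one-line-per-address output format of iproute2; the sample output and the addresses in it are constructed (the real ones in the debug log are masked), so it runs offline.

```python
import ipaddress
import re
import subprocess

# The three ranges from the table in the post (fd00::/8 is the locally assigned ULA half).
RANGES = {
    "link-local": ipaddress.ip_network("fe80::/10"),
    "ULA": ipaddress.ip_network("fd00::/8"),
    "global": ipaddress.ip_network("2000::/3"),
}


def classify(addr):
    """Return 'link-local', 'ULA', 'global', 'other' (e.g. ::1) or 'not-ipv6'."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on malformed input
    if ip.version != 6:
        return "not-ipv6"
    for name, net in RANGES.items():
        if ip in net:
            return name
    return "other"


def parse_ip_addr(output):
    """Extract addresses from `ip -6 -o addr show` output (one address per line)."""
    return re.findall(r"\binet6 ([0-9a-fA-F:]+)/\d+", output)


def assess(addresses):
    """Classify a host's addresses and list what a Pi-hole operator should look at.

    Returns (classes, advice): classes maps address -> range name, advice is a
    list of short findings (empty when a ULA address is present).
    """
    classes = {a: classify(a) for a in addresses}
    found = set(classes.values())
    advice = []
    if "ULA" not in found:
        advice.append("no ULA address (fd00::/8): clients on other segments cannot reach Pi-hole by a stable address")
        if "global" in found:
            advice.append("global address (2000::/3) may be temporary under privacy extensions; do not rely on it as the DNS server address")
        if "link-local" in found:
            advice.append("link-local address (fe80::/10) is reachable from the same segment only")
    return classes, advice


# Constructed sample of `ip -6 -o addr show` output; addresses are made up, not from the thread.
SAMPLE_IP_OUTPUT = """\
2: eth0    inet6 2001:db8:1::75/64 scope global dynamic mngtmpaddr noprefixroute \\       valid_lft 86392sec preferred_lft 14392sec
2: eth0    inet6 fe80::1234:5678:9abc:ec5e/64 scope link \\       valid_lft forever preferred_lft forever
"""


def local_ipv6_addresses():
    """Run `ip -6 -o addr show` on this host (assumes iproute2 is installed)."""
    out = subprocess.run(["ip", "-6", "-o", "addr", "show"], capture_output=True, text=True, check=True)
    return parse_ip_addr(out.stdout)


if __name__ == "__main__":
    try:
        addrs = local_ipv6_addresses()
    except (FileNotFoundError, subprocess.CalledProcessError):
        addrs = parse_ip_addr(SAMPLE_IP_OUTPUT)   # fall back to the constructed sample
    classes, advice = assess(addrs)
    for addr, kind in classes.items():
        print(f"{addr:40} {kind}")
    for line in advice:
        print("note:", line)
```

Run it on the Pi itself to see which of its addresses is a candidate for handing out as the DNS server; the constructed sample reproduces the situation in the debug log (global plus link-local, no ULA), and adding an fd00::/8 address empties the advice list.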

Thanks @Bucking_Horn
I'll check my IPv6 addressing again - I can ping my pihole by ipv6 from my windows machines, but trying to do it from my iphone has caused too much aggravation.

The router is allocating the PiHole as the IPv4 DNS server, and as the IPv6 DNS server correctly (or, at least as I've defined!)

The 2a02 address is the original address allocated by my router's DHCPv6 server, and I've got a reservation for my PiHole in there, but I'm happy to use a local link address if you think it will work.

Could that be why the pihole wasn't distributing IPv6 addresses correctly when I was using it as a DHCP server? I think that makes sense... but it's been a long day.

I'd really like this to be a good working config that I can then backup as a sane environment when I move countries and am without hardware and a lab for a couple of months while it's in a container again. The more I can have the Pi doing, the better.

Many thanks for your helpful response!

Hi again, @Bucking_Horn

Question - where does it show the PiHole is forwarding to cloudflare DNS?
I've checked my setupVars and that does show it's using cloudflared - plus it's what is shown in the admin interface too.
I'm not able to type in the cloudflared IP address into the config - it doesn't like the port number separated by either a colon or hash.

From the Pi terminal, run this command and it will show the forwarding destinations

echo ">forward-dest" | nc localhost 4711

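Bucking_Horn's point earlier in the thread (setupVars.conf says `127.0.0.1#5053`, the running dnsmasq says `1.1.1.1` and `1.0.0.1`) and jfb's `>forward-dest` check both come down to comparing what you configured with what Pi-hole actually generated. The following is an added example, not Pi-hole's own code: it reads the `PIHOLE_DNS_n` entries from setupVars.conf and the `server=` lines from the dnsmasq config Pi-hole generates from it, and reports whether they agree. It assumes the Pi-hole v5 file layout (`/etc/pihole/setupVars.conf` and `/etc/dnsmasq.d/01-pihole.conf`); the two sample texts are constructed to reproduce the mismatch seen in the thread so the script runs offline.

```python
import re
from pathlib import Path

# Pi-hole v5 locations (assumption: layout differs in other versions).
SETUPVARS = Path("/etc/pihole/setupVars.conf")       # Pi-hole's record of your installer choices
DNSMASQ_CONF = Path("/etc/dnsmasq.d/01-pihole.conf") # generated by Pi-hole from setupVars.conf


def upstreams_from_setupvars(text):
    """Collect PIHOLE_DNS_1, PIHOLE_DNS_2, ... values in numeric order."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^PIHOLE_DNS_(\d+)=(\S+)$", line.strip())
        if m:
            found[int(m.group(1))] = m.group(2)
    return [found[k] for k in sorted(found)]


def upstreams_from_dnsmasq(text):
    """Collect plain server=... upstreams; skip server=/domain/... conditional forwards."""
    result = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):      # server=/lan/192.168.1.1 is conditional forwarding, not an upstream
            continue
        result.append(value)
    return result


def compare(setupvars_text, dnsmasq_text):
    """Return both lists plus whether the generated config matches the recorded choices."""
    want = upstreams_from_setupvars(setupvars_text)
    have = upstreams_from_dnsmasq(dnsmasq_text)
    return {"setupvars": want, "dnsmasq": have, "consistent": set(want) == set(have)}


# Constructed samples mirroring the thread: setupVars points at cloudflared, dnsmasq still has Cloudflare.
SAMPLE_SETUPVARS = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=127.0.0.1#5053
QUERY_LOGGING=true
"""
SAMPLE_DNSMASQ = """\
# Pi-hole generated (constructed sample)
server=1.1.1.1
server=1.0.0.1
server=/lan/192.168.1.1
"""


def report(result):
    """Human-readable summary; a mismatch means `pihole -r` (reconfigure) is the fix, not editing setupVars."""
    lines = [f"setupVars.conf upstreams : {result['setupvars']}",
             f"dnsmasq upstreams        : {result['dnsmasq']}"]
    if result["consistent"]:
        lines.append("OK: generated config matches setupVars.conf")
    else:
        lines.append("MISMATCH: run `pihole -r` and choose reconfigure instead of editing setupVars.conf by hand")
    return "\n".join(lines)


if __name__ == "__main__":
    if SETUPVARS.exists() and DNSMASQ_CONF.exists():
        result = compare(SETUPVARS.read_text(), DNSMASQ_CONF.read_text())
    else:
        result = compare(SAMPLE_SETUPVARS, SAMPLE_DNSMASQ)   # offline: use the constructed samples
    print(report(result))
```

On a live Pi-hole the script reads the real files; `pihole-FTL`'s `>forward-dest` output remains the authoritative view of where queries actually went, so treat this as the static check that precedes jfb's runtime one.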

Thanks @jfb
I've tested, and it's all behaving correctly now.
I've had to give up on running the DHCP server on the pihole for the moment, as my router helpfully crashes when I try to disable its internal DHCP server.
I suspect it needs a factory reset, but as it's got to be manually configured for Ethernet over WAN and has a manual IPv6 config, I can't be buggered sorting it out today.
That's a job for the weekend.

I suspect my issues originally were down to the fact that it looks like the DHCPv6 server in my router wasn't working correctly, and conditional-forwarding in the PiHole was forwarding the wpad router request messages.
I've seen some other threads about this, so will look to address this in other ways, then re-enable conditional-forwarding (as that's creating the lookup loop)
Cheers
Scott
