I've configured a pi-hole on a raspberry pi. I'm using latest raspbian OS. I have disabled the router DHCP server, and enabled Pi-Hole one. I can't find any option on the router for a specific DHCPv6 server, but I don't think there is any.
When I run on a windows (11) client I get following:
What you want is to configure an IPv6 ULA prefix on the router and a fixed IPv6 suffix for the static pihole IPv6 configuration (that suffix will apply to both ULA and global addresses). Make sure the subnet prefix used for /64 assignments is also static or define one to be sure.
Then you can add the pi-hole's ULA address (should be ULA prefix + subnet prefix + static suffix, easiest is to check on the pi.hole for a matching fc00::/7 address) in your router's IPv6 DNS configuration, overriding the upstream's DNS address like you did for IPv4.
EDIT: Actually you mentioned you're using pi-hole for DNS, are you sure you properly disabled IPv6 RA/DHCPv6 on your router? IPv4 and IPv6 configuration happens in parallel and it's possible your clients are still getting their IPv6 configuration from the router. If you wish to retain IPv6 connectivity the pi-hole will have to provide the proper IPv6 configuration itself, which may be non-trivial (I haven't looked into that as I use my router's DHCP).
Yes but if the router is assigning IPv6 you won't see the client names in pi-hole. Since IPv6 configuration relies on the router's delegation from your ISP (assuming standard home user's non-static configuration) I don't see a straightforward way to fix this (if you use unbound you can always forward the ipv6 reverse lookups to the router... This is what I did for both IPv4 and IPv6 with all dhcp happening on my router). Or you could use a NAT6 configuration with only ULA addresses in the lan.
I can't find any option to disable DHCPv6 in router. I'm not sure if it happens anyway, is there any tool to check what DHCPv6 servers are active on the network?
Disabling ipv6 in clients absolutely works, but I don't want to do that for all clients on the network, it's not a very flexible solution.
Do you even have an IPv6 address? Many ISPs still don't provide IPv6, but the router and devices will still auto-configure IPv6 by default using link-local and site-local addresses (starting in the fc-fe range). That allows only local communications so it would be safe to disable (and should ideally be done on the router, not client).
If you do have an externally-accessible IPv6 address and the router is provided by your ISP, you should ask them how you can override IPv6 DNS servers. It's really a problem with their firmware if they push an IPv6 DNS server but don't allow you to control that, even though it's allowing you to control the DNS servers sent to clients (knowing how many routers are built internally I can see how this got through, but it's really a bug if you can override the IPv4 DNS but it's still sending an IPv6 one pointing at a local recursive resolver).
If you bought the router yourself, look for a firmware update, raise the issue to your router's manufacturer or upgrade to one that has a proper IPv6 configuration interface (note it may also be hidden in advanced settings...).
P.S.: it does not matter if you have external IPv6 connectivity or not, the clients can still use an internal IPv6 server to request IPv4 addresses, and use an IPv4 server to request IPv6 addresses.
The ipv6 address is local ("fe80:..."), there's no external one, I even checked on https://test-ipv6.com/ .
As I can't find any option, I'll have to ask the ISP if they can disable that in my router, which they'll probably not be able to, so the other solution will be to either buy a new router, or manually disable ipv6 on each workstation or make the RPI an AP instead of router.
I'm asking again tho, is there some way to find if the router acts like DHCPv6 server even if v4 is disabled (or even if not)?
The router is ZXHN H267A V1.0 if anyone has any idea about it, let me know, I couldn't find anything online. The software is modded by the ISP.
LE:
I've used rdisc6, to get more info. The Pi-Hole is off right now, for clear testing.
With DHCPv4 set on
pi@B:~ $ rdisc6 eth0
Soliciting ff02::2 (ff02::2) on eth0...
Hop limit : 64 ( 0x40)
Stateful address conf. : No
Stateful other conf. : Yes
Mobile home agent : No
Router preference : medium
Neighbor discovery proxy : No
Router lifetime : 0 (0x00000000) seconds
Reachable time : 30000 (0x00007530) milliseconds
Retransmit time : 1000 (0x000003e8) milliseconds
Recursive DNS server : fe80::1
DNS server lifetime : 900 (0x00000384) seconds
Source link-layer address: XX:XX:XX:XX:XX
from fe80::1
With DHCPv4 set to off
pi@B:~ $ rdisc6 eth0
Soliciting ff02::2 (ff02::2) on eth0...
Hop limit : 64 ( 0x40)
Stateful address conf. : No
Stateful other conf. : Yes
Mobile home agent : No
Router preference : medium
Neighbor discovery proxy : No
Router lifetime : 0 (0x00000000) seconds
Reachable time : 30000 (0x00007530) milliseconds
Retransmit time : 1000 (0x000003e8) milliseconds
Recursive DNS server : fe80::1
DNS server lifetime : 900 (0x00000384) seconds
Source link-layer address: XX:XX:XX:XX:XX
from fe80::1
If your IPv6 capable devices would only carry a link-local IPv6 address (range fe80::/8), that would suggest that your ISP didn't assign you a public IPv6 prefix, and thus that they haven't enabled IPv6 on your connection.
Indeed, there wouldn't be much else they could do on their side - apart from supplying you with a proper documentation of your router.
Your observation strongly suggests that your router is propagating its own IPv6 address as DNS server.
Your clients are using your router's IPv6 for DNS.
They may have acquired it by one of three ways:
i) by requesting it from your router's DHCPv6 server (via either Stateless or Stateful DHCPv6)
ii) by picking it up from your router's RA (router advertisement)
iii) by being manually configured to use your router's IPv6 for DNS
I'd assume you would have known and told us if you set a manual IPv6 DNS server on a client, which would leave your router as the source.
DHCP is strictly IPv4.
I wouldn't expect any impact on either DHCPv6 or RA when switching it on and off.
But my initial advice remains fully applicable:
To be sure, you have to consult your router's documentation.
Look for options that allow configuring an IPv6 DNS server address that would apply to both DHCPv6 and RA, which may have separate controls of their own.
If you cannot set an IPv6 DNS server, try to disable both DHCPv6 and RA.
If you cannot set those individually or at all, disable IPv6 support altogether.
Again, you'd have to consult your router's documentation to find out about the details.
If your router doesn't support any of the above, your clients will continue to be able to bypass Pi-hole via IPv6.
Disabling IPv6 on the pi.hole won't help... I suspect the router is based on openwrt or dd-wrt which comes with IPv6 turned on by default, and they didn't even bother turning it off nor including the UI to let the user do it (actually if you have a main switch for IPv6, try turning it on to see if it enables configuration options for DHCPv6 and IPv6 RA).
It's a problem as you can see because your router is actively configuring devices and you have no control over what it's doing.
If your router allows setting firewall rules that could be another way to block this, but you need to be able to set IPv6 rules, and I doubt there are even any firewall options on most ISP routers, let alone IPv6 firewall.
Your ISP may be able to fix the router image if you manage to raise it up to the engineering team that customized it, I suggest you clearly demonstrate there is a bug (stress on the fact your router allows setting a different DNS server but still advertises its own IPv6 server so the setting is not working and this is a bug). Threaten to change ISP if they don't fix the bug or change your router for one that works properly.
If you bought the router and own it, you could also look at flashing a stock image (which may have the proper IPv6 config) or even a custom one like OpenWRT or DD-WRT if supported by your router hardware... You will be on your own though for configuring the router or recovering it if the flashing fails. I would recommend having a backup solution (e.g. an old router that you can use in the interim) in case of issues.
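The rdisc6 output posted earlier in the thread already answers which DNS server and DHCPv6 hints the router hands out. The following is an added example, not part of any post above, that parses that output and lists every path by which clients would learn a resolver other than Pi-hole; the `fd00::53` Pi-hole address and the function names are assumptions made for the illustration.

```python
import ipaddress

# Abridged from the rdisc6 output quoted in the thread (MAC redacted there).
SAMPLE = """\
Soliciting ff02::2 (ff02::2) on eth0...
Hop limit : 64 ( 0x40)
Stateful address conf. : No
Stateful other conf. : Yes
Router lifetime : 0 (0x00000000) seconds
Recursive DNS server : fe80::1
DNS server lifetime : 900 (0x00000384) seconds
Source link-layer address: XX:XX:XX:XX:XX
 from fe80::1
"""
PIHOLE = "fd00::53"  # constructed ULA address for the Pi-hole, not from the thread

def _addr(text):
    # Normalise an IPv6 literal, dropping any %zone suffix.
    return ipaddress.ip_address(text.strip().split("%")[0])

def parse_rdisc6(text):
    """Return one dict per Router Advertisement printed by rdisc6."""
    ras, cur = [], {"rdnss": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("from "):           # closes one RA block
            cur["source"] = _addr(line[5:])
            ras.append(cur)
            cur = {"rdnss": []}
            continue
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Stateful address conf.":
            cur["managed"] = val == "Yes"      # RA "M" flag
        elif key == "Stateful other conf.":
            cur["other"] = val == "Yes"        # RA "O" flag
        elif key == "Recursive DNS server":
            cur["rdnss"].append(_addr(val))    # RDNSS option carried in the RA
    return ras

def audit(ras, pihole):
    """List the ways each RA lets clients learn a resolver other than Pi-hole."""
    want, findings = _addr(pihole), []
    for ra in ras:
        for dns in ra["rdnss"]:
            if dns != want:
                findings.append(f"{ra['source']}: RA advertises DNS {dns}")
        if ra.get("managed") or ra.get("other"):
            findings.append(f"{ra['source']}: RA points clients to DHCPv6")
    return findings
```

Pass the text captured from `rdisc6 eth0` to `parse_rdisc6`, then call `audit` with the Pi-hole's IPv6 address; an empty list means no advertisement on the link steers clients away from it.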